Monday, March 29, 2010

All ur browsers r belong 2 us

Oh, foo:
It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered.
Those are the big targets, and they're all full of holes - including Firefox, which I've been telling people to use the whole time I've been blogging.

Time for something different. Let's look at browsers and Operating Systems based on what I think are the key criteria. Of course, your mileage may vary, void where prohibited, do not remove tag under penalty of law.

Criteria #1: A Security Focus by the development team. If the software developers don't particularly care about security, and aren't bothered by security problems, then you're starting from FAIL. Some teams care a lot, and these are the products you want to seek out.

Criteria #2: A Rapid Update Model. Everything has bugs, and some of the bugs are security bugs. The faster the development team can get you a fix, the better off you are.

Criteria #3: Make yourself as small a target as possible. In the real world, we use our heads: avoid bad neighborhoods, don't fumble for your keys in a dark parking garage, etc. It's the same on the Internet. While using a much less popular software package is absolutely no guarantee of safety, it does avoid known bad neighborhoods, so to speak. If we assume that the Bad Guys are rationally motivated to make money, then they are more likely to spend their time cracking popular applications, rather than obscure ones.

I should say right now that Criteria #3 is controversial in the security geek community, but I recommend it anyway. The most that you can say against it is that it might not help. We know what's going on with the more popular apps.

So, how do the browsers stack up? If we give one point for each criterion, the browsers rank like this:

Opera: 3 points. The trifecta. I've always recommended this for online banking, although now I have to recognize using an Ubuntu LiveCD for online banking. But for regular browsing, this is your best bet. It wasn't in the pwn2own contest, because Criteria #3 made it more or less a waste of time for the attackers. You can use that to your advantage.

Firefox: 2 points. The development team has a long track record of taking security seriously, and they have a great update model. They're also a big, big target, as the pwn2own contest shows. Consider moving to Opera if you use Firefox and you're on Mac or Linux; absolutely move to Opera if you use Firefox on Windows. (Boy, it hurt to say that)

Internet Explorer 8: 1 point. The IE development team has really got the security religion, and it shows. IE used to be a joke in the security community, but this version is establishing some real credibility. Unfortunately, updates come on Patch Tuesday, which means you have to wait a month for security updates. FAIL. Fail fail fail fail. Plus, it's a huge target, just like Firefox. It may be that all the security effort is too little, too late.

Internet Explorer 6 and 7: 0 points. Not many people are still on IE6, which is very good. A lot are still on IE 7, and their companies won't let them move off it. So be it - their companies will have to deal with the malware. For home use, get off it if you're still on it - security has always been a joke for these.

Safari: 0 points. From a security perspective, this is a sucking chest wound of FAIL. Apple simply doesn't take security seriously, the update model is "whatever, whenever", and the pwn2own contest shows that it's "interesting". With 10-15% market share, that's for dang sure. No link to the download site, because you want to get off this turkey. iPhone users will need to be patient, but Opera has submitted an iPhone version to Apple for addition to the iPhone store. I'll let you know how that goes. Intentionally placed lower on the list than IE 6 and 7, because Apple should know better.

OK, how about Operating Systems? It's much harder to switch here than with browsers, but in the interest of completeness, here's the list:

Ubuntu Linux: 3 points. There are many flavors of Linux, but Ubuntu is the one that most people would consider for the desktop. You give up iTunes and PC games, however. Linux is a big target for Bad Guys, but on the servers. While it's possible that the Bad Guys could target the desktop in a big way, with 2% market share this seems very unlikely.

Macintosh OS/X: 1.5 points. Built from BSD Unix, it has a solid and proven security model. Updates are not great, so only half a point, and it's gaining market share, so no points there - it's a plausible target now, meaning it's likely a Bad Guy can make a living writing malware for it. But it's better than Windows.

Windows: I wish I could say something better here, because Vista and Windows 7 have added some much needed security features. But we all know what the story is here.

Let me close once more with a disclaimer: this analysis framework is by no means universally accepted in the security community. I believe that it's practical and understandable - after all, you need to know what to do and why, so there's considerable virtue in that.


bluesun said...

I was wondering, with Firefox, since it has so many add-ons--do those help or hinder? Especially the security ones? Or does bloating it up make more holes for hackers?


bluesun said...

And just have to say: "Holes for Hackers" sounds like a good name for a rock band.

Borepatch said...

Bluesun, quite frankly I don't run any. I ran Noscript for a while, but it breaks stuff.

I agree that more add-ons means more code, which means more targets. And it would be a good name for a band.

NotClauswitz said...

I only run Adblock and Flashblock in Firefox.
We just got a new PG&E "Smart Meter" - so now they can shut down our power if we go over during a Spare The Air day or somebody else can do that to the whole Grid.
I bet they use Internet Exploder at PG&E to scan the Grid because they also probably use Oracle...

Borepatch said...

We just got a new PG&E "Smart Meter" - so now they can shut down our power if we go over during a Spare The Air day

Err, or someone else can shut down your power.

I bet they use Internet Exploder at PG&E to scan the Grid because they also probably use Oracle...

Or you (or someone else) could use Their Powers to do this. Of course, you'd never do this ...

Ian Argent said...

#3 makes (almost) all of this moot - one of the reasons we use computers is to be able to use one chunk of hardware to do an infinite amount of tasks; and because of network effect, there's an extremely good reason to use what everyone else is using.

For web browsers, as long as they are all standards-adhering AND the web sites are all standards-adhering, there isn't a network effect. Use what you like. But fragmentation of market share means fragmentation of profits. As it is (and despite what the EU would like to conjure up) there's always going to be a "default" browser in your OS, which means the alternative browsers (whatever they are) must compete with "free". It can be done, but it's hard. Kudos to Opera and Firefox for doing it.

But for OS - the more you fragment the market, the less software vendors are going to target each individual fragment. You can see this happening to Windows Mobile - I'm a longtime WinMo user, and even before MS drove a stake through the heart of WinMo, the new apps just weren't coming out for it; everyone is on iPhone, and now on Android. So of course I'm secure from rogue apps and targeted exploits; but I'm also secure from being able to use my phone. Google has an amazingly feature-rich interface for email and reader. But the email interface is only available to webkit-based browsers (and until recently the reader interface was as well - they only comparatively recently made it work in Opera Mobile).

I don't have an answer, other than figure out some way to economically insure against cybercrime the way we insure against regular crime. The world has had millennia to come to terms with "locks only stop honest men". We're going to have to come up with that answer for internet-based crime.

If we can...

Jay T said...

How difficult is it to install Ubuntu on a three year old Dell Desktop?

TOTWTYTR said...

If I were to install Ubuntu, is there a Windows emulator that I can install to run Windows programs? There is a lot of stuff out there that won't run on Linux or Apple computers.

Which of course hackers know.