It was another grim day for internet security at the annual Pwn2Own hacker contest Wednesday, with Microsoft's Internet Explorer, Mozilla's Firefox and Apple's Safari and iPhone succumbing to exploits that allowed them to be remotely commandeered. Those are the big targets, and they're all full of holes - including Firefox, which I've been telling people to use the whole time I've been blogging.
Time for something different. Let's look at browsers and Operating Systems based on what I think are the key criteria. Of course, your mileage may vary, void where prohibited, do not remove tag under penalty of law.
Criteria #1: A Security Focus by the development team. If the software developers don't particularly care about security, and aren't bothered by security problems, then you're starting from FAIL. Some teams care a lot, and these are the products you want to seek out.
Criteria #2: A Rapid Update Model. Everything has bugs, and some of the bugs are security bugs. The faster the development team can get you a fix, the better off you are.
Criteria #3: Make yourself as small a target as possible. In the real world, we use our heads: avoid bad neighborhoods, don't fumble for your keys in a dark parking garage, etc. It's the same on the Internet. While using a much less popular software package is absolutely no guarantee of safety, it does avoid known bad neighborhoods, so to speak. If we assume that the Bad Guys are rationally motivated to make money, then they are more likely to spend their time cracking popular applications, rather than obscure ones.
I should say right now that Criteria #3 is controversial in the security geek community, but I recommend it anyway. The most that you can say against it is that it might not help. We know what's going on with the more popular apps.
So, how do the browsers stack up? If we give one point for each criterion, the browsers rank like this:
Opera: 3 points. The trifecta. I've always recommended this for online banking, although I now have to acknowledge that an Ubuntu LiveCD is the better choice for online banking. But for regular browsing, this is your best bet. It wasn't in the pwn2own contest, because Criteria #3 made it more or less a waste of time for the attackers. You can use that to your advantage.
Firefox: 2 points. The development team has a long track record of taking security seriously, and they have a great update model. They're also a big, big target, as the pwn2own contest shows. Consider moving to Opera if you use Firefox and you're on Mac or Linux; absolutely move to Opera if you use Firefox on Windows. (Boy, it hurt to say that.)
Internet Explorer 8: 1 point. The IE development team has really got the security religion, and it shows. IE used to be a joke in the security community, but this version is establishing some real credibility. Unfortunately, updates come on Patch Tuesday, which means you have to wait a month for security updates. FAIL. Fail fail fail fail. Plus, it's a huge target, just like Firefox. It may be that all the security effort is too little, too late.
Internet Explorer 6 and 7: 0 points. Not many people are still on IE6, which is very good. A lot are still on IE7, and their companies won't let them move off it. So be it - their companies will have to deal with the malware. For home use, get off it if you're still on it - security has always been a joke for these.
Safari: 0 points. From a security perspective, this is a sucking chest wound of FAIL. Apple simply doesn't take security seriously, the update model is "whatever, whenever", and the pwn2own contest shows that it's an "interesting" target. With 10-15% market share, that's for dang sure. No link to the download site, because you want to get off this turkey. iPhone users will need to be patient, but Opera has submitted an iPhone version to Apple for addition to the iPhone store. I'll let you know how that goes. Intentionally placed lower on the list than IE6 and 7, because Apple should know better.
OK, how about Operating Systems? It's much harder to switch here than with browsers, but in the interest of completeness, here's the list:
Ubuntu Linux: 3 points. There are many flavors of Linux, but Ubuntu is the one that most people would consider for the desktop. You give up iTunes and PC games, however. Linux is a big target for Bad Guys, but on the servers. While it's possible that the Bad Guys could target the desktop in a big way, with 2% market share this seems very unlikely.
Macintosh OS X: 1.5 points. Built from BSD Unix, it has a solid and proven security model. Updates are not great, so only half a point there, and it's gaining market share, so no points for Criteria #3 - it's a plausible target now, meaning it's likely a Bad Guy can make a living writing malware for it. But it's better than Windows.
Windows: I wish I could say something better here, because Vista and Windows 7 have added some much needed security features. But we all know what the story is here.
Let me close once more with a disclaimer: this analysis framework is by no means universally accepted in the security community. I believe that it's practical and understandable - after all, you need to know what to do and why, so there's considerable virtue in that.