Test Center guide to browser security
Chrome, Firefox, Internet Explorer, Opera, and Safari have different security advantages and shortcomings. More important than the browser you choose, however, is how you maintain and use it.
Making a secure browser
If you're looking for the perfectly secure browser, stop looking. Each new browser entry typically promises a more secure browsing experience, only to prove that making a truly secure Web browser is difficult. Each of the most popular browsers has dozens of patched vulnerabilities. Even the newest, Google's Chrome, released in beta form in September 2008, has nearly a dozen exploits already. Perhaps the strongest testament to how hard it is to make a secure Internet browser is the fact that even the text-only Lynx browser, which is as simple as a browser can be (it can't even display pictures or video without external programs), has had five vulnerabilities. If attackers can cause buffer overflows in a text-based browser, any browser more complex will have its issues.
In general, administrators must consider every Internet-connected Web browser as high risk. In very high-security environments, Web browsers aren't allowed to run or aren't allowed to render content from the Internet. But assuming your enterprise needs to browse the Internet and seeks a Web browser with an acceptable level of security, keep reading. A secure browser must include the following traits as a minimum:
* It was coded using Security Development Lifecycle (SDL) techniques.
* It has undergone code review and fuzzing.
* It logically separates network and local security domains.
* It prevents easy malicious remote control.
* It prevents malicious redirection.
* It has secure defaults.
* It allows the user to confirm any file download or execution.
* It prevents URL obscurity.
* It contains anti-buffer overflow features.
* It supports common secure protocols (SSL, TLS, etc.) and ciphers (3DES, AES, RSA, etc.).
* It patches and updates itself automatically (with the user's consent).
* It has a pop-up blocker.
* It utilizes an anti-phishing filter.
* It prevents Web site cookie misuse.
* It prevents easy URL spoofing.
* It provides security zones/domains to segregate trust and functionality.
* It protects the user's Web site logon credentials during storage and use.
* It allows browser add-ons to be easily enabled and disabled.
* It prevents mischievous window use.
* It provides privacy controls.
* It has been battle tested by hackers over a sufficient period of time.
Another good place to start learning the detailed basics of Web browser security is Part 2 of the Browser Security Handbook, maintained by Michal Zalewski. The Browser Security Handbook gives a great introduction to many of the behind-the-scenes security policies that underlie most of today's browsers and indicates which features are supported in various browsers.