The InfoWorld expert guide to Web browser security

Today's Web browsers have different security pros and cons, and none offers a magic bullet against threats. Here's how to keep your Web surfing secure

Which Web browser is guaranteed to make your Internet browsing experience perfectly safe? The answer is none, of course. If you have the need for high security on a computer you manage, then you shouldn't allow it to surf on the public Web. It's that simple. But if your need for security is not extreme, there are a number of things you can do to make your Web browser more secure and your Web surfing safer. Let this Deep Dive be your guide.

Internet browsers are highly complex pieces of software that interact with highly complex programming code, much of it not so friendly. There is no "super secure" browser. The number of known exploits against a particular browser exactly tracks to its popularity. No surprise there. Even secure alternatives to Internet Explorer, which all new browsers seem to claim to be, generally have been targeted by dozens of exploits. (Even the newest of these, Google Chrome, already has a dozen.)

Today, a significant portion of computer attacks comes from legitimate websites that have been maliciously modified. In short, limiting your surfing to only well-known, legitimate websites does not ensure a safe Internet browsing experience. And the problem will only get worse, not better, for the near-term future.

Browser security wars
About a year ago, I spent several months running the five most popular browsers -- Internet Explorer, Firefox, Google Chrome, Safari, and Opera -- through a battery of security tests. Much to my surprise, none of the browsers allowed malware to silently install on my test systems. In other words, if a fully patched browser is running on a fully patched Windows system (Windows XP Professional SP3, in my tests), then malware's best chance of success is fooling the user into willingly executing it. This is why socially engineered Trojan horses -- fake browser plug-ins, fake antivirus programs, etc. -- are so common. Beware.

Yes, there will always be zero-day exploits that can silently infect through a browser, but in testing, I found out that on every malware site that I visited (and I am confident that it was a good representative sample) each offered up an executable to install or tried to use an exploit for software that had already been patched. Using a fully patched system (all software, not just the browser) prevented all silent attacks in my real-world tests.

[ Download the InfoWorld "Web Browser Security Deep Dive" PDF special report. ]

Security iGuide

I spent weeks looking for zero-day exploits to test against, and by the time I found the sites, they had been taken down or the hole had been patched. This is not to say that zero-day exploits won't get some people. Obviously, they do. But they are a very small minority. The average user is far more likely (say, 99.999 percent probability) to come across exploits trying to leverage holes that have patches available.

Almost all the malicious websites I came across offered an executable to install, usually in the form of bogus anti-malware software or some sort of content player. In order to be infected, I had to intentionally run the offered executable -- not always, but nearly so. There was a smattering of sites that tried to use malformed or mismatched content to trick the third-party software into silently executing code, but it was uncommon; and when my system was fully patched, it never silently succeeded. The converse is also true. When I intentionally installed the offered malware, every browser allowed the underlying host system to become compromised.

The results back up everything I've been saying for the past few years. Your best defense against malicious attacks is a fully patched system (OS, browser, browser add-ins, and all other software), and educating your users to not install the bogus offered executable (which can often look very legitimate).

Nearly all real-life exploits use JavaScript to launch the executable. It's easy to disable JavaScript support in all the browsers, except for Chrome, but doing so can also cause problems with a high percentage of legitimate websites (throwing the baby out with the bathwater). Disabling JavaScript makes sense when an unpatched zero-day is launched and spreads rapidly (it does happen occasionally). But most serious zero-day exploits are patched within a few days, so the days of risk exposure are minimized.

Another interesting result of my browser security reviews: I was surprised by how many security features each of the browsers shared (antiphishing, cookie control, anti-XSS handling, pop-up blocking, file download detection, digital certificate handling, and so on). Each browser also presents certain strengths that will appeal to different users.

Making a secure browser
Many security pundits recommend any browser, but Internet Explorer as the best security defense. Although there is some safety in using less frequently attacked software, a better question is which is the safest choice among the most popular browsers? What are the most important security features to look for in a browser, and what are the weaknesses to beware?

Each new browser entry typically promises a more secure browsing experience, only to prove that making a truly secure Web browser is difficult. Each of the most popular browsers has dozens of patched vulnerabilities. Even the newest, Google's Chrome, released in beta form in September 2008, has more than a dozen exploits. Perhaps the strongest testament to how hard it is to make a secure Internet browser is the fact that even the text-only Lynx browser, which is as simple as a browser can be (it can't even display pictures or video without external programs), has had five vulnerabilities. If attackers can cause buffer overflows in a text-based browser, any browser more complex will have its issues.

In general, administrators must consider every Internet-connected Web browser as high risk. In very high-security environments, Web browsers aren't allowed to run or aren't allowed to render content from the Internet. But assuming your enterprise needs to browse the Internet and seeks a Web browser with an acceptable level of security, keep reading. A secure browser must include the following traits as a minimum:

  • It was coded using SDL (Security Development Lifecycle) techniques.
  • It has undergone code review and fuzzing.
  • It logically separates network and local security domains.
  • It prevents easy malicious remote control.
  • It prevents malicious redirection.
  • It has secure defaults.
  • It allows the user to confirm any file download or execution.
  • It prevents URL obscurity.
  • It contains anti-buffer-overflow features.
  • It supports common secure protocols (SSL,TLS, etc.) and ciphers (3DES, AES, RSA, etc.).
  • It supports Extended Validation, or EV, digital certificates. Browsers that support EV certificates display a special icon, or shade the address bar, when a user surfs to a site secured by one.
  • It patches and updates itself automatically (with the user's consent).
  • It has a pop-up blocker.
  • It uses an antiphishing filter.
  • It prevents website cookie misuse.
  • It prevents easy URL spoofing.
  • It provides security zones/domains to segregate trust and functionality.
  • It protects the user's website login credentials during storage and use.
  • It allows browser add-ons to be easily enabled and disabled.
  • It prevents mischievous window use.
  • It provides privacy controls.
  • It has been battle-tested by hackers over a sufficient period of time.

Another good place to start learning the detailed basics of Web browser security is Part 2 of the Browser Security Handbook, maintained by Michal Zalewski. The Browser Security Handbook gives a great introduction to many of the behind-the-scenes security policies that underlie most of today's browsers and indicates which features are supported in various browsers.

Read more about how to secure your Web browsers in InfoWorld's free PDF report, "Web Browser Security Deep Dive," including:

  • How to measure a browser's security
  • How each browser fared against our security tests
  • Browser security tips
  • Browsing behind mandatory integrity controls
  • Secrets of secure browsing connections
  • Browsers vs. XSS attacks

This article, "The InfoWorld expert guide to Web browser security," was originally published at InfoWorld.com. Follow the latest developments in information security at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.