Alright, to start this one off I think I need to do a few housekeeping items:
This blog is my opinion, thoughts or whatever you choose to call it. This does not represent the opinion of anyone or entity other than myself and should not be taken as a position of my employer or the developer community. Yada-yada you should understand this.
I currently work for Mozilla, the group/movement behind Firefox. I have also worked in the past for Microsoft.
Ok, now let's get started. Microsoft launched a site called yourbrowsermatters.org, and right off the bat my first issue is that they did this under a .org banner, which to most people means some nice non-profit is doing this, as that is what .org addresses are for. In my opinion, this is an attempt to hide the true backer of the site, Microsoft. Yesterday when this site showed up it had a nice Windows flag style icon on the bottom (today, Oct-12-2011, this is gone). Unlike most Microsoft sites, the Microsoft and Azure items are at the bottom and quite small. Nor does the methodology page (http://yourbrowsermatters.org/docs/methodology.pdf) mention Microsoft. The site does use a “Metro-style” interface, and unless users are familiar with it that means little to them. As well, the methodology doc has the same layout as many Microsoft docs, but yet again, unless you are familiar with them I doubt one would notice this. So right off the bat this began to tickle my thinking.
Also, this site does not really test anything. It takes the User Agent string from the browser (which can be changed) and returns a pre-built answer for that string. How do I know? Well, I used the User Agent Switcher add-on for Firefox to try this out, and just by switching this string I get different answers. So they could just as easily have produced a chart that showed what they think the outcome is. Also keep in mind this is for Windows only; it does not give a score for other operating systems or OS protection models.
ghacks.net did a nice write-up on this as well; since it covered some of this nicely, I suggest you read the analysis there, as I don't want to be repetitive on certain aspects.
So let's take a look at the whole criteria:
- Does the browser help protect you from websites that are known to distribute socially engineered malware?
  - This is a rehash of the NSS Labs Socially Engineered Malware Report. On its face this is a semi-interesting report, but I think it's also somewhat skewed. I am still working my way through all of this report, but my first concern is around making claims with the fixed versions used in the report (Apple® Safari® 5, Google Chrome™ 12, Windows® Internet Explorer® 9, Mozilla® Firefox® 4, Opera™ 11) and using that to infer about newer versions (namely, Firefox 4 ≠ Firefox 7 in capability). Our current rapid release process allows us to make all kinds of changes, and using a static set to make an inference about something newer is just not something I can support.
  - Yes, there are going to be differences between SmartScreen in Windows and StopBadware used by others, but to think they would be this large seems off to me; again, I need to do more analysis of the methodology. Also, why Firefox and Chrome would be so different in results when using the same list is something that bears more analysis.
- Does your browser provide a distinct warning when you download an application that is of higher risk but not yet confirmed as malware?
  - So no, Firefox does not have this capability today, and we are looking into adding it. What is it? Well, you take the hash of the file being downloaded; if it's known to be a problem you tell the user, and if you don't know, you tell the user. This could be good for users if you actually know something, or if they don't really understand what they are downloading.
Category: Phishing Sites
- Does the browser have a feature that can help protect you from phishing sites?
  - Everyone gets marks for this, as we all have something, so let's move along.
Category: Attack on your browser and its plug-ins
- Does the browser have the ability to restrict an extension or a plugin on a per-site basis?
  - This is a point of contention; only IE gets points here. Our plugin model is directly comparable, and this is a relatively important feature. Practically speaking, it's only “more secure” if plugins default to OFF and you let users build up a whitelist, which is NOT what IE does. Chrome sort of does (yes for Java, no for Flash). We definitely have a different extension model. Compare Greasemonkey, where each installed user script has a default list of sites/pages it applies to, but the user can manage that list. Given that extensions and plugins are very different, how does one really rate this?
- Does the browser have a system for auto-updating browser extensions?
  - This is one spot where Chrome and Firefox have a feature that IE currently does not.
Category: Effective Sandbox
- Does the browser process utilize Windows Protected Mode or implement a similar mechanism such that browser processes cannot modify parts of the system that it doesn't have access to?
- Does the browser extend the sandbox such that it cannot read data from parts of the system that it doesn't have access to?
  - As far as I can tell this is a literal use of Windows Protected Mode, and no, Firefox is not using this today for a variety of reasons.
- Does the browser benefit from Windows operating system features that protect against arbitrary data execution?
- Does the browser benefit from Windows operating system features that randomize the memory layout to make it harder for attackers to find their target?
  - We do this; why it does not show up for some Firefox UA strings on this site I don't know.
- Does the browser benefit from Windows operating system features that protect against structured exception handling overwrite attacks?
  - So according to the criteria doc link for this one, this is talking about /SAFESEH. It's odd we don't get a tick here, as we do this on our Windows builds.
Category: Attacks on Websites
- Does the browser automatically block insecure content from secure (HTTPS) pages?
  - They are giving points for mixed content handling.
- Does the browser filter out scripts on the client to help protect against Cross-Site Scripting (XSS) attacks?
  - I think I can concede on this one, even though we do have this feature landing soon.
- Can the browser sanitize HTML to remove potentially problematic code?
  - They are giving points for their own ToStaticHTML API usage. We've looked at it, but there is not agreement that this is the correct way to help protect against web developers doing potentially dangerous things.
- Does the browser have features that websites can take advantage of to help protect you from Cross Site Request Forgery attacks, also known as “Click Jacking”?
  - So we all get points for something that is really two different things. CSRF is not “also known as” clickjacking, so this one just confuses me. In fact, these two items require very different mitigations.
So if we look at the “output”, no browser has a “perfect” score; they all have things missing. The great disappointment here for me is that this could have been a very good site to help encourage users who are on any older platform to pick a more modern one for safety; instead, this has been warped into what I perceive as a marketing tool to promote IE. This was best said by Maxim on the email@example.com list:
“I’m disappointed that Microsoft is using similar language to OTA’s Why Your Browser Matters campaign to serve as a marketing tool to pitch IE as superior to other browsers. The goal of this campaign was supposed to be to get people to upgrade older browsers to newer browsers, not to push one browser over another.
It’s particularly frustrating that Microsoft misrepresents Firefox as not protecting users from social engineering malware sites. This is patently untrue.”
I shall now get off my soapbox for the time being.