This last point is particularly concerning because data from Net Applications shows that about a quarter of all PCs connecting to the Web are using an outdated version of their browser. This equates to about 340 million PCs worldwide.
This is a handy-dandy little webpage you can use to see how secure your browser is. Here’s my browser using Google Chrome:
My Firefox browser only gets a 2 out of 4, while Internet Explorer gets a 4 out of 4! Now, in fairness, this application was designed by Microsoft and so it is skewed towards the security features that Microsoft considers important. However, the grading system is transparent:
- Dangerous Downloads (1 point total) - Does the browser help protect you from websites that are known to distribute socially engineered malware? IE 9 gets 1 point, Firefox gets 0 and Chrome gets 0.
- Phishing Websites (1 point total) - Does the browser have a feature that can help protect you from phishing sites? IE 9 = 1 point, Firefox = 1, Chrome = 1.
- Attacks on your browser (1 point total) - Securing Extensions and an Effective Sandbox; also includes points for auto-updating, and a restriction for extensions and plugins. IE 9 = 1 point, Firefox = 0.5, Chrome = 1.
- Attacks on Websites (1 point total) - There are a lot of options here including blocking insecure content on webpages (which is kind of more annoying than what it’s worth, in my view), sanitizing HTML, and protecting against “Clickjacking.” IE 9 = 1 point, Firefox = 0.5, Chrome = 0.5.
You may not agree with these criteria for assessing security, and if you were a Chrome user or developer, you might have your own. However, you’d be hard pressed to argue that these security measures are not important. Microsoft worked with experts at the Anti-phishing League, Identity Theft Council and Online Trust Alliance to come up with them, and therefore these are not simply Microsoft-approved measures with the intention of bumping up their score while downplaying others. Indeed, the entire point of the page is to get people to update their browsers; nearly 1/4 of users are using an out-of-date one (although the reason for that is not necessarily that they are too lazy or unknowledgeable to update, but that corporate users’ policy is controlled by their IT departments, who will not let them upgrade).
I definitely think that IE 9’s “Dangerous Download” feature is a big plus for them. Over time, Firefox and Chrome will (most likely) follow suit because it’s a handy little feature that builds up reputation although the drawback is false positives. Still, it’s a good model to follow to protect users.
Indeed, I think that as time has passed, all three browsers are doing a good job at protecting their users and leapfrog each other with each release. This isn’t a bad thing; competition in the space is doing its job.
The one drawback of this particular site is that while it tells you if your browser is up-to-date, and it has links to update your version of Windows, it doesn’t tell you if all of your browser plugins are up-to-date. For that, I still recommend getting the Qualys Browsercheck plug-in. Based upon that, I am running the latest versions of all of my browsers and associated plug-ins except for Adobe Flash in Firefox and IE 9 (for some reason I have kept Chrome up to date. That doesn’t sound like me…).
The other thing I would do is change the structure of the Prevention page. In my recent talk at Virus Bulletin 2011, I gave a presentation entitled Practical Cybersecurity. In it, I spoke about how to educate users better, borrowing from techniques that education researchers have found work best to get people to learn new concepts. I will go into that more in a future post and outline the changes that I would make.
Other than that, this site looks good.