New Research Says Chrome Browser "Most Secured" Against Attacks

Discussion in 'other security issues & news' started by lotuseclat79, Dec 9, 2011.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Sorry JR, I was using an analogy. You're right, it's best not to mention the 'R' & the 'P' word. Most English pubs have rules about this LOL! :D
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr

    We're going to have to agree to disagree about this one. ;)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I suppose so =p
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    My understanding of FUD is that it involves spreading untruths.
    If all information presented is true, then FUD is, in my opinion, in the eye of the beholder, and probably says more about that individual's own set of prejudices than it does about the intent of the presenter of facts.
    A fine definition of FUD can be found online.
    It says:
    Another source defines FUD this way:
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's how I understood FUD as well but I suppose you could use facts to scare people? I just usually think of FUD as being lies.

    Either way, whether it's FUD or not doesn't detract from it being full of great and true information.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's all just bollocks semiotics. To even consider that this 'report' isn't a thinly veiled attack on Firefox would be just patently dishonest.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Or, as Dan Goodwin notes in the article that vasa1 linked in post#2...
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It all looks so innocuous doesn't it? I'm not fooled for one minute. As I said earlier, it's just business to Google.

    "So what if we're evil: We're going full steam ahead, no matter what happens with the settlement." ~

    Dan Clancy, Google Books executive (& possibly stroking Mr Bigglesworth at the time) about accusations on copyright infringements by Google.
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Uncertainty and doubt is obviously the goal in the paragraph of possible FF extension vulnerability implications and the pic of a Noscript install.

    It's like describing the possible hazards of having consumed alcohol before driving a car, listing possible injuries and worse and then posting a pic (of a random WSF member, taken when he had one beer) accompanied by the text 'This person only had one beer'.
    It doesn't mean squat that he only had one beer and a picture was taken in his garden before he walked into his house, off to bed.
    Due to the combination of text and pic, he'd be associated with drunk driving, death and mayhem.
    Even if just 'facts' have been used.
    Imo, I'd be creating fear and doubt about a person instead of presenting two separate 'facts'.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :eek: :eek:

    I downloaded the paper yesterday, but only a few seconds ago I started reading it. I'm on page 12 by now. So far, I found no FUD and lies, at all.

    The first pages mention the sandboxing protection or lack of. It's all valid information and accurate. They didn't make the mistake of saying Google Chrome is invulnerable; they mentioned it's the most secure, and if we understand its sandboxing mechanism, well... it is the most secure. That doesn't mean it's bulletproof, it simply means it will be harder for it to be attacked.

    I can't comment more, as I haven't gone that far in the paper. But, so far it's all very much valid information. No FUD.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's a good read.

    You won't be finding any lies in there - I read the whole thing and I've gone back to different parts.

    It goes very far in depth. I had no idea how significant the differences between IE9 and Chrome's sandboxes are.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's one thing that wasn't mentioned about Google/Google Chrome, and that's the fact that there's no vetting, in what comes to extensions in Google Chrome Web Store.

    They did mention that Mozilla vets them.

    In what comes to this, it's :thumb: for Mozilla and :thumbd: for Google. This is something Google cannot neglect, any longer.

    (Yes, I did search the pdf for the extensions. lol But, I'm still on page 17. I'm going to read more tomorrow.)
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I agree m00n. It's also important to keep in mind that extensions in Chrome are given less freedom (more limiting APIs) and I think that they should have mentioned both of these things.

    Chrome does do a "Verified Author" though, it's just not a strong way to vet.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://www.nsslabs.com/assets/noreg-reports/2011/The Browser Wars Just Got Ugly.pdf

    NSS response.

    They bring up that Google now implements application reputation heuristics and that's why their socially engineered malware scores are skyrocketing up.

    They criticize this move because they aren't sharing it with their usual Safebrowsing API.


    I'd love for NSS labs to release a comprehensive study like Accuvant has.

    NSS's report lost a lot of respect when they said this:
    This is idiotic.

    It's very evident in this quote how they feel about the raw information:

     
    Last edited: Dec 16, 2011
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Perhaps but read the following from the Accuvant report, page 17.
    "The chart depicts the total number of vulnerabilities patched within the period of the dataset....However, what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities and thus pay more attention to Firefox.
    Chrome may have the second most because they offer a bounty program so researchers pay more attention.
    ...The point is, any conclusion drawn from the data is speculation and the data does not aid in discovering which browser is most secure."


    Ok, that's really funny, the data gives no solid reason for any conclusions because that would be just plain speculation. According to Accuvant, that is.

    Still, there is reason enough for Accuvant to speculate that 'what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities...' and Chrome just hasn't got such issues because they've got money-driven bug hunters which means something completely else than easy exploitable vulnerabilities.
    Two times speculation doesn't equal logic in my book also.
    Yes, NSS Labs gives praise where praise is due but they and others point out also what is plain old propaganda, FUD and gross and imo insincere speculation.
    One can wrap a turd with quality data but it still remains a turd.
     
  16. guest

    guest Guest

    Explains a lot of things. Especially:

     
    Last edited by a moderator: Dec 17, 2011
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is hardly an argument. So, the malware sites are of public knowledge. The issue here is that Mozilla on its own gathers no data to protect their users. Their malicious domains protection data comes from Google's Safe Browsing.

    lol
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree that calling them out for using public lists is a nonargument. They took malware samples from public verifiable sources and tested the browsers against them.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They throw those out as possible wrong conclusions, conclusions that may typically be drawn by data like that when the data itself is inherently faulty. They point out right away that all of these conclusions make no sense.
     
  20. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Perhaps you've downloaded/read a different PDF version. Mine clearly states;

    "The chart depicts the total number of vulnerabilities patched within the period of the dataset. A naïve interpretation would be that Firefox is the least secure, Chrome is in the middle and Internet Explorer is the most secure.
    However, what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities and thus pay more attention to Firefox.
    Chrome may have the second most because they offer a bounty program so researchers pay more attention.
    Internet Explorer may have the least because they require more quality assurance overhead before creating a patch.
    The point is, any conclusion drawn from the data is speculation and the data does not aid in discovering which browser is most secure."


    Only the bold part is discarded as 'naïve'.
    Did you notice the following word 'However'?
    That's where they start the 'let's go wild speculation' tour until the last sentence, when all of a sudden any conclusion drawn is silly speculation.
    But smartly put, only silly if it's based on the data.
    Their gut feeling or hunch or guesstimate or whatever was reason enough though to write down the possible reasons for the different scores.

    Just face it Hungryman, I know you're tenacious but you just can't make this turd smell like perfume. It's a turd. And it smells really bad.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Their conclusions, hypothetical and (as they pointed out) purely speculative as they are, are seemingly biased.

    I've said that right from the beginning.

    It really doesn't belittle the research in my opinion. I haven't seen a paper this comprehensive before dedicated to browser security.
     