James O'Neill's blog

Windows Platform, Virtualization and PowerShell with a little Photography for good measure.

IE 8 is safest. Fact.

IE 8 is safest. Fact.

  • Comments 2
  • Likes

Every now and then a news story comes up which reminds us that if people with bad intentions, even sensible people can fall into traps on-line. There was one such story last week where friends of the victim said she was “the sensible one” – if she wasn’t unusually gullible it could happen to anyone. I wrote about safer internet day recently and it’s worth making another call to readers who are tech savvy to explain to others who are less so just how careful we need to be trusting people on-line.  I got a well constructed phishing mail last week claiming to have come from Amazon I would have fallen for if it had been sent to my home rather than work account – it’s  as well to be reminded sometimes we’re not as smart as we like to think.

I’ve also been reading about a libel case. I avoid making legal commentary and won’t risk repeating a libel: the contested statement said that something had been advocated for which there was no evidence. I read a commentary which said something to the effect that in scientific disciplines, if your advocacy is not in dispute and someone says you have no evidence for it, you produce the evidence. Without evidence you have a belief, not a scientific fact.  This idea came up on later in the week when I was talking to someone about VMware:  you might have noticed there is a lack of virtualization Benchmarks out in the world, and the reason is in VMware’s licence agreement (under 3.3)

You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that VMware has reviewed and approved of the methodology, assumptions and other parameters of the study

imageTesting, when done scientifically, involves publishing ,methodology, assumptions and other parameters along with the test outcomes and the conclusions drawn That way others can review the work to see if is rigorous and reproducible. If someone else’s conclusions go against what you believe to be the case, you look to see if they are justified from the outcomes: then you move to the assumptions and parameters of the test and it’s methodology. You might even repeat the test to see if the outcomes are reproducible. If a test shows your product and yours is shown in a bad light then you might bring something else to the debate. “Sure the competing product is slightly better at that measure, but ours is better at this measure”. What is one to think of a company which uses legal terms to stop people conducting their own tests and putting the results in public domain for others to review ?

After that conversation I saw a link to an article IE 8 Leads in Malware Protection . NSS labs have come out with their third test of web browser protection against socially engineered malware*. The first one appeared in March of last year, and it looks set to be a regular twice yearly thing. The first one pointed out that there was a big improvement between IE7 and IE8 (IE6 has no protection at all  if you are still working for one of the organizations that has it, I’d question what you’re doing there).
IE 8 does much better than its rivals : the top 4 have all improved since the last run of of the tests. IE was up from 81 to 85% , Firefox from 27 to 29%, Safari from 21% to 29% and Chrome from 7% to  17%:

Being pessimistically inclined I look at the numbers the other way round : in the previous test we were letting 19 out of every 100 through, now it’s 15 – down by 21%: in the first test we were letting 31 of every 100 through so 52% of what got through a year ago gets blocked today. Letting that many through means we can’t sit back and say the battle is won, but IE8 is the only Browser which is winning against the criminals:  Google,for example, have improved Chrome since last time,so it only lets through 83 out of every 100 malware URLs -  that’s blocking 11% of the 93 it let through before from each 100. With every other browser the crooks are winning, which is nothing to gloat over - I hope to see a day when we’re all scoring well into the 90s.

I haven’t mentioned Opera – which has been have been consistently last, and by some margin, slipping from 5% in the first test to 1% in the second to less than 1 in the most recent. In a spirit of full scientific disclosure I’ll say I think the famous description of Real Networks fits Opera. Unable to succeed against Safari or Chrome , and blown into the weeds by Firefox,  Opera said its emaciated market-share was because IE was supplied by default with Windows. Instead of producing a browser people might want, Opera followed the path trodden by Real Networks – complaining to the European Commissioner for the protection of lame ducks competition. The result was the browser election screen.

I’m not a fan of browser election screen – not least because it is easily mistaken for Malware. To see the fault let me ask you, as reader of an IT blog, which of the following would you choose ? 

  1. The powerful and easy-to-use Web browser. Try the only browser with Browser-A Turbo technology, and speed up your Internet connection.
  2. Browser-B . A fast new browser. Made for everyone
  3. Browser-C is the world’s most widely used browser, designed by Company-C with you in mind.
  4. Browser-D from Company-D, the world’s most innovative browser.
  5. Your online security is Browser E's top priority. Browser-E is free, and made to help you get the most out of the web.

You might say (for example) “I want Firefox”, but which is Firefox in that list ? You are probably more IT savvy than the people the election screen is aimed at and if you can’t choose from that information, how are they supposed to ? You see, if you have done your testing and know a particular browser will meet your needs best, you’d go to it by name you don’t need the screen. People who don’t know the pros and cons of the options before seeing the screen might just as well pick at random - which favours whoever has least market share – which would be Opera.

The IE 8 Leads in Malware Protection  article linked to a post of Opera’s complaining that the results of the first test were fixed “Microsoft sponsored the report, so it must be fixed!” If we’d got NSS labs to fix the results a year ago would we stipulate that Opera should be so far behind everyone else? Did we have a strategy to show Opera going from “dire failure” to “not even trying”? Or that IE8 should start at a satisfactory score and improve over several surveys with the others static  ? But to return to my original point: the only evidence which I’m aware of shows every other browser lets at least 4 times as much Malware through as IE. The only response to anyone who disputes it is let’s see your evidence to counter what NSS labs found.Google have spent a fortune advertising Chrome: if Chrome really did let fewer than 5 out of 6 malware sites through they’d get someone else to do a [reviewable] study which showed that.

And since we’re back at the question of evidence, if you want are asked for advice on the election screen and you want to advocate the one which will help people to stay safe from Phising attacks – I don’t think you have any evidence to recommend anything other than IE.  But remember it’s not a problem which can be solved by technology alone. Always question the motives of something which wants to change the configuration of your computer.



Comments
  • <p>Interesting article James but you missed one key point of the test - The NSS study did not take into account vulnerabilities in the plug ins or browser itself.</p> <p>Thats a pretty big hole given that that plug-ins in particular are probably the biggest hole in browser security at the moment! &nbsp;I couldn't comment on which of the browsers has the most holes as it seems to me that only MS are open enough with that information.</p> <p>The NSS test is only looking at social engineering which no broswer can ever prevent 100%. &nbsp;I would argue that I could use Opera as safely as IE by using good firewall, anti-virus, anti-malware and intrusion detection products as well as having the sense not to ever open links in e-mails and always going direct to sites such as Amazon, online banking, etc.</p>

  • <p>Ran out of room on last post! &nbsp;I would add that I use firewall, AV, IDS, etc as a matter of course even when using IE8 and would suggest that it is (unfortunately) a basic requirement for any device connected to the internet (Apple fans take note!).</p> <p>Also, I realise the article was primarily talking about social engineering but you'd hope those of us in IT would know enough to prevent the obvious ones catching us out. &nbsp;For the average non-IT user the more the browser can do the better but as I said no browser (or indeed any bit of software) can ever account for the things people get taken in by.</p>

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment