SOLVED Browser Security discussion continued

[Ace]

Discussion broke off from this THREAD ...

IE9 (and IE8 for XP users) continues to prove itself to be the most secure browser so I sure would not blow it off. That is not to say the others are insecure, it just means you cannot use security as an excuse to dismiss IE. That would be naive at this point in history. Since the requirement to practice safe computing to keep your computer safe and secure is the same, regardless the browser of choice, your choice of browsers is just that, your choice. Pick the most current version of the one that has the "look and feel" you prefer.

That simply is not true. 10 years ago maybe (because of "badguys" not MS), but not today with Windows 7 (especially 64-bit Windows 7) and IE9. The computer user, always the weakest link, is the one that invites malware - not Microsoft.

Problems with IE are most often caused by misbehaving or corrupt add-ons. I would reset IE and see what happens. And if me, I would dump Norton 360 and Registry Mechanic. Spending money on an anti-malware solution is a waste of money when there are several very capable and free (with much less bloat) solutions out there, like the widely popular, MSE. And Windows 7 does not need any program that dinks with the registry.

Actually I disagree, IE 8, or IE 9 are still not the most secure. Microsoft has enough money to fund reviewers with some extra "initiative" to put them at the top, and it was proven in the past. IE is also the most targettable browser out there for hackers undoubtedly, which puts them at a higher risk. IE is definitely not as great as you think. I have been in the notion that Firefox is the most secure, and quite honestly it's proven that to me a few times with how strict it is for third party scripts to execute on a few pages that were deemed malicious. However i've done tons and tons of research on this in the past. Started looking into it about 2 or 3 years continuously now, and i'm reading that Opera is one of the most secure now. Google chrome was terrible back when they first came out, but their ability to isolate tabs and treat them like new processes is a security feature alone, because it won't affect your other open areas, in case say a script from one page is reading your (current) browsing sessions.

Not to mention IE is considerably slow on top of all of that, I know for a fact that it's not the best out there. I don't trust everything I read too knowing that Microsoft has tried to put out money for the better word on their part in the past. That could be with anything you read on the internet though.

 

[Digerati]

Actually I disagree, IE 8, or IE 9 are still not the most secure.

I provided a link because I don't expect anyone to simply believe me. You provided nothing - just blind following of rumors. Did you do any research before making these claims? You say you did but it would seem not. This is just MS bashing - now with false, unfounded claims about the integrity of NSS Labs, and that's sad. Since 2009, NSS Labs has accepted NO funding from any of the browser makers.

Microsoft's past has nothing to do with today. It is time to let your prejudices go. They don't apply anymore! NO DOUBT, Microsoft has used some questionable marketing tactics in the past, well deserving of bashing - and I've been right there - especially with their ill-conceived and poorly executed "Outreach Teams". But that does not apply here. MS has taken security seriously since buying Giant Antispyware and giving it away as Windows Defender.

If you check, you will see dozens of reputable sites have reported the NSS Labs findings, without debunking the report. Why? Because the reports are true. And I say reports because they come out every 3 months, and since IE8, IE has been on top - when it comes to malware that uses social engineering distribution methods - one of, if not the most common form of distribution (see Ed Bott's comments below).

New Report - NSS Labs Q3 2011 Report, note where it says,

It became obvious from this worldwide test and our recent European and Asia-Pacific tests, in comparison to our earlier global tests, that Microsoft continues to improve their IE malware protection in Internet Explorer 9 through its SmartScreen® Filter technology and with the addition of SmartScreen Application Reputation technology. With SmartScreen enabled and Application Reputation disabled, IE9 achieved a unique URL blocking score of 89.5% and over-time protection rating of 96%.

With a protection rating of 13.2%, Chrome 12 offered inferior protection to IE9, yet superior protection to Opera, Safari and Firefox.

Note this April 2011 Ed Bott Report. He provides an excellent explanation of social engineering. Note these excerpts:

Summary: Social engineering has become the dominant method of distribution for fake antivirus software these days. Google Chrome puts you at risk: in my testing, malware broke through Chrome’s defenses in four clicks. Internet Explorer 9 flags the exact same sites and files as suspicious.

Of special interest to me was his closing comment about the commitment Microsoft has made (in terms of money and people resources),

This kind of improvement isn’t just a matter of clever code. It takes a tremendous investment in back-end services and a huge commitment of resources—people and money—to do the necessary analysis. This is one feature that other browser makers—especially Google—desperately need to copy.

Is Microsoft paying off the U.S. Government too? I recommend anyone interested in security to sign up for the US Government's CERTS Vulnerability Bulletins. I note in this Aug 1, 2011, US-CERTS Report Chrome had 14 High (the highest rating) vulnerabilities reported that one week! The Aug 15, 2011, US-CERTS Report showed Firefox with 13! If you go back through the archives, you will see Firefox leads (in a bad way), by far. Chrome is much better than FF, but IE 8 and 9 have had much fewer than Chrome.

So, (1) an independent lab, (2) a distinguished author and IT journalist for ZDNet - a company never noted for their love of Microsoft, and (3) the Department of Homeland Security, United States Computer Emergency Readiness Team's official report and summary of new vulnerabilities recorded by the National Institute of Standards and Technology (NIST) all clearly find IE, in particular, IE 9 is tops in security, with Chrome a distant second, and the others further down.

You are certainly entitled to your opinion about which has the look and feel you like, but don't make statements of facts unless you back them up with supporting evidence - ESPECIALLY when it comes to security. Otherwise, you put your foot in your mouth, as was done did here.

So I say again, you cannot use security to dismiss IE - or Microsoft, for that matter.

As for speed - security trumps all. But to that, so what? So what if I have to wait 2/10s of second longer with IE? If it keeps my children and grandchildren safe, and my identify safe from badguys, the typically imperceptible speed difference is well worth it, in my book.

Interesting comment here: Datadownloading.com - Top Fastest Internet Browser 2011,

Internet Explorer 9 is only the securest browser not the fastest browser.

 

[Ace]

Summary: Social engineering has become the dominant method of distribution for fake antivirus software these days. Google Chrome puts you at risk: in my testing, malware broke through Chrome’s defenses in four clicks. Internet Explorer 9 flags the exact same sites and files as suspicious.

This points towards social engineered risks, which will always still be dependant on the user. With the new UAC control lots of users have been careless about allowing things to their computer because they find it annoying, and with UAC it's not necessarilly as much to protect you directly from malicious files, but more just to warn you, which would be the same event that this "flag" would be giving you.

You point towards general security with general security flaws. The flawed test you linked to claims to show how well a it blocks socially engineered malware. That means that it isn't the browser, but the user who determines the security. The user needs to click that file to download it, and then choose to run it on his computer. The test claims to show how each browser prevents the user from running that file on his computer right away, so to speak.

NSS Labs and Microsoft seem to want to fool people into thinking that it is the most secure, and by testing only that. Where is the other half of hiding the cookies locations so that hackers can't retrieve it from your computer as easily? Blocking and dealing with isolating malicious files more effectively? (Other than just a warning), and more other general security features. The fact that IE is a much more tempting target for hackers alone makes it "less secure." because as you said it's MS bashing. Some people hate Microsoft, i'm not a big fan of them in particular, but that's not just based on their name that i've been looking at. My outlook on them has been well deserved by their actions in a few cases in history.

If you want to look at security, look at something like secunia.com, which shows that Opera has fewer security holes in comparison to any other browser, and also patches security holes much faster.

The point is that the NSS Labs reports, nearly all of them, use flawed methodology, a poor sample of sites in which could be accounted for from as few as 10 external sites for testing, and not one person as far as I know has independently been allowed to look at the tests to verify them. In other words, it's pseudoscience.

All browsers block malware sites. The rest of them are quotes from people that don't provide any legit testing or reviews like you claim i've done in my first comment.

distinguished author and IT journalist for ZDNet - a company never noted for their love of Microsoft

As for this "Department of Homeland Security". You never can tell. Lots of things have been funded by the government, and government is driven by money. People have funded the government to pay for false statements on websites, TV, radio, etc... And I won't believe any of that until I can prove what I say. Personally I haven't found any security in IE outside of what you SEE. They seem to want to show you that they are secure, even with this socially engineered malware protection per say, but in the background, are they really? and how do you prove that? How well are they secure outside of letting you choose how secure you are on the browser? (The only protection i've noticed is that popup for downloading a file or analyzing the incoming data from a website).

I know that it hasn't blocked much java activity and different scripts from running as well as Firefox has done, (Chrome seemed to block it as well). It was a script that to my knowledge would run and steal cookies from your computer that could have possibly contained private secure data from previous internet sessions i've created from browsing. Chrome I know though for a fact, does handle onboard scripts more stricly than IE and Firefox. (It was proven with my knowledge from trying to develop a script for an extension, which wouldn't allow me to run it locally or externally as a file like my Firefox does with my addon for it)

In the end do you think anyone cares about security in the fullest for computer users other than the computer user themselves? It's all because of competition that it has advanced us this far, everyone wants to prove they are the best to get more sales and reputation. But that doesn't always mean that it's achieved through valid/proper means, which is why I have my own say on what I believe and what I don't believe. I'm the kind of person that has to see something firsthand to show what I really believe as true or false. So I have done personal testing, in which I can't show because those tests are terminated by now. I never thought I would need them to show out there because it was only for my personal use anyway.

 

[Digerati]

Where's your corroborating evidence for any of this? I am sorry but this is just nonsensical babble. Simple bashing by someone who admits they are prejudiced by the past.

My outlook on them has been well deserved by their actions in a few cases in history.

I don't have much good to say about Microsoft's past business and marketing practices either, but those have nothing to do with the quality of their products!

I'm the kind of person that has to see something firsthand to show what I really believe as true or false

:lol: And then, apparently, you expect others to automatically believe you and that it is okay to push your opinion on others. That does not work in technical discussions.

Note I have not based my statement on my opinion. I have not even given my own opinion because I deal with the facts. And you have provided none.

I may be arrogant, but I am not so arrogant to expect everyone to automatically believe what I say because I say so. So I provided evidence to MULTIPLE alternative sources to support what I said. You provided nothing! You just claim you ran tests but you failed to post your methodology - how ironic you bash others for doing the same thing.

NSS Labs and Microsoft seem to want to fool people into thinking that it is the most secure, and by testing only that.

What a silly, and misinformed statement!!! (1) Microsoft has nothing to do with the tests and (2) the stated purpose of the tests is to test protection from social engineering - which IS a major source of distribution for malware.

Your comments about Homeland Security, the US Government, and CERTS are just asinine. It is clear you have no clue the purpose of CERTS, or how it works and are just reaching for excuses to defend your weak position. I find that really sad.

Until you provide supporting evidence to your claims CERTS is corrupt, the NSS Labs findings are purposely skewed to favor MS, and Ed Bott is lying, I will take your comments as simple, biased MS bashing, and nothing more.

As I have said over and over again, you cannot dismiss IE due to security. And the steps you need to take to keep your computer secure (patched, updated, scanned and blocked) are the exact same regardless the browser you use.

 

[Ace]

Don't expect you to believe me, but you haven't provided any valid proof for your statement either, so i'm still waiting on that, since you eagerly want to disprove my opinion/comment about IE.

I have not even given my own opinion because I deal with the facts

Your facts are limited, you take the time to read my post on the things you want to reply to because you have something to say on whether or not my specific wording is wrong and only proves your statement farther, yet you didn't comment on the biggest concept of my last post.

What a silly, and misinformed statement!!! (1) Microsoft has nothing to do with the tests and (2) the stated purpose of the tests is to test protection from social engineering - which IS a major source of distribution for malware.

Major, (maybe), but not the only, which is where you go completely wrong with trying to prove to me based on what you think you know about IE being the most secure. Not saying you're wrong on what you've said, but you don't see the bigger picture here, which is really what every average computer would see in the view towards IE.

"It shows me warnings and popups that it's blocking dangerous stuff so it must be really secure because Firefox and chrome don't do that"

As said, I could do without the visual, and no security protection against socially engineered malware. Because I am more aware of what I do with internet connection to my computer. I don't need a popup to show me that something looks suspicious. I need to know that my browser has security outside of that computer protection for less knowledgeable people that don't use computers very often to know what is good and bad, or where the line is to show where they overstep their boundaries. Now to my main point, where is your proof that IE shows this? Right now i'm only focused on what you're attempting to prove to me here, in that just because IE protects well against socially engineered malware it's the best secure browser out there.(?)

Your comments about Homeland Security, the US Government, and CERTS are just asinine

Here's your opinion, so how can you prove to me that i'm wrong in any way for stating what I believe, and what others may think too? In my opinion that is being asinine.

Until you provide supporting evidence to your claims CERTS is corrupt, the NSS Labs findings are purposely skewed to favor MS, and Ed Bott is lying, I will take your comments as simple, biased MS bashing, and nothing more.

Touche, but I'm going to expect the same from you, and until then, you saying that i'm wrong about my claims toward them is still falsified to be given as facts that they aren't entirely corrupt.

As I have said over and over again, you cannot dismiss IE due to security. And the steps you need to take to keep your computer secure (patched, updated, scanned and blocked) are the exact same regardless the browser you use.

lol no... I shouldn't have to write out paragraphs for you here. You can do research before you get on my case about this too, but different browsers take different methods to protect a computer. They aren't the exact same. There's millions of different ways to code a function, some are better than others, some are more efficient and faster than others, some simpler, and some more complex, but they all work to some extent, and presumably, all have different security flaws. There is no true security, and no true one way of doing something in programming. I've been a programmer for several years now and I know this well.

My comments are uninfluenced here and remain unbiased, and strictly from reviews i've done, results i've seen from many different browsers i've used, and experience with programming which gives me a look into the way some of a web browser functions (especially the open source ones where I can take a look at some of the source codes to see what they are trying to do). Unfortunately IE doesn't do this but by the way it works, you can still gain some insight on some of the methodology they use for secure browsing. I have no reason to hate or dislike any side specifically. I'm speaking here strictly on the products.

 

[Digerati]

Don't expect you to believe me, but you haven't provided any valid proof for your statement either

That's a total false hood and you know it. I provided several links. Of course I don't believe you. You have provided nothing to support your claims, just feculent blather.

(1) YOU have failed to prove or provide ANY evidence to support your claim CERTS is corrupt.
(2) YOU have failed to prove or provide ANY evidence to support your claim NSS Labs intentionally skews results
(3) YOU have failed to prove or provide ANY evidence to support your claim Ed Bott is lying.
(4) YOU have failed to provide ANY evidence to support ANY of your claims.

So it is apparent you are incapable and have no intention of defending your position, so this discussion is over.

Have a good day.

 

[Ace]

That's a total false hood and you know it. I provided several links. You provided nothing, just feculent blather.



So it is apparent you are incapable and have no intention of defending your position, so this discussion is over.

Have a good day.

(1) YOU have failed to prove or provide ANY evidence to support your claim CERTS is corrupt.
(2) YOU have failed to prove or provide ANY evidence to support your claim NSS Labs intentionally skews results
(3) YOU have failed to prove or provide ANY evidence to support your claim Ed Bott is lying.
(4) YOU have failed to provide ANY evidence to support ANY of your claims.

I am waiting for you to prove me wrong however still before attempting to call my comments 'asinine' which you have failed to do. So I see this on both sides so far.

1) You or me can't go up to Microsofts front door along with any of the other industries or organizations brought into this discussion to ask for any receits or certificates that will prove either of us right. And if we could, Microsoft would deny any kind of fraud for funding a test done for their product because why would a business fess up to something that they know was wrong in the first place?

2) For that reason, I can't call you're statements wrong or right, but vice versa, you cannot either.

3) I was pointing out that the tests done from the link you provided was based on a partial aspect of browser security, when there's a world outside of socially engineered malware. I haven't found much proof in the form of tests online that I can deem as confirmed for being 100% accurate, but I do know how my personal internet has been experienced which definitely has a factor on what I have to say about different browsers out there.

4) This debate could go on forever, but who will ever know true facts just because they hear something or they read something on the internet? How do you know true from false to validate anything against either side, being either with IE or against it.

That's where I stand. Microsoft MVP is a good title to hold, and I'm sure you have a reputation for it, but I like to raise some questions before believing anyone and anything. Debates are good, you can either learn more from them, help someone out with something you know, and to the worst, they can go no where like this one has been so far. I have intention to defend my spot, but right now it's been mainly consisting of defending my side against your "evidence" against my side. I can't provide you valid proof, and for you to say that you can or I can would be very arrogant, unless you do have some lucky realistic valid proof other than words off the internet saying that something has been done to prove something else. If I could get my hands on some solid evidence, then by all means try to provide that for me, but there's been holes in almost any kind of evidence i've found out there. I just know that IE doesn't focus as much of it's security past a first-hand brick-aide with security warnings similar to a UAC, which do help in some cases past socially engineered malware, but not against everything.

 

[Digerati]

I am waiting for you to prove me wrong

Now you are just being ridiculous! I already supported my facts with links to supporting evidence. YOU came in with silly claims of government corruption, influence peddling and accusations of conspiracy, and who knows what concerning Ed Bott's report. You have provided NO supporting evidence to even suggest you might be right. And you have provided NOTHING to show my evidence is wrong.

I already showed where you are wrong by showing where I was right. It is YOU who must prove your position, or prove where my provided evidence is wrong. You have made no effort to do either.

YOU HAVE PROVIDED NOTHING but more feculent blather.

So please, find someone to support your wild claims, or stop wasting our time.

Remember, you are a nobody. Just a poster on a forum. Just like me. Don't be so presumptuous to think anyone should believe you just because you say so. That's really silly, and beyond arrogance. Provide some corroborating evidence to your claims or don't make them.

 

[Ace]

Now you are just being ridiculous! I already supported my facts with links to supporting evidence. YOU came in with silly claims of government corruption, influence peddling and accusations of conspiracy, and who knows what concerning Ed Bott's report. You have provided NO supporting evidence to even suggest you might be right. And you have provided NOTHING to show my evidence is wrong.

You're making the same claim that i'm trying to point out to you here. For one, you mentioned that one reference of yours was noted for their love of Microsoft, so why would you provide them as a resource for proof to me? NSS labs even if they did provide a false report, didn't even do a full analysis of security anyways, and the others, you still have no proof to tell me validly that they are right. To me it's just quote's on a screen. I know what I have seen and read over time, and i'm not looking to prove anything here, you can look around and do more research for yourself in a non-biased view meaning you're not trying to look for what you want to see out there, and consider all the possibilities here.

You throw around words like "asinine" and "ridiculous" without meaning at all. I use them with integrity, you use them as punchlines as far as I see it. You still insist on framing every post of mine as ridiculous just because I can point out reasonable facts as to why we are on this topic, and that being because no one really knows. We use other peoples's "findings" out there as a guideline because not too many people have the tools or knowledge to prove anyone wrong or right.

I already showed where you are wrong by showing where I was right. It is YOU who must prove your position, or prove where my provided evidence is wrong. You have made no effort to do either.

I have done this in every post i've made to you, but whether my posts were too long for you to read or you somehow keep missing my point, you obviously have not seen where I have tried to do this politely. Socially engineered malware is a mere Fraction of security in online internet browsing. You trying to prove to me that this makes IE the strongest out there is falsified with many holes. When people do research, they don't just say that because, per say, because a feather falls to the ground that it's all because of gravity. How do you account for that, and why it couldn't be anything else like airflow? density in a medium (being air in this case), and others? Same scenario here. You have only proved a fraction of the battle, and for that I can give you credit. But how do you know IE is great for security in other fields, and where is your PROOF to show me for that before you blatantly call me an idiot? I am looking for that, yet you avoid the question with your "blather" about how I have never proved anything here, and just for that, that I am wrong, which is twisted logic. This leads me to my next quote:

YOU HAVE PROVIDED NOTHING but more feculent blather.

So please, find someone to support your wild claims, or stop wasting our time.

Remember, you are a nobody. Just a poster on a forum. Just like me. Don't be so presumptuous to think anyone should believe you just because you say so. That's really silly, and beyond arrogance. Provide some corroborating evidence to your claims or don't make them.

I could quote your reply in a response back to you as well, and it's all fair and game. I never expected anyone to believe me, but i'm raising valid points as to why your ideas about IE could be wrong (I said "could", and because for you to tell me that you are absolutely right is wrong. You don't know that, I don't know that. But I know what I have seen and read in the past and present about quite a few browsers out there. And that isn't to prove you anything, I only need that information for myself, but you could take the initiative to do some testing and more research yourself if you are really determined to figure out a better solution for a web browser, IF IE isn't already the best).

Links you've provided me with proof came from Microsoft subnets, and Microsoft enthusiasts in some cases. To me I wouldn't rely on something like that. And it's the same reason for why I don't use official AV websites to see if they are good or not. Going to the symantec website to see how good Norton is, is just a waste of your time, going to Bitdefender to see how good norton is, is a waste of your time, but going to an outside, non-biased source (kind of like the referee in between) is probably more reliable.

I never would have expected from a Microsoft MVP that it would turn into more of a personal beliefs argument, but it would be more responsible of you to not say that i'm entirely wrong for the reasons i've given. I never claimed that you were wrong, I only wanted to see your reasoning for why you enjoy IE so much as being the most secure browser. I would choose sources more wisely as well.

Since you want proof so badly, i'm not going to provide it here in this post. I will go out and try to see what I can gather as information based on as far as I know with browser testing and information I can find. I'm not going to whip up something quick just to try and prove you wrong. I'll take some time out of my day to go ahead and do this.

 

[Digerati]

I have done this in every post i've made to you

Wrong! Another falsehood (do we need to say what falsehood means?) as everyone can plainly see for themselves by reading back through this thread. You have not provided a single link or shred of evidence to support any of your claims.

So here are the claims you made and what I expect you to provide corroborating evidence or else you are just wasting more time.

1. That NSS Labs skews their data as influenced by Microsoft
2. That the US Department of Homeland Security, specifically, CERTS is a corrupt organization that shows favortism towards Microsoft.
3. Ed Bott is wrong.​

If you can do that, don't waste our time. If your response does not include links to supporting evidence, I will not bother wasting my time reading it.

 

[TrainableMan]

It is pointless for you to try and convince each other so just agree to disagree. As I feared this is going to get heated by at least one of you so I will close it now.

The truth is I haven't even read half of this because it goes on & on!

People will use a browser because they like how it looks and feels and maybe how fast it works. Security, possibly unfortunate for them, is probably the last thing the basic and average user care about; they leave that to their A/V.

 

[Nibiru2012]

I KNEW you were gonna do this TM! I thought it would happen, just a few minutes ago as a matter of fact! LOL! You crack me up!

 

[clifford_cooley]

Thanks TM, I was getting close to closing the thread myself.

 

[TrainableMan]

It is one of those debates like Republican or Democrat. It gets very heated and yet few ever change their opinion so it is best to just shut it down and just let it go.

 

[Kougar]

If all the mods don't stop replying to a closed thread I'm gonna re-open it with an actual reply to both sides regarding the heart of the issue!!