Saturday, 22 August 2009

How secure is your browser?

You can learn a lot from the crims here:

Criminals running websites that push drive-by exploits overwhelmingly prefer the Firefox browser, according to a researcher who spent the past three months surveilling their browsing habits.

Mozilla's Firefox was used by 46 per cent of the exploit kit operators who were tracked in the study, according to Paul Royal, principal researcher at Purewire, a company that protects customers against malicious websites. One third of the Firefox users browsed using a 3.0 version, while 13 per cent had upgraded to the most recent 3.5 version.

Interestingly, Opera, which by some measures has only a 2 per cent market share, ranked second among the kit operators, with 26 per cent.

"I think that's probably because operators have a familiarity with the web threat landscape," Royal told The Register, suggesting that many black-hat hackers take a security-through-obscurity approach to making sure they themselves don't get hit. "It makes them wary of using mainstream browsers."


In a nutshell: use Firefox with the NoScript add-in and make your browsing life 90% more secure.

11 comments:

nbc said...

I guess that Firefox is popular as many of the criminals are using Linux-based systems, which would rule out IE by default.

Alternatively, it could be that they're just fucking cheapskates and won't pay for an OS.

I agree with you that NoScript is good, but it isn't a silver bullet.

micri said...

I tried NoScript, but found so many sites were missing various bits that I gave up and removed it.

It strikes me that the more secure you wish to be, the less enjoyable using the internet is going to be. I think most knowledgeable people will accept some degree of risk.

Those still using old versions of IE, and unpatched O/S's, or with little or no Anti Virus/Spyware protection are going to be the easy targets.

microdave said...

Bollocks! hit the send key too soon - should be microdave, not micri....

bayard said...

@microdave I agree: an awful lot of websites don't work properly with Linux/Firefox (including this one), but Linux/Firefox is a damn sight more secure.

David Gillies said...

I have NoScript at work where it matters but it's a right pain in the ringpiece.

The Paragnostic said...

nbc - NoScript is a sight better than waiting for vendors to fix exploits.

Besides, you can't get Interweb Exploder for real operating systems, so IE's right out of the game.

You can, however, run Firefox quite happily on insecure toy 'operating systems' emanating from Redmond, and it does perform better than IE and (with NoScript regularly updated) keeps you slightly more secure.

Running IE on Windows is akin to wearing no trousers on a Corfu yacht - you expect to get fscked.

nbc said...

@ paragnostic
Your reading comprehension needs some work.

microdave said...

I've just found the perfect solution to Internet Security:

http://www.theonion.com/content/video/google_opt_out_feature_lets_users?utm_source=b-section

Anonymous said...

I use either Firefox or SeaMonkey. I have Firefox 3.5, but I believe SeaMonkey 1.1.17 is faster. I'm not sure about the security side of it, though; any help/advice would be appreciated.
John

Anonymous said...

Forgot, I just downloaded Firefox 3.5.2, but haven't really tried it.

The Paragnostic said...

nbc - from the tone of your comment I naturally assumed that you were a Microsoftie.

Please excuse my excessive extrapolation - perhaps you should have made it clear that the reason the crims use Linux is because it's more secure?