UK's security branch says Ubuntu most secure end-user OS

Summary: CESG, the UK government's arm that assesses operating systems and software security, has published its findings for ‘End User Device’ operating systems. The most secure of the lot? Ubuntu 12.04.

I've been preaching the gospel of Linux security for decades now, but it's always nice to see proof-positive from an independent organization that Linux is indeed the most secure operating system around.

The Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues, has found that while no end-user operating system is as secure as they'd like it to be, Ubuntu 12.04 is the best of the lot.

In late 2013, the CESG looked at the security of the most popular end-user operating systems for desktops, smartphones, and tablets [PDF Link]. This included Android 4.2, Android 4.2 on Samsung devices, iOS 6, Blackberry 10.1, Google's Chrome OS 26, Ubuntu 12.04, Windows 7 and 8, Windows 8 RT, and Windows Phone 8. These were judged for their security suitability for OFFICIAL level use according to the UK Government Security Classifications (PDF Link). This is the UK government's lowest security level.

According to Canonical, Ubuntu's parent company, "No currently available operating system can meet all of these requirements. Ubuntu however, scores the highest in a direct comparison." Ubuntu 12.04 is Ubuntu's latest Long Term Support (LTS) version, and it's recommended for use by businesses.

The CESG examined each operating system's security on the following grounds:

● Virtual Private Network (VPN)
● Disk Encryption
● Authentication
● Secure Boot
● Platform Integrity and Application Sandboxing
● Application Whitelisting
● Malicious Code Detection and Prevention
● Security Policy Enforcement
● External Interface Protection
● Device Update Policy
● Event Collection for Enterprise Analysis
● Incident Response

Ubuntu has three problem areas that kept it from a perfect score. Others had more. Windows Phone 8 has the most "Significant Risk" items with two and Blackberry 10.1 Corporate has the most "Some Risk" areas with six. Where Ubuntu could stand improvement is in VPN, Disk Encryption and Secure Boot.

For VPNs, the CESG found that Ubuntu's "built-in VPN has not been independently assured to Foundation Grade." That means, technically Ubuntu's VPN is good enough, but it hasn't been shown to meet the security requirement by an independent third party. Canonical hopes to get its VPN approved by April's Ubuntu 14.04 release.

Ubuntu faces the same problem with its built-in disk encryption tools: Linux Unified Key Setup (LUKS) and dm-crypt. Canonical is seeking a company or organization to put its disk encryption software through the assessment process.

Like all Linux distributions, Ubuntu does support Microsoft's version of Unified Extensible Firmware Interface (UEFI) Secure Boot. They're just not happy about it.

Canonical's current position, from Ubuntu 12.10 onwards, is "to adopt Grub2 as the default bootloader, with support for Secure Boot, but with an ability to turn off secure boot to modify the OS, if required. We believe this gives users and enterprises the best compromise between security and ability to customize after sale."

Problems aside, the simple truth is that if security is what you want most from desktop, smartphone, or tablet operating systems then Ubuntu is what you should be using.

True, security is always a moving target, but year in and year out, Linux-based operating systems are more secure than their competition. As Windows XP's support clock ticks to its end of supported life, Ubuntu should be considered for your most security-sensitive desktops. Its smartphone and tablet side, Ubuntu One, is still a work in progress. The most secure mobile operating system for now is Android on Samsung devices.

Talkback

55 comments
  • Who determined that the most secure mobile OS is Android on Samsung?

    I would imagine there are many that would rightfully disagree with that.
    William.Farrel
    • Android security problem is mostly just a myth

      just one of 100 000 malwares made for Android can even in theory cause problems - especially with Samsung Security API.

      I found immediately after successful breakthrough that there will be a massive FUD campaign by certain corporate (and you should know the name of that FUD poster and its moles in media).

      Funny how they never really scared folks with thousands times bigger danger for those using Windows PC because this is the ecosystem people really should worry. E.g. every Windows PC is pre installed with NSA spyware.
      Napoleon XIV
      • Android security problems are reality...

        ...they just tend to require the user to root/allow 3rd party software/install a questionable app off Google Play - basically, require the user to make a mistake. That's a common issue with any Operating System.
        Don't get me started on this NSA hearsay.
        SupaRawr93
        • Android is the most secure mobile OS platform....

          ....so long as you are careful to avoid actively downloading and installing malware from random Internet sites.

          NSA provides a version of Android for US government and military and security services high security use. Why? because it is the most secure from cracking by foreign intelligence agencies.
          Mah
          • Android is the most secure mobile OS platform... in your dreams

            Yeah so basically Android is really secure as long as you don't use it at all.

            Since Play Store's delivery mechanism is fundamentally flawed and relies on end user checking the safety of the applications, Android users cannot download anything safely from it let alone from outside sources.
            Maraschino
          • As much as I love my android phon

            I imagine you are right. Windows phone is probably the most secure just based off of Microsoft's extensive experience in dealing with malware, and blackberry has a proven track record spanning a decade.
            blarelli
          • The Rise And Fall Of Redmond Empire

            There is still lots of talk about Windows "92% marketshare of pc". Although subsequently much would be made of Linux failure (desktop) this is simply a species of boasting by Windows advocates and moles in media, akin to a man claiming he was in good shape because his head was still on his shoulders while his arms and legs had been cut off.

            Down below there in bottom line are the pure facts: over 60% of new devices are now run by Linux and Windows is indeed in free fall.
            movetolinux
    • He quotes...

      "The Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues".
      John L. Ries
    • different Gnu&Linuxes?

      Hi :)
      So they only tested 1 Gnu&Linux and ignored all the bits that are not default.

      This is a typical UK gov type test. Step 1 is to avoid testing anything and step 2 is to say that tests have not shown anything. "There is No"??? They mean none in the sample.

      Outside the sample and even using non-default settings inside the sample there are highly likely to be systems that completely fulfill all their requirements.
      Regards from
      Tom :)
      Tom6
  • Be Serious...

    Stating that "Windows Phone 8 has the most 'Significant Risk'" completely discredits this paper. The OS is in fact so restrictive that most developers find it not versatile enough.

    Anyhow, this paper is being talked about here because it is comforting for SJVN in his deep beliefs. Windows is bad, Linux is better.

    For sure, a platform with less than 0.5% of the computing user base is not very attractive for malware writers. This has been talked about ad nauseam in these forums.
    TheCyberKnight
    • The report also stated that many red was

      "that it was tested, but that the software itself has not been independently assessed to make sure that it hasn’t been tampered with during the development process.

      You can also see from the comments made on each detailed assessment that nobody meets this requirement fully at this time.

      The best you can hope for is technical compliance with , which is the case for Ubuntu 12.04

      or independent assessment complete but missing technical features, like Windows 8, for example."

      In other words, once the verification and independent, and other data are in, things will change.

      It didn't say that Ubuntu was the most secure, it stated that it met many requirements but also had independent assessment pending at the time of this publication.
      William.Farrel
      • What the study stated

        "As you can see from the table the only OS that passes as many as 9 requirements without any “Significant Risks” as independently assessed by CESG is Ubuntu 12.04 LTS"

        That is what the study stated verbatim.
        WhoRUKiddin
        • Right. But read the entire report

          to fully understand what is being said.

          SJVN said "see Ubuntu is the most secure" but the report never said that.

          " The key phrase is "as independently assessed". Not everybody's been/done with the independent assessment yet is what I'm reading from the article.

          Sure you can quote one sentence out of a book verbatim to claim anything, I'm just all for taking things in the context originally presented, something SJVN is not well known for.
          William.Farrel
          • Relax, I'm sure

            Microsoft will pay someone else to do a study that shows all Windows OSes are the safest in the world.
            WhoRUKiddin
          • Ubuntu is not even near the most secure OS

            because Debian Linux and FreeBSD are surely much more secure. Besides one Ubuntu developer himself posted last November anti Linux Mint FUD claiming Mint has security issues. Actually - even Mint is more secure than Ubuntu.
            Napoleon XIV
          • Ubuntu is not even near the most secure OS

            I do agree. Debian (Linux), CentOS (Linux) and likely FreeBSD too are more secure than Ubuntu.

            All Windows- and Mac-fanbois should finally admit these facts and stop posting nonsense. Windows has never been and likely would never be secure enough for operation system. It was never even made for internet world because it's just a stand-alone computer operation system. What especially Americans should know is that Mac OS X could really be even worse than Windows.
            MacBroderick
          • They are talking about client OSes

            ...in other words "End User OS"
            Mah
          • Off Radar

            EEEEE. EEEEE. EEEEE. Shake in your boots — check that — get some boots and quiver in fear Windows and OS X users. Your arrogance in not recognizing the Linux (and begrudging, possible FreeBSD) superiority will be punished.

            I put OpenBSD above FreeBSD as far as security goes. The Linux advocates tend to forget that there are variations in the BSD world. The PC-BSD folks have done some interesting work with application sandboxing. OpenBSD was focused on security. NetBSD on running on anything. It's about choosing priorities and developing accordingly. The user/administrator makes a choice based on what they want to do and how much time they are willing to put into support of their implementations detail.

            Let's turn to the big kids. Security has a cost in ease of use. Those who are making operating systems aimed for mass use have that problem in addition to the problem of supporting diverse hardware.

            So, if I was absolutely, totally set to have security as my number one requirement, I'd be running OpenBSD on a desktop and dealing with the piecemeal updates in all the ports, especially the gui ones.

            But I'm not.

            And, that said, I worry very little about the inherent security of the operating systems I've deployed. (OS X and iOS for daily use, Windows 7 via VMWare for some client work, Xubuntu via VMWare for deployment testing and graphic data transformation tools, and FreeBSD for code repository and web apps for clients.)

            And, frankly, there is a friction element in that I don't use Xubuntu that frequently, maybe once every 8 weeks, and when I return to it there always seems to be a kernel update which requires reboot and re-installation of vm tools. I was sort of hoping to do what I wanted and suspend out.

            Well, that's the cost of doing business.

            Anyway, I'm far more concerned that one of the pages I land on will have malware via compromised advertisement server or host.
            DannyO_0x98
          • Umm ... Ubuntu inherits all of Debian's security features ...

            ... and then does more on top of that (some of which moves upstream into Debian as well).

            Swing and a miss.

            But like most comments here, this has nothing to do with the definition of security being used in the report by the CESG.
            daboochmeister
          • Let's take a look at history (and the results were quite the same)

            http://en.wikipedia.org/wiki/Pwn2Own

            " Contest 2007

            The first contest was intended to highlight the insecurity of Apple's Mac OS X operating system since, at the time, there was a widespread belief that OS X was far more secure than its competitors.[4] The contest took place from Thursday, April 18 to Saturday, April 20th, 2007. "

            And the result:


            http://www.theregister.co.uk/2008/03/29/ubuntu_left_standing/

            "CanSecWest A laptop running a fully patched version of Microsoft's Vista operating system was the second and final machine to fall in a hacking contest that pitted the security of Windows, OS X and Ubuntu Linux. With both a Windows and Mac machine felled, only the Linux box remained standing following the three-day competition. "
            MacBroderick