Browsers shouldn't carry the can for poor security

Secure browsing is a prime concern of users these days, but it is hard to make the link between security levels and browser choice, says Rik Ferguson
Written by Rik Ferguson, Contributor

Despite the endless debate about online security, the fact remains that your browser alone will not keep you safe — whoever made it, says Rik Ferguson.

Last month, Microsoft started offering Windows users a choice of 12 browsers, as part of a deal with the European Commission.

Microsoft's browser-ballot screen has exposed millions of users to a choice that in many cases they may not have even been aware they were able to make. The ballot pop-up in Windows presents users with a randomised list of the five most popular applications for browsing the web — Internet Explorer, Mozilla Firefox, Safari, Opera, Google Chrome — plus seven others less well know programs.

There has been endless debate about which browser is the most secure. That's understandable because security is a prime concern when browsing these days. But security levels linked to browser choice are almost irrelevant.

Zero-day exploits
One example of this is the recent European government recommendations to switch from Internet Explorer to an alternative browser, following a zero-day exploit. Shortly after that, web users in Germany — businesses and consumers alike — who had made the switch to Firefox were urged to move again, this time from Firefox to another web browser as a measure against yet another zero-day.

Every browser has its flaws, vulnerabilities and lack of patches, as Pwn2Own at CanSecWest showed again recently. It is also worth noting that, apart from the browser itself, many attacks we are now seeing are aimed at the application plug-ins such as QuickTime, Flash or Acrobat, which are typically used in multiple browsers.

These exploits are realised through attackers crafting malicious versions of the various file types, which are intended to be viewed within a web browser. Since these vulnerabilities are not attached to the browser software itself, almost all web browsers regardless of brand are open to such attacks.

As alternative browsers battle for the top spot in the market, they are increasingly focusing on the security angle to attract and retain customers because of the public preoccupation with ensuring a safe computing experience.

Security tools
It's different strokes for different folks, and various security tools or techniques require varying degrees of familiarity with the browser, with technology — or with threats in general — to protect you effectively without ruining your internet experience beyond redemption.

Instead of switching browsers on the fly, users should update their security products and ensure systems applications and plug-ins are up to date at all times. It is also important to be wary of links, files and downloadable data on websites and any data that comes from unknown sources.

Disabling scripting — again, both in the browser and in other applications such as Acrobat Reader — or at least confining its use to trusted sites is also a good option to avoid falling prey to exploits that abuse script files.

In most cases, the best advice is stick with the browser with which you are most familiar, but take steps to secure it. If you succumb to a knee-jerk reaction and suddenly jump to a different browser, the resulting unfamiliarity may leave you less secure than before the change. Your browser will not keep you safe, whoever made it. You need to take steps to keep yourself safe, whatever browser you choose.

Rik Ferguson is senior security adviser for Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.

Editorial standards