With the launch of Internet Explorer 8 as the latest volley in the browser wars---IE vs. Firefox vs. Google Chrome vs. Apple's Safari---there's a lot of talk about speed, browsing improvements and rendering engines. Where does security fit into the equation?
Frankly, when I'm evaluating browsers---I use IE, Firefox and Chrome daily---security rarely enters the picture. Apple's Safari is the odd browser out for no reason in particular, but as hacker Charlie Miller notes Safari is the easiest to pop.
Safari on the Mac is an easy mark. Miller tells Naraine:
Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
Vulnerabilities have a market value. That means you need to ponder what browser bug could deliver the biggest bang for a malicious hacker. Miller notes that an IE bug is worth more than a Safari one.
Firefox on Windows is hard to exploit as is IE 8, according to Miller.
Google Chrome is tough to exploit because it takes a sandbox model---that's how Chrome can keep running even though a site crashes. In other words, a site crash means Chrome just loses a tab not the whole browser. However, Miller notes that if there's enough money on the table Chrome could be exploited.
Will these security factors matter more than add-on support, neat usability features and raw speed? Not just yet, but ultimately security will matter more---at least to the enterprise. In the not-to-distant future the Web browser will increasingly be running applications. That's what Google's Chrome launch was all about: The search giant wanted a stable platform for its Web apps.
And if you're going to be running applications and sharing important data via a browser security is going to matter---a lot.