UK's security branch says Ubuntu most secure end-user OS

CESG, the UK government's arm that assesses operating systems and software security, has published its findings for ‘End User Device’ operating systems. The most secure of the lot? Ubuntu 12.04.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I've been preaching the gospel of Linux security for decades now, but it's always nice to see proof-positive from an independent organization that Linux is indeed the most secure operating system around.

The Communications-Electronics Security Group (CESG), the group within the UK Government Communications Headquarters (GCHQ) that assesses operating systems and software for security issues, has found that while no end-user operating system is as secure as they'd like it to be, Ubuntu 12.04 is the best of the lot.


In late 2013, the CESG looked at the security of the most popular end-user operating systems for desktops, smartphones, and tablets. These included Android 4.2; Android 4.2 on Samsung devices; iOS 6; Blackberry 10.1; Google's Chrome OS 26; Ubuntu 12.04; Windows 7 and 8; Windows 8 RT; and Windows Phone 8. These were judged for their security suitability for OFFICIAL-level use according to the UK Government Security Classifications. This is the UK government's lowest security level.

According to Canonical, Ubuntu's parent company, "No currently available operating system can meet all of these requirements. Ubuntu however, scores the highest in a direct comparison." Ubuntu 12.04 is Ubuntu's latest Long Term Support (LTS) version, and it's recommended for use by businesses.

The CESG examined each operating system's security on the following grounds:

● Virtual Private Network (VPN)
● Disk Encryption
● Authentication
● Secure Boot
● Platform Integrity and Application Sandboxing
● Application Whitelisting
● Malicious Code Detection and Prevention
● Security Policy Enforcement
● External Interface Protection
● Device Update Policy
● Event Collection for Enterprise Analysis
● Incident Response

Ubuntu has three problem areas that kept it from a perfect score. Others had more. Windows Phone 8 has the most "Significant Risk" items with two and Blackberry 10.1 Corporate has the most "Some Risk" areas with six. Where Ubuntu could stand improvement is in VPN, Disk Encryption and Secure Boot.

For VPNs, the CESG found that Ubuntu's "built-in VPN has not been independently assured to Foundation Grade." That means that, technically, Ubuntu's VPN is good enough, but it hasn't been shown to meet the security requirement by an independent third party. Canonical hopes to get its VPN approved by April's Ubuntu 14.04 release.

Ubuntu faces the same problem with its built-in disk encryption tools: Linux Unified Key Setup (LUKS) and dm-crypt. Canonical is seeking a company or organization to put its disk encryption software through the assessment process.

Like all Linux distributions, Ubuntu does support Microsoft's version of Unified Extensible Firmware Interface (UEFI) Secure Boot. They're just not happy about it.

Canonical's current position, from Ubuntu 12.10 onwards, is "to adopt Grub2 as the default bootloader, with support for Secure Boot, but with an ability to turn off secure boot to modify the OS, if required. We believe this gives users and enterprises the best compromise between security and ability to customize after sale."

Problems aside, the simple truth is that if security is what you want most from desktop, smartphone, or tablet operating systems, then Ubuntu is what you should be using.

True, security is always a moving target, but year in and year out, Linux-based operating systems are more secure than their competition. As Windows XP's support clock ticks to its end of supported life, Ubuntu should be considered for your most security-sensitive desktops. Its smartphone and tablet side, Ubuntu One, is still a work in progress. The most secure mobile operating system for now is Android on Samsung devices.
