Web Browser Security Comparison: Popular is Not Necessarily Secure
wow.intsights.com/rs/071-ZWD-900/images/Web Browser... · 2019. 5. 14.

Threat Intelligence Realized.


Introduction

Browsing the Internet has become a minefield, where nearly any web page has the potential to infect a visitor’s endpoint (i.e., the user) and the endpoint’s entire internal network (i.e., the organization). If users are not careful, they can trigger malware downloads or get fooled by a phishing website.

As a result, it is the CISO’s responsibility to define proper security policies and design a secure architecture to support the organization’s goals and needs, including which web browser the organization should standardize on. There’s a lot to consider when selecting a web browser, such as vulnerabilities, privacy, and other security capabilities, like spam filters, phishing detection engines, and URL security inspection. So how do you ensure you select the right browser that meets the functionality and protection standards that your users require?

This research report focuses on how today’s most popular web browsers perform against various security tests and triggering capabilities so that you can select the appropriate solution for your organization.


Our Research Methodology

This research focuses on triggering a browser’s security features and compares their overall effectiveness. For our research, we have examined the top five browsers in the industry:

We considered four parameters that characterize a browser’s security:

1. The number of vulnerabilities found in a browser over one year

2. The success rate for detecting malicious sites and malicious URLs

3. Verification of certificates

4. The browser’s privacy settings

Our research included several phases of tests, each giving us a collection of statistics that helped us identify the safest browser in use today.

To test against malicious URLs, we tested the browsers against a database separated into three types of data containing 100 entities each:

1. Phishing Sites

2. URLs Containing Malicious Payloads

3. Sites with Invalid Certificates

All of these entities were extracted by our own algorithm or gathered from known public sources. On the day of the test, all of the data was examined for the relevant required content; for example, the malicious URLs were confirmed to contain payloads. The phishing sites were sites discovered on the same day that the tests were conducted.

We also evaluated the number of vulnerabilities for each browser by looking at statistics from the Common Vulnerabilities and Exposures (CVE). In addition, we compared the browsers’ settings and privacy policies.

All of the browsers were tested using their most recent version on Windows 10. As part of our testing, we accounted for the fact that Apple has not supported Safari for Windows since 2012.

[Browser logos: Edge - Microsoft Security Suite, Chrome, Opera, Safari, Firefox]


Browsers Popularity

The Internet became public in 1991, with the first browser released in 1990. Over the years, different solutions have come and gone, and popularity has shifted among the various options, especially as new devices and technologies have come to market. When the first browsers were released, they were not security oriented, especially the ones created in those early years like Internet Explorer. Until 2008, Internet Explorer dominated the web browser market, even though competition became fierce when Firefox was released in 2004. In 2008, Google released its own web browser, “Chrome,” which was a real game-changer. In a very short time, Chrome was able to dominate and become the most popular web browser.

Browser popularity is primarily determined by user experience and features. Firefox, for example, is more suitable for technically oriented users because it is an open source browser, and for users who consider their privacy to be very important when browsing the Internet.

Google Chrome managed to gain its popularity because of its speed, user experience, and available add-ons (and also in part due to a large promotional campaign).

The graph below presents the 2017 popularity ranking of web browsers. We have averaged the data from the following statistical sources that rate web browsers:

1. StatCounter Global Stats

2. NetMarketShare

Figure 1: Browsers Market Share 2017

Chrome 55.3%

Safari 15.2%

Other 9.5%

IE 7.0%

Opera 5.7%

Firefox 5.3%

Edge 2.0%


Browsers Security Features

As we mentioned before, vendors offer built-in security features within their browsers, which were developed to protect users from different threats when browsing the web. Looking at the four most popular browsers: Chrome, Safari, Edge and Firefox (IE is no longer supported by Microsoft), we found that all four of them offer the same basic packages of security features. These packages include the following features:

“Sandboxing” Mode: Runs suspicious code in a separate, isolated environment to test for malware or malicious code before installing on your computer.

Malware and Phishing URL Detection: The browser uses feeds of known URLs, IP addresses, and domain names that are considered malicious.

Automatic Updates: All browsers use automated updates to remain on top of the latest threats.

Location Warnings: The browsers warn users when a website is grabbing information concerning their whereabouts.

SSL Certificate Verification: All browsers verify that each website a user tries to access has a valid SSL certificate.

Although most browsers offer similar security features, their protection capabilities can differ, depending on the way the individual user chooses to act and use these features. For example, the number of days between installations of security updates differs from browser to browser. Browsers that install security updates more frequently tend to be more secure.

The Edge web browser provides an extended set of features beyond the basic package. Examples include Windows Hello, which uses asymmetric cryptography that authenticates both the user and the server, and the change of the DOM representation in memory, which helps the browser protect against vulnerabilities, extending protection beyond security updates.

Figure 2: Browser Update Release Frequency (updates every 15, 28, 30 and 54 days)


Browsers Detection Mechanism

To help identify the safest web browser, our research focused on the question of how much impact these browsers have on organizational security. In order to conduct an accurate comparison between the browsers, we need to test the detection mechanism for each URL request. To evaluate this, we conducted our own tests and also leveraged public information published in the browsers’ forums.

Each browser executes several phases before it determines whether a website is trustworthy and allows it to present its content. The first phase checks every URL against the local database (based on phishing website feeds and the browser’s own index) and through an online server query. If the browser determines that a URL is valid, it will set up the connection with the server, either by HTTP or by HTTPS. If the browser determines that a URL is invalid, it will present a warning message to the user.

The second phase is verifying if the connection is secure, which is done during the SSL handshake, where the browser verifies the website’s certificates and presents the user a warning message if it is found invalid. If both of these phases are valid, the browser will use its sandbox feature to complete the last phase and examine any payload the site is trying to install.

From our research, there are two different mechanisms that each browser uses in order to detect malicious URLs and phishing sites:

1. Installing a local database containing a list of sites from these two categories. This list can be accumulated by either external feeds and sources or by the browser’s own detection mechanism. Every request by the user is hashed and checked against the databases and classified as either safe or malicious. For malicious classifications, if only part of the URL is verified as malicious (for example its domain name), the browser will query it against an online service. The URL is classified as malicious only if there is a complete match.

2. Sending a query for each user request against an online server, and also using a database of hash signatures in order to compare each website hash.
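The local-database lookup described in mechanism 1, sketched as an added example (not code from the report or from any browser). The SHA-256 hash, the URL normalization, the class and function names, and the sample URLs on the reserved `.test` domain are all assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit


def canonicalize(url):
    """Return (host, host+path+query). Drops scheme, port and fragment and
    lower-cases the host. These normalization rules are an assumption."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    full = host + (parts.path or "/")
    if parts.query:
        full += "?" + parts.query
    return host, full


def url_hash(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class OnlineService:
    """Stand-in for the vendor's online lookup; holds the complete feed."""

    def __init__(self, feed_urls):
        self._full = {url_hash(canonicalize(u)[1]) for u in feed_urls}
        self.queries = 0  # how many requests left the endpoint

    def is_listed(self, full_hash):
        self.queries += 1
        return full_hash in self._full


class LocalDatabase:
    """Local snapshot: complete-URL hashes for synced entries, plus host
    hashes that only mark a domain as worth a closer look."""

    def __init__(self, synced_urls, flagged_hosts):
        self.full_hashes = {url_hash(canonicalize(u)[1]) for u in synced_urls}
        self.host_hashes = {url_hash(canonicalize(u)[0]) for u in synced_urls}
        self.host_hashes |= {url_hash(h.lower()) for h in flagged_hosts}


def classify(url, local, online):
    """Return (verdict, reason) following the two-step lookup."""
    host, full = canonicalize(url)
    full_hash = url_hash(full)
    if full_hash in local.full_hashes:
        return ("malicious", "local complete match")
    if url_hash(host) in local.host_hashes:
        # Partial (domain-only) hit: ask the online service, and classify as
        # malicious only if the complete URL matches there.
        if online.is_listed(full_hash):
            return ("malicious", "online complete match")
        return ("safe", "partial match not confirmed")
    return ("safe", "no match")


def run_samples():
    """Classify four constructed URLs; return the verdicts and query count."""
    feed = [
        "http://phish.example.test/login",
        "http://shared-host.example.test/~mallory/update.exe",
    ]
    # The local snapshot has synced only the first feed entry in full.
    local = LocalDatabase([feed[0]], ["shared-host.example.test"])
    online = OnlineService(feed)
    samples = [
        "HTTP://Phish.Example.TEST:80/login#top",
        "http://shared-host.example.test/~mallory/update.exe",
        "http://shared-host.example.test/~alice/index.html",
        "https://intranet.example.test/",
    ]
    return [classify(u, local, online) for u in samples], online.queries


if __name__ == "__main__":
    verdicts, queries = run_samples()
    for verdict in verdicts:
        print(verdict)
    print("online queries:", queries)
```

Only the two URLs on the flagged host generate an online query, and the benign page sharing that host is not blocked, which is the effect of requiring a complete match.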

Research Disclaimer: We tested Safari on Windows 10, but this only allowed us to test it using an old version from 2012, which may not contain all of the updated security features in today’s version for Apple users. However, in our phishing test, Safari was able to detect most of the phishing sites within less than 24 hours. Therefore, we believe that even the old version is connected to the most updated feed. In addition, when we tested the malicious URLs, we saw that the browsers that detected these sites detected them in the last phase, the sandbox phase. Since the sandbox feature is hardcoded into the browser and not fed externally, using an updated version is critical for accurate results. For this reason, we have excluded the Safari browser test results for malicious URLs.


Results from Phishing Sites Testing

The samples of phishing sites that we used for testing were either detected by public sources we used (such as “PhishTank”) or by our own analysis and algorithm that detects phishing websites. From the 100 sites we tested, only 49 were detected by all five browsers, and two were not detected by any browser at all. These inconsistencies in performance show that the browsers are updated from different sources. Additionally, none of the browsers were able to detect all 100 phishing sites, meaning the quality of their sources may not be as strong as it needs to be.

All of the browsers detected about 80% of the phishing sites we tested, which is a very close result considering they are updated from different sources (see Figure 3). We know that both Firefox and Chrome use Google’s Safe Browsing API to check the URLs that their users access, so their results were identical. However, the other browsers verify URLs within their own databases, which are obviously updated from different sources, since they detected different sites. Even though each browser detected different sites, their overall detection rate was very similar, making it difficult to give a definitive answer as to which browser has the better update resource.

Figure 3: Phishing Website Detection Rate per Browser (percentage of detection, success): Chrome 82, Firefox 82, Safari 78, Edge 78, Opera 78

Figure 4: Microsoft Edge Phishing Website Warning Notifications


Results of Malicious URL Testing

As mentioned before, detecting a malicious URL can be accomplished in any one of three phases. Our results showed that most of the browsers detected the malicious sites only in the sandbox phase. The two standouts in this test were Chrome and Edge. Google Chrome was able to detect 86% of malicious payloads, with 50% of the samples detected in the first phase (by the URL hash) and the other 50% detected in the last phase (in the sandbox). The Edge browser has a sandbox that runs through an app container. The sandbox is one of the functions in the feature called SmartScreen, which is implemented in Windows Defender. This feature is also the one that checks sites against a dynamic list of reported phishing sites and malicious URLs. In this test, Edge performed the best, since Windows Defender detected 96% of the malicious sites. Firefox and Opera didn’t detect any of the malicious URLs, which is very concerning.

Research Disclaimer: All browsers were installed in their most recent version on Windows 10. We are aware that Apple has not supported Safari for Windows since 2012, which only allowed us to test Safari against an old version from 2012. This version from 2012 may not contain all the updated security features developed today. However, from our results we saw that in the phishing test, Safari was able to detect most of the phishing sites within 24 hours. This led us to conclude that even the old version is connected to the most updated feed. In addition, when we tested the malicious URLs, we saw that the browsers that detected these sites detected them in the last phase (the sandbox phase). Due to the sandbox feature being hardcoded into the browser and not an external feed, using an updated version of the browser is critical for accurate results. For this reason, we have excluded the Safari browser from the tests on malicious URLs.

Figure 5: Malicious URLs Detection Results (percentage of detection, success): Chrome 86, Edge 96, Opera 0, Firefox 0


Results of SSL Certificates Testing

A valid certificate is one of the parameters that browsers check when determining if a connection is secure. For this reason, each browser has a list of root CAs (Certificate Authorities) that it uses to verify the security of the connection. Some browsers have a CA root list in addition to the one supplied by the operating system, which increases their resource pool.

However, a certificate has many parameters that the browser must check before it can verify a safe connection. For example, it must check whether or not the certificate has expired, if the website is encrypted with 256 bits and SHA-2, and if the certificate is issued by a trusted CA. All of these are checked by the browser during the initial connection.

Using our system, we extracted 100 sites that were detected as phishing sites by our algorithm. Our results showed that 13 of the 100 phishing websites had a common denominator: a certificate issued by Let’s Encrypt. Let’s Encrypt is a Certificate Authority (CA) recognized by all browsers; it is a community that issues certificates for free without proper user verification. This allows hackers to acquire a valid SSL certificate for their phishing sites and present them to the user as secure.

We know that the browser first checks if the site is in its malicious URLs database, and then sends a request to the server. However, if the phishing site is not in the browser’s database and it has a certificate issued by Let’s Encrypt, the browser will not warn the user. On a more encouraging note, according to our test, the browsers blocked 87% of the invalid certificates, and they all blocked the same sites. This means that they all verify the certificates with the same root CAs.

Let’s Encrypt is a relatively new organization launched in April 2016 that issues SSL certificates for free. This has enabled hackers to more easily obtain SSL certificates, making it significantly tougher for web browsers to identify malicious sites. Although people have been taught to look for the Lock icon in their browser before they enter sensitive credentials, many of them will be easily fooled by this certificate being used for malicious activity, even if they give a quick look at the domain name. Even though Let’s Encrypt is a valid certificate issuer, it can be used by hackers to set up malicious sites. Because it’s recognized as a valid issuer, web browsers won’t suspect any site containing a Let’s Encrypt certificate. For this reason, we believe that every site with a Let’s Encrypt certificate should be examined further before presenting the website’s content.

Figure 6: Warning Notifications for Malicious URLs


Vulnerabilities

A browser vulnerability can be very dangerous because it can serve as a gateway to breach a network and perform unauthorized actions. Therefore, we chose to examine this parameter and checked a number of correlations. The first one was to understand whether the browser’s popularity in the market affected the number of vulnerabilities found in the same year. Another correlation was to examine the number of patches the browser published in relation to the number of vulnerabilities. We relied on vulnerabilities from the CVE list and derived browser popularity from StatCounter Global Stats. In addition, we looked at the update rate published by each browser’s vendor.

In our results, we did not find an obvious correlation between the browsers’ vulnerabilities and their popularity. We selected the data on a browser’s popularity for the past two years. As the results show, the vulnerabilities found in Chrome from 2016 to 2017 have decreased in contrast to its popularity, which has increased. Furthermore, the Edge browser, which has increased in the number of vulnerabilities found from 2016 to 2017, has maintained a relatively low popularity over these years.

In addition, we also wanted to examine the update rate for each browser and compare it to the number of vulnerabilities it had in the same year. For 2017, we see that Chrome had the best update rate and had a lower number of vulnerabilities in comparison to the other browsers, which had a higher number of vulnerabilities and a lower update rate. The buffer between the discovery of a vulnerability and the time for a vendor to publish a security patch can be abused by hackers to breach a network. In the past few years, we have seen many victims that were attacked because they didn’t patch their organization’s systems with the latest update. However, it is also the vendor’s responsibility to release updates as soon as a vulnerability is found.

Figure 2 (Repeated): Browser Update Release Frequency (updates every 15, 28, 30 and 54 days)


Browser Popularity vs Vulnerabilities

2016

| Browser | Market Share | Vulnerabilities |
|---|---|---|
| Chrome | 48% | 172 |
| Edge | 2% | 135 |
| Firefox | 5% | 133 |
| Safari | 12% | 56 |
| Opera | 6% | 1 |

2017

| Browser | Market Share | Vulnerabilities |
|---|---|---|
| Chrome | 55.3% | 153 |
| Edge | 2% | 202 |
| Firefox | 5.3% | 1 |
| Safari | 15.2% | 179 |
| Opera | 5.7% | 0 |

2018 (Data through March 2018)

| Browser | Market Share | Vulnerabilities |
|---|---|---|
| Chrome | 57% | 22 |
| Edge | 2% | 48 |
| Firefox | 2% | 0 |
| Safari | 14% | 0 |
| Opera | 5% | 0 |


Privacy

Before concluding our evaluation for the safest browser, we must look at the privacy settings. Every browser has privacy settings, which allow the user to increase their control over the information gathered by the browser.

We wanted to map the amount of control that browsers give users, and determine which browser is optimal in helping you keep your privacy. Our research concentrated on the settings accessible by the average user and checked which browsers are the most flexible in giving the user control over disabling information collection.

In addition to looking at the browser’s settings, we also examined their privacy policies. The information collected can be separated into personal information and general information. The personal information is information regarding the identification of the user such as name and email address. The general information is information the browser can collect from the user’s browsing activity.

In the browser’s policy, we can see that the browser uses this information to improve and promote more suitable products for the user and send page content to the vendor to improve their detection of malicious or phishing sites. The information the browser collects is not always for in-house purposes, but also for strategic partners that work with the browser’s vendor.

When comparing the settings between the browsers, we can see that Safari gives the least control to the user. It has only two categories in its settings that the user can control: managing the use of cookies and limiting location services of websites.

Google’s settings, on the other hand, seem to give the user the most options to disable data collection. It separates the collected data into categories, so users can decide which service they want the information to be channeled to.

Safari Privacy Settings

Figure 7: Safari Privacy User Configuration


Chrome Privacy Settings

Figure 8: Chrome Privacy User Configuration


Conclusion

Based on our research, we determined that the Chrome browser was the safest browser to use today, since it scored highly across most of our evaluation parameters.

Even though Chrome had the best overall results, the other browsers weren’t very far behind. However, it is important to point out that none of them were able to pass our tests with 100% success. In the malicious payload test, some browsers failed dramatically. Even the browsers with the best results can’t be relied on since none were able to detect 100% of the malicious payloads. This is worrisome because it only takes one missed malicious payload to create a lot of damage.

Therefore, we can’t fully rely on browsers to alert us to suspicious sites. Most users know to use basic web browsing best practices in order to decrease their chances of encountering malicious sites. For example, look for the Lock icon when surfing a website to make sure it is secure. However, organizations like Let’s Encrypt make this difficult to trust, as we found many phishing sites that were able to fool users because they contained an SSL certificate issued by a valid CA. Additionally, many users trust the browsers to securely store their information but they aren’t aware that some of their information is shared with other external sources, such as third-party companies, and can be exposed at any time by supply chain attacks. This information dispersion increases your digital footprint, giving attackers additional information they may be able to use against you.

The Internet is critical to today’s world of business and communication. Employees need access to the web and typically use their preferred web browser to do so. However, they likely have limited knowledge of the dangers of today’s web and shortfalls of their preferred browser. Therefore, CISOs and security teams must be familiar with the strengths and weaknesses of various web browsers, and decide which browser(s) their employees should use.

Final Web Browser Comparison

| | Chrome | Safari | Edge / IE | Firefox | Opera |
|---|---|---|---|---|---|
| Market Share (2017) | 55.3% | 15.2% | 9.0% | 5.3% | 5.7% |
| Phishing Test (out of 100) | 82 | 78 | 78 | 82 | 78 |
| Malicious URL Test (out of 100) | 86 | N/A | 96 | 0 | 0 |
| SSL Certificate Test (out of 100) | 85 | 85 | 85 | 85 | 85 |
| Update Frequency (Days) | 15 | 54 | 30 | 28 | N/A |
| Privacy Setting Customization | High | Low | Medium | High | Medium |


About the Researcher: Orin Mor

Orin Mor is a Security Researcher at IntSights, focused on hunting for new threats and threat actors on the Dark Web, and working to identify new attack strategies and vectors. Prior to IntSights, she served for 5 years as a Security Researcher in an elite intelligence unit in the Israeli Defense Forces, specializing in cyber operations, data mining and threat research.

About IntSights

IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms and unique machine learning capabilities continuously monitor an enterprise’s external digital profile across the surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation lifecycle, streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone and Wipro Ventures. To learn more, visit www.IntSights.com.