It's not about the browser, stupid!
In his latest opinion piece, Davey Winder tackles the great web browser security debate.
COMMENT:When considering the security of your data how big a part does your choice of web browser client make?
Even typing that question sent something of a shiver down my spine, in a 'I hope nobody can see me asking that' kind of a way. Although some browser clients may be notionally 'more secure' than others, when talking about the mainstream choices none are actually safe nor unsafe, truth be told.
It's a bit like the guns don't kill people argument, although I've never heard of a web browser killing anyone (but Internet Explorer has driven me to suicidal thoughts in the past) the point is that people kill people and people use web browsers in an insecure manner.
A browser with hardly any market share is also going to have hardly any hacker interest in it but it won't save you from stupidity.
That's precisely why I was a little disappointed to discover there has been yet another study into web browser security published, the results of which appear to be at odds with another recent study into the same thing.
One report says that Google Chrome is the safest browser you can use, the other that Internet Explorer 9.0 is the most secure. I will ignore the small matter of Google being the sponsor of the study it ended up winning as, like I already said, it really doesn't matter to me anyway and nor should it to you.
It does, however, seem to matter to the director of security strategy at one large vendor who insisted on
explaining in great detail via email how web browsers are like cars. I will spare you the full argument, but the abridged version encompasses Maslow's Law of Hierarchical Needs whereby cars (and ultimately web browsers also) start their lifecycle competing on basic functionality alone, then move into additional features and efficiencies. The point being that just as when comparing the safety features of cars (is ASB 'safer' than air bags, for example) how do you determine if a browser with a sandbox is safer than one with an anti-XSS filter?
His conclusion being that the answer depends upon the crash test criteria and how the scores are weighted.
Why did he tell me all this? Because one browser security study primarily focussed on malware blocking while the other took the view that URL or application reputation were not that important. Hence the two different end results. Bananarama and the Fun Boy Three summed up online security pretty nicely when they sang it ain't what you do it's the way that you do it.
Visiting dodgy download and sharing sites, clicking links indiscriminately, believing everything anyone who emails you says will get you and quite possibly your enterprise in trouble no matter what browser you are using. Sure, a browser with hardly any market share is also going to have hardly any hacker interest in it but it won't save you from stupidity.
So invest in user education and decent endpoint security protection if you want to protect your data, and forget about how secure or insecure your browser is. It really doesn't make much difference anymore.
Unless you are still using Internet Explorer 6 that is, in which case I retract everything I have said up to this point and would like to replace it with a great big WHAT ARE YOU THINKING?
Yes, I know that there are still bespoke applications within the enterprise which use IE6 and which work perfectly well, but that doesn't make them perfectly safe unless they are totally sandboxed from the internet and the rest of your network. Even Microsoft is pleading with businesses big and small to follow the consumer lead and drop the buggy, unpatched, unsupported, full of holes pile of web browsing poop that is IE 6. I grant you Microsoft didn't use those exact words but I think that's what it meant...