WASHINGTON, D.C.—Your favorite Web browser is inching toward a more secure future, according to new research revealed at the cybersecurity conference ShmooCon here on Sunday.
Browsers that security researchers at the Cyber Independent Testing Lab tested on Windows, Mac, and Linux computers have added more security features over the past year, says Sarah Zatko, a former NSA mathematician who heads up the lab she co-founded with her husband, famed hacker Peiter “Mudge” Zatko.
“Open-source browsers improved the most. Firefox got a bit more organized, but [it] had the most to improve,” she says, pointing to bad security practices like failing to lock down temporary measures to allow older machines to run the browser.
Closed-source browsers performed about the same as before, she says, including Google’s Chrome, as well as Microsoft’s Edge and Internet Explorer. Apple’s Safari suffered setbacks during testing, based mostly on code introduced in the troubled OS X High Sierra, the report says.
In a statement to The Parallax, Google said it “appreciates” the CITL research. Chrome includes some optional security features, such as site isolation, that the CITL doesn’t test because they require extra effort from consumers to enable.
“The security research community’s findings help us strengthen Chrome’s security, and protect our users and their data,” a Google representative said. Mudge Zatko, it should be noted, is a former Google employee.
A Mozilla representative said the company considers a “variety of sources,” including directly reported bugs and third-party organizations such as the CITL. Similarly, a Microsoft representative said the company “listens to feedback” when improving Edge and IE security.
Apple did not return a request for comment.
The CITL, which thinks of itself as Consumer Reports for software (and has actually partnered with Consumer Reports to broaden its reach), is one of a few independent initiatives that analyze code and publicly report on their findings. Its report acknowledges that browsers are challenging to secure because of their inherent complexity. Major browsers contain millions of lines of code to which hundreds of developers contribute.
The road to making browsers safer, naturally, is not smooth. When the CITL initially confronted Mozilla about its poor security practices, the browser maker denied any wrongdoing, Mudge says. The maker of Firefox changed its tune and addressed the issues only after seeing the evidence, he says. A Mozilla representative said the changes were planned in advance.
“What matters is whether the person who’s reviewing the code is good at security,” Mudge says, comparing the implementation of security features in software code to those in cars. “Yes, you have seat belts, but are they good seat belts?”
If browser makers and other software vendors begin to respond to the research from CITL, hackers are likely to look at easier hacking routes, says Jeremiah Grossman, chief of security strategy at cybersecurity software company SentinelOne.
“If something’s working in securing the browser, the bad guys will go after other weak points: Java or Flash plug-ins, or browser extensions in the add-on stores,” he says. And, he notes, that’s been hackers’ modus operandi for some time. “So whatever the vendors are doing, overall, it’s actually working.”
However, the Zatkos say CITL is not looking to partner with the companies developing the software they test because they don’t want to “get gamed.”
“We are being very clear about what the tools are measuring. It should be fairly easy to test this yourself,” Sarah Zatko says. “I don’t want them to think we’re working for them. We’re working for the consumer.”
Update on Jan. 24, 2018 at 12:05 p.m. PST with comment from Microsoft.