Last July I wrote about a study by NSS Labs about which browser was most secure. Based on "socially engineered malware", NSS Labs concluded that Microsoft's IE was most secure. That certainly went against some of the traditional thinking in the security space. Recently the folks at Accuvant LABS have released a new study on browser security which indicates that Google's Chrome is most secure. The fact that Google sponsored and paid for this study has given rise to quite a bit of controversy.
I have been following this story on my own personal blog, Ashimmy, After All These Years, but since it involves the open source Mozilla Firefox and the open source based (there is a difference) Google Chrome, I wanted to make sure readers of my blog here were aware of the controversy.
Accuvant LABS is a respected division of Accuvant, a well-known national security VAR. It seems that Google hired them, or at least sponsored them, to do a study on browser security. The report is available here. The report concluded that Chrome was most secure, and it was widely reported.
My friend Bill Brenner, editor at CSOOnline, wrote a piece in his Salted Hash blog saying that while he didn't think Accuvant's conclusion was wrong per se, the fact that the study was sponsored by Google, the makers of Chrome, left him at the very least "uneasy" and he was "skeptical".
I responded to Bill's post with a post of my own saying that this is the problem with most product reviews, awards and analyst reports that we see today. Many are sponsored by vendors and providers mentioned in the research, many are flat-out for sale, and you don't know what effect personal relationships have on the outcome. When you peel the onion back a few layers, too many of them are just not objective enough and they seem to be slanted one way or another.
I suggested that one method I liked for putting the objectivity back into reviews was the one adopted by NSS Labs. Rick Moy and his team do not charge vendors for their research. They charge end-user customers, so the vendors and product and service providers don't have much influence.
Ultimately, though, the readers of these reviews and such have to make their own choices regarding how much weight they put in them. They should look at all of the available facts and, like a juror deciding how much weight to give evidence or a witness's testimony, decide how much to rely on them.
Well, Rick Moy, the CEO of NSS Labs, wrote me last night with some more news on the Accuvant study. NSS Labs CTO Vik Phatak had a blog up today titled "Did Google Put a Hit Out on Firefox?". Vik pointed to a PDF that NSS published called "The Browser Wars Just Got Ugly".
The paper by NSS Labs details some suspicions about how the testing was conducted and also about some potential actions that Google may have taken which could explain the results that Accuvant arrived at. To say the least, the NSS paper casts some serious doubt on Accuvant's findings and Google's actions here.
Now keep in mind, I am not accusing anyone of anything here. I know the Accuvant team and they are a quality bunch. I know the NSS folks as well, and they call them as they see them. I don't know who, if anyone, is wrong or who is right. But this is the problem when you have vendors sponsor their own "independent" findings.
So you can take a read of both and decide for yourself which browser you think is more secure. As important, how much value do you place on these types of reports anymore? What about awards, product reviews by magazines? Analyst reports? Magic Quadrants? I am interested to hear!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.