The best 5 secure browsers

It’s still a case of Mozilla Firefox v Internet Explorer v Google Chrome in most debates about browser security, which ends with a back and forth on which sees the most critical vulnerabilities, which has the best sandboxing architecture (or any sandboxing architecture), and which offers the best plug-in complements.

If that threesome sounds a bit limited there is also a fourth option, the Norwegian-made Opera, and perhaps Apple’s Safari for Windows deserves to be taken seriously too. But are these browsers generally now so exposed that it is now longer safe to use any of them?

One route is to abandon popular browsers altogether for a specialist ‘secure’ browser built to be secure above all other considerations. There are now a number of these around, most of which are free.

A second and more radical possibility, discussed later on, is to abandon any browser that runs on Windows, period. The assumption behind this approach is simple: if it is not running on Microsoft then it matters not which vulnerabilities it has because it is simply vastly less likely to be targeted.

For the record, we recently looked at a third possibility, that of adding security plug-ins to one of the popular browsers. That is a valid approach but for this article we assume that what the user wants is something harder – a fully secure browser.

There are different ideas as to what exactly makes a browser ‘secure’. Some deploy a range of hardening techniques while others involve starting a protected ‘virtual’ machine within Windows. A final but more extreme approach is to boot into the browser from scratch using a different operating system.

Currently, all three will work effectively because criminals trying to break browser security assume a vanilla setup used by the overwhelming majority of their targets. As time goes on and more users start using protected browsers, some of these assumptions will have to be revisted.

Comodo Dragon

A free 21Mb download for XP, Vista or Windows 7, Comodo Dragon is based on Chromium Project code used by Google for its own browser. It’s probably best to see it as an entry-level product because most of what it offers is not much above the evolving Chrome anyway.

Security feature include domain validation, some tweaks on privacy settings above those on offer in Chrome, and a cookie-blocking ‘incognito’ mode that is pretty much what you get with any browser nowadays. Worth looking at but probably marginal in terms of added security for anyone seriously worried about keylogging and data capture.

Download it here.

Dell Kace Secure Browser

A step up from Dragon is Dell Kace’s freeware Secure Browser, basically an entirely new version of Firefox designed to be run in parallel with the original one.  The advantage of running a new instance of the browser is that it firewalls everything happening inside that browser (including for possible insecure plug-ins) within its own virtualised sandbox, isolating what happens from the rest of the system.

Allows white as well as black lists of websites to be specified and feature process control which stops rogue applets from installing themselves without the user being aware. Secure Browser can also be used with Kace’s Management Appliance in a business environment if that doesn’t sound like management overkill.

Download it here.

IronKey S200 USB drive

Up another rung, IronKey’s S200 is more accurately an encrypted storage drive that also comes with a sandboxed version of Firefox on a USB key. Not everyone will want the whole package but it’s a valid way of securing an online banking session.

The IronKey works in a similar fashion to the Dell Kace, ‘virtualising’ the browser inside its own sandbox to control what programs on the inside and outside of this process can access. When used with named banks as part of a security system, man-in-the-middle attacks are stymied by running all sessions through an encrypted channel via an IronKey server. It also has a virtual keyboard app.

Check Point Abra

Is there a stage beyond even the IronKey? Check Point thinks so with its Abra USB key, which is really a sort of portable computing environment for business users developed in conjunction with SanDisk. It’s not cheap at £115 for a 4GB USB drive, and it’s not really for everyone, but road warriors should consider it as a way of carrying around an entire virtual PC with VPN that can be hosted on any PC without any traces being left behind.

Abra’s approach is to assume the host is suspect, firewalling a suite of apps inside a virtual environment, including a version of Internet Explorer. The environment launches straight from the stick after a passphrase has been entered, at which point all data moving between the two worlds (the encrypted stick and the host PC and its attached drives) involves a manual import or export. All data at rest is encrypted using 256-bit AES and no data is written to the host.

The software is a bit slow to start up but once running it is possible to move between the insecure host OS and the virtualised Abra session quite seamlessly.  

This will work as a standalone product but is ideally designed to be centrally-managed with set security policies, for instance restricting which sites can be visited.

Going Linux – Ubuntu, Koppix and others

As was suggested at the end of a previous feature on securing online banking, it might be easier for users to abandon Windows altogether and move to another operating system for certain kinds of use - or possibly all uses.

This is a pragmatic suggestion not a political one. Desktop Linux is a small community that even an influx of Windows users paranoid about online security would be unlikely to swell to a size that would make it worth the while of criminals to pursue. The Apple Mac has enjoyed penetration rates of 5 percent and is rarely bothered so there is some evidence to support this contention.

There are a number of ways to go about trying out Linux, starting with Ubuntu Linux 10.10, which (to sidestep some of the politics around sponsor Canonical), is one well-received option. This uses the GNOME while variants such as Kubuntu use the KDE SC. Take your pick.

As with most other Linux distributions, Ubuntu can be booted from LiveCD or USB stick, although the USB looks like being the more practical and speedier for the security use discussed here. The only requirements are that the PC or laptop allows booting from USB drives in the BIOS settings (older ones usually don’t), that persistence is set up to allow the drive to reboot each time with settings changes intact, and a drive of at least 1-2GB is used formatted using FAT32.

There are few other limitations which it is best to read up on. Tools are also available to allow Ubuntu run inside Windows. There’s also the Debian GNU-based Koppix, which runs entirely from a LiveCD.

A useful basic guide to installing Ubuntu can be found here, or at the project home page.

Moving to Linux, however temporarily, is not a perfectly secure option as the recent discovery of a cross-platform malware attack based on Java reminds us. But at a stroke it will cut out a huge portion of the most serious threats around today.

A more detailed guide to using Linux in the ways mentioned above can be found here.