Microsoft Launches Browser Security Website
Microsoft have launched a new website aimed at helping people identify how secure their web browser really is. www.YourBrowserMatters.org will tell visitors in a simple score from 0 to 4 just how secure they are when they go online.
In a blog post today, the company said that 24.4% of all web browsers are outdated and insecure. Of this 15.2% includes Internet Explorer 6 and 7 (it's odd that Microsoft are suddenly now calling IE7 insecure) and 7.5% are older versions of Mozilla Firefox.
In their breakdown by country the USA appears to be the worst offender with just under 22 million computers using insecure browsers. Brazil is second with just over 7 million, France is third with 5 million, the UK has 4.2 million and China has just under 4 million. I'm not completely sure where this fits with Microsoft's IE6 Countdown site which states that more than 25% of all browser usage in China is still IE6.
Microsoft's stats say that this 24.4% equates to around 340 million PCs worldwide. In a statement they said...
With that in mind, we’ve partnered with the Anti-Phishing League, Identity Theft Council, and Online Trust Alliance to raise awareness of the critical role browsers play in online security and make it as easy as possible for people to protect themselves.
The new website itself does more than just give your browser a health rating. There is useful information there on what malware is, with a useful video for the uninitiated. There is also information on what modern browsers do to keep people safe when they're online and also help and advice on how you can stay safer when you're online.
Oddly, what the browser doesn't do is bring the latest version of Internet Explorer front and centre, instead relegating it to a small download button hidden away on the website's last page. This is probably a very good idea given the organisations that Microsoft has formed alliances with for this project.
It is very true that you should always make sure you have the latest and most up to date version of whatever browser you are using, be that Internet Explorer, Chrome, Firefox, Safari or Opera and that you have installed all the latest security and other patches.
It is always good to see when companies try and give the public additional advice too. People can become too reliant on the web browser protecting them from 'everything' and they can then feel they can click around random links with impunity. In fact this is the best way to get your computer infected with malware, or have your identity stolen, and it is the responsibility of every Internet user to remain cautious and vigilant when online.
The Online Trust Alliance say of the project...
“The mission of the Online Trust Alliance is to enhance online trust and confidence. When it comes to online security and privacy, the browser plays an important part in helping to make the internet safer for all users. Since our inception, OTA has been a proponent of improving browser security and getting people to move to more secure platforms...  More must be done to help educate users on the need to move to more modern browsers and we applaud Microsoft’s leadership and collaboration in this important initiative.â€
Martin's take
Your Browser Matters is a new site by Microsoft and partners that aims to make Internet users aware of security in general, and the web browser they use in particular. Some users may decide to ignore the site completely considering that it is maintained by Microsoft, others might want to check it out to see what it is all about and if the points that it tries to make are valid.
When you open the homepage of the informational site in a supported web browser you get a score for that browser right away. The site unfortunately does not support beta versions of web browsers which means that I was only able to get a score for Internet Explorer 9. Neither Firefox Aurora, Google Chrome Dev nor the latest stable Opera version were compatible with the site.
Microsoft's Internet Explorer 9 scores 4 out of 4 points, which obviously is the highest possible score. Ed Bott ran Chrome Stable and Firefox Stable through the test and noticed that the browsers scored 2.5 (Chrome) and 2 (Firefox) respectively.
It all boils down to the test criteria. When you look at all of them in the screenshot below you will notice that Microsoft analyses how the browser handles the following four attack forms: Dangerous downloads, Phishing websites, Attacks on your browser and Attacks on websites.
You will also notice that no browser scores perfectly in all tests. Microsoft's Internet Explorer 9 for instance fails in three of the sixteen tests, Chrome in seven and Firefox even in nine tests.
When you look at the core differences you notice that Microsoft's Internet Explorer is the only browser in the test that passes all dangerous download tests which the company attributes to its SmartScreen technology. Both Firefox and Chrome fail in the tests.
All browsers pass the phishing websites tests. The attacks on your browser group of tests is divided into securing extensions and effective sandbox. Internet Explorer is the only browser according to Microsoft with the ability to restrict extensions and plugins on a per-site basis. The browser also passes the "benefits from Windows operating system features that protect against structured exception handling overwrite attacks" test where the two others fail.
Chrome on the other hand is the only browser in the list that passes the sandbox test.
Internet Explorer passes four of five tests of the attacks on websites test. It is the only browser that can automatically block insecure content from https pages and to sanitize HTML to remove potentially problematic code.
The question at this point is obviously if the tests are biased towards Internet Explorer by leaving out tests that might not be as favorable.
I can list a few missing tests without really thinking much about it, for instance:
- Is the browser protecting the user from third party extension or plugin installations?
- Does the browser warn the user of outdated plugins?
- Can users disable security related features, like JavaScript on a per site basis.
- Does the browser support different user profiles?
What I like about the site in general is that it offers information that educate users. The prevention tab for instance lists basic but important security information on one page.
Security is obviously only one feature when users pick a favorite browser that they use most of the time. There are other features like speed, extensions support or general compatibility with web standards that can make a difference.
What's your take on Your Browser Matters? Is Microsoft making a valid point here or is this just marketing mumbo-jumbo?
Before you answer note that that Internet Explorer 6 scores 0 of 4 points and Internet Explorer 7 1 out of 4.
Update: The website is being redirected to the The Beauty of the web website which does not display the information anymore that is mentioned above.
Advertisement
This is an excellent review. You should take a look at Browserscope. It offers something similar: http://www.browserscope.org
Microsoft’s FUD machine strikes again. :)
/m
Apparently, the site merely does browser-sniffing. Change the useragent string and get a different rating. I don’t like it and don’t think it adds any credence to Microsoft.
If Microsoft is genuinely concerned about the safety of the internet as a whole, in addition to shutting down botnets, it should disable the millions (?) of illegal Windows installations.
I’m afraid the phrase ‘pinch of salt’ comes to mind…
This kind of site has to be forbidden and the money that this kind of sites cost has to be put in a site, where not one of the browser’s has something to say about.
I mean, how are they trying to fool?
This is just sad.
I think MS genuinely believe IE9 is seriously safe (pity you can’t get it on XP) so I can’t blame them for trying to push it, especially when some people still trot out the usual “IE is unsafe, Firefox keeps you safe” crap. However, I don’t think this takes into account add-ons for Firefox and I’ll keep using it. The main web page doesn’t display properly for me in Firefox 7, the text on the right in the orange section is overwritten.
Good to have the second Part of the article (Martin’s take); it shades more light on the topic…
The test is definitely biased, for it is specially crafted for IE9. If Mozilla should also come up with their own testing portal, my bet is that they will beat up the competition too.
I see that MS gives themselves (IE 9) a 0.5 boost for warning about malware sites, but denies that 1/2 point to Google Chrome, even though Chrome does do that (and less dangerously than IE does).
Furthermore, using the MVPS.org hosts file largely eliminates that particular hazard, so basically MS is tooting their own horn unjustifiably, as usual. Still, if one ignores that particular bit of marketing fluff, it’s a good check for browser security. Unfortunately, people who don’t know any better are more likely to continue using IE 6 or 7 (I’ve even seen a few installations of IE5 recently) and won’t go check the site anyhow.
Checked :
Firefox v7.01 + ====>> Score 2 out of 4
Adblock Plus 1.3.10
Avast! WebRep 6.0.1289
Noscript 2.1.5rc2
Perspectives 4.2
Taco Abine 4.40
WOT 20110704
Internet Explorer v9.0.8112.16421, Default Conf ======> Score 4 out of 4
Opera v11.51 build 1087, Default Conf ====> We can’t give you a score for your browser.
Hummmmm… some more comparison data will definitely help i believe
Firefox is known for its add-on system. NoScript and WOT should at least count for something!
It also appears that the test is Windows-centric: see the “Effective Sandbox” section. Things may look very different on a Unix-based platform.
Also, the descriptions of the tests in that section are meaningless to the average user, and a better way of presenting the data is to give a rating in “Can attackers read data they shouldn’t?” and “Can attackers modify data they shouldn’t?”. This would also call more attention to the relative weight of the sandbox and extension security components of the test.