Evaluating Browser Security Metrics for Better Protection

In assessing browser security, it's crucial to use meaningful metrics for a comprehensive evaluation. This analysis delves into various metrics and their significance in determining browser security. Explore which metrics are useful, their implications, and the impact on overall security measures. Dive deeper into identifying key factors that contribute to a secure browsing experience and the importance of staying informed about emerging threats and vulnerabilities.

• Browser Security
• Metrics
• Evaluation
• Web Browsers
• Cybersecurity

adyli Follow

Uploaded on Feb 28, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. Web 2.0 Security & Privacy 2010 Mustafa Acer, Collin Jackson mustafa.acer@sv.cmu.edu, collin.jackson@sv.cmu.edu May 20, 2010

2. Which browser is more secure? Use metrics to evaluate browser security. But, which metrics to use? Are they meaningful? Are they useful? 2

3. 100% 90% 80% Firefox, 44 % Firefox, 45 % Firefox, 59 % 70% Firefox 60% IE Safari 50% IE, 12 % Chrome IE, 25 % 40% Opera 30% Safari, 25 % Others IE, 30 % Safari, 14 % 20% Chrome, 11 % 10% Chrome, 14 % Safari, 6 % Opera, 7 % Others, 4 % Opera, 2 % 0% Cenzic IBM Symantec Cenzic, Web application security trends report, Q3-Q4, 2009 IBM Security Solutions, X-Force 2009 trend and risk report Symantec, Internet security threat report, 2010 3

4. 100% 90% 80% Firefox, 44 % Firefox, 45 % Firefox, 59 % 70% Firefox 60% IE Safari 50% IE, 12 % Chrome IE, 25 % 40% Opera 30% Safari, 25 % Others IE, 30 % Safari, 14 % 20% Chrome, 11 % 10% Chrome, 14 % Safari, 6 % Opera, 7 % Others, 4 % Opera, 2 % 0% Cenzic IBM Symantec It is meaningless and actively harmful. 4

5. Ignore Patch Deployment Quickly deployed patches are not bad Discourage Disclosure Vendors avoid releasing known bugs Ignore Plug-ins Flash Player is installed in 99% of browsers. Only 20%* have latest versions. * Trusteer, Flash security hole advisory, August 2009 5

6. The percentage of users who have at least one unpatched critical or high severity vulnerability on an average day Critical:Attackers can run arbitrary code on user s system High: Attackers can access data belonging to other sites (e.g. circumventing cross origin policy) 6

7. Collecting browser & plug-in version data from users via ad networks (6000 data points/day) Calculating risk score for browser & plug-in combinations Firefox, Safari, Opera, Chrome Flash Player, Silverlight, Google Gears Live statistics at browserstats.appspot.com 7

8. 70 60 50 Cenzic 40 IBM Symantec 30 Our Evaluation 20 10 0 Firefox Safari Chrome Opera Vulnerability levels of browsers according to old metrics and our proposal. Notice how Safari, Chrome and Opera scores change. 8

9. Takes Account of Patch Deployment Fast updating browsers will receive better scores Encourages Disclosure Combining bugs into a single vulnerability doesn t improve score Includes Plug-ins Browsers that help their users update their plug-ins will receive better scores 9

10. 70 58 60 54 49 48 50 44 Risk Score (%) 38 40 Without Flash Player 30 30 With Flash Player 20 10 5 0 Chrome Firefox Opera Safari Average risk score of browsers with and without Adobe Flash Player over a forty day span 10

11. 70 58 60 54 49 48 50 44 Risk Score (%) 38 40 Without Flash Player 30 30 With Flash Player 20 10 5 0 Chrome Firefox Opera Safari Chrome risk score jumps from 5% to 30%. (30% of Chrome versions on the web are vulnerable) 11

12. Current browser security metrics are harmful. They discourage disclosure, discourage frequent updating, ignore plug-ins. We propose a new metric:Risk Score. It encourages disclosure, frequent updating and browser & plug-in vendors to work together. Vendors need to choose between the following: Do not disclose vulnerabilities and hope for them not to be discovered. Disclose them, patch them and encourage users to update frequently. 12

13. Thank you browserstats.appspot.com 13