Chrome, I hope we can still be friends (Chrome vs Firefox security issues)

Henry Dalziel | Concise Courses, General Hacking Posts, Hacker Hotshots, Product Reviews | September 15, 2013

Quick overview of this post: Chrome is a safer browser (skip to the bottom of the post for more on that) but due to nostalgia, we will always be faithful to Firefox. Sorry Chrome.

My Internet browser is an extension of me. We (and Concise Courses would like to speak on your behalf) spend way more time looking at our browsers than we do our wives, husbands, partners, friends, pet iguanas etc. Whilst researching this post we discovered that on average, in the USA, we each spend 27 hours a week online. Obviously this depends on our professions: clearly a beekeeper or a chicken farmer in North Dakota is likely to spend less time online than a hacker in a basement or an information security professional conducting a black box pentest. Anyway, chances are that even if you are staring at a terminal or a command line, you’ll also have a browser open, and personally speaking, my preferred browser is still Firefox. Always has been, always will be.

Why Firefox became so popular
The primary reason why Firefox did so well was its creation of ‘AddOns’, which have made our lives easier. Just as ‘there’s an app for that’ (a strapline that Apple marketing kept telling us), so there is an ‘AddOn’ for Firefox. Sure, other browsers allow AddOns, but Firefox pioneered it. (Side note: you might be interested in our “World’s Best 50 Firefox Pentesting AddOns” blog post.) A later development in the customization of the browser was ‘Firefox Personas’, which was released in 2010, allowing users to change Firefox’s appearance with a single click.

Internet Explorer has always been a web developer’s nightmare. Code (HTML/5, JavaScript etc) that works on every other browser often failed in IE, at least with versions below 10. IE 6 was a notorious (and let’s cut the crap: terrible) browser, and an old web developers’ wives’ tale best sums it up: “code using Firefox, test in IE”. So, in summary, one of the reasons people flocked to Firefox must have been the inherent inefficiencies of Internet Explorer.

When Firefox first hit the scene it was a cooler (and open-source) project that rebelled against a poorly-built browser that Windows users were ‘forced’ to use. No-one likes being told or forced what to use, especially when we have choices, and with Microsoft’s decision to bundle IE with their operating systems, the opportunity for other browsers to gain market share became apparent. The “Browser Wars” of the mid-1990s were essentially caused by Microsoft Windows, with 90% share of the desktop operating system market, insisting on Internet Explorer being included with every copy of Windows. Clearly this was an anti-competitive advantage and legal cases followed.

The main difference between Chrome and Firefox (as at September 2013): CPU Cores!
Chrome allows for multi-process architecture if you have a multi-core CPU. Chrome does manage efficiency better than Firefox since it places processes within their own cores. What that really means is that Chrome can do many things at once and the interface should never lag as pages, for example, load in the background.

Firefox, on the other hand, uses a single-process architecture, so for example, if you open six browser tabs, the main Firefox process has to load and render them individually as well as control the interface. As a result Firefox can crash more often and can lag a little bit more.

Firefox Doesn’t Use a Security Sandbox
Chrome and Internet Explorer have both implemented a feature called “low integrity mode” or “protected mode” to run browser processes with as few user permissions as possible. If a browser vulnerability, or XSS attack for example, was discovered and exploited in Chrome or IE, the exploiter would also have to use some sort of additional vulnerability or unpatched hole to escape the security sandbox and get root access to the operating system. This is clearly the most glaring security problem for Firefox.

Nostalgia kicks in
We can’t help it though. We still love Firefox and will continue to do so, possibly due to the nostalgia of the product. Our security measures are to use AddOns like “HTTPS Everywhere” developed by the EFF, and the NoScript Blocker which does a great job at eliminating XSS and CSRF attacks and other JavaScript nasties.

In summary
Which is your favorite browser and why? We only just scratched the surface but please chime in if you can see a major security difference between the browsers. Also, it’s worth mentioning here an excellent Hacker Hotshot web show we had last year titled: “Zombie Browsers Spiced With Rootkit Extensions” with Zoltan Balazs. Zoltan answered questions like: “Which is the safest browser on the market in your opinion, and is there one thing that we can do to protect our browsers from being hijacked?” which you can learn more about on that page.

  • Mr James

    Being far from a fan of Google, my advice is to stick with Chrome and here is why.

    I have well gone off Firefox after finding that the Android version without any plugins is listening in to DLNA broadcast messages from devices like XBoxes and Samsung Smart TVs and then making a UPnP request to the devices to receive XML data back from these devices.

    In my case this not only includes the make and model of the TV but also the serial number, and it’s not like my simple Android device can stream to the TV or play XBox games.

    I know Google pays Firefox $50m a year and they don’t do that without getting something in return, as you can see if you type About:config into the URL and search for Google, but I will not put up with Firefox hacking my local area network to then upload all the device data back to a central server.

    Shown below is both the request and reply I captured with some of the data replaced using XXX and I also had to tweak the HTML tags in the XML so it would post.

    GET /smp_24_ hxxp/1.1
    Host: X.X.X.40:7676
    User-Agent: Mozilla/5.0 (Android; Tablet; rv:36.0) Gecko/36.0 Firefox/36.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive

    hxxp/1.1 200 OK
    CONTENT-TYPE: text/xml; charset="utf-8"
    Date: Thu, 01 Jan 1970 03:59:18 GMT
    connection: close
    Application-URL: hxxp://X.XX.40:80/ws/app/
    SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0

    [?xml version="1.0"?]
    [root xmlns='urn:schemas-upnp-org:device-1-0' xmlns:sec='hxxp://' xmlns:dlna='urn:schemas-dlna-org:device-1-0']
      [specVersion]
        [major]1[/major]
        [minor]0[/minor]
      [/specVersion]
      [device]
        [deviceType]urn:dial-multiscreen-org:device:dialreceiver:1[/deviceType]
        [friendlyName][TV]Samsung50[/friendlyName]
        [manufacturer]Samsung Electronics[/manufacturer]
        [manufacturerURL]hxxp://[/manufacturerURL]
        [modelDescription]Samsung TV NS[/modelDescription]
        [modelName]XXX9200[/modelName]
        [modelNumber]1.0[/modelNumber]
        [modelURL]hxxp://[/modelURL]
        [serialNumber]XXXXXXXXXX[/serialNumber]
        [UDN]uuid:0dbXXXXXXXXXXXX[/UDN]
        [sec:deviceID]XXXXXXOMKVUK[/sec:deviceID]
        [sec:ProductCap]Resolution:1280X720,Y2013[/sec:ProductCap]
        [serviceList]
          [service]
            [serviceType]urn:dial-multiscreen-org:service:dial:1[/serviceType]
            [serviceId]urn:dial-multiscreen-org:serviceId:dial[/serviceId]
            [controlURL]/smp_26_[/controlURL]
            [eventSubURL]/smp_27_[/eventSubURL]
            [SCPDURL]/smp_25_[/SCPDURL]
          [/service]
        [/serviceList]
      [/device]
    [/root]
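
The following is an added example, not part of the post or the comment above: a small audit script that reads a UPnP device description like the one in the capture and separates the fields that identify one physical unit from those that only describe its make and model. The sample XML, its placeholder values, the `urn:example:sec` namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fields in the capture; every value is a placeholder.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:sec="urn:example:sec">
  <device>
    <deviceType>urn:dial-multiscreen-org:device:dialreceiver:1</deviceType>
    <friendlyName>[TV]Example50</friendlyName>
    <manufacturer>Example Electronics</manufacturer>
    <modelName>EX9200</modelName>
    <serialNumber>PLACEHOLDER-SERIAL</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
    <sec:deviceID>PLACEHOLDERID</sec:deviceID>
  </device>
</root>"""

# Fields that identify one physical unit
UNIQUE_FIELDS = {"serialNumber", "UDN", "deviceID"}
# Fields that only narrow the device down to a make/model
DESCRIPTIVE_FIELDS = {"friendlyName", "manufacturer", "modelName",
                      "modelNumber", "modelDescription"}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def audit_description(xml_text):
    """Return {'unique': {...}, 'descriptive': {...}} for one device description."""
    # Device XML comes from the LAN and is untrusted: refuse DTDs so that
    # entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed here")
    root = ET.fromstring(xml_text)
    report = {"unique": {}, "descriptive": {}}
    for elem in root.iter():
        name, value = local_name(elem.tag), (elem.text or "").strip()
        if not value:
            continue
        if name in UNIQUE_FIELDS:
            report["unique"][name] = value
        elif name in DESCRIPTIVE_FIELDS:
            report["descriptive"][name] = value
    return report

if __name__ == "__main__":
    for kind, fields in audit_description(SAMPLE_DESCRIPTION).items():
        for name, value in fields.items():
            print(f"{kind:12} {name:16} {value}")
```

Any non-empty entry under `unique` is data that every client on the same network segment can read with a single unauthenticated GET, which is the exposure the comment describes.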
