Security practitioners constantly hear some variant of the question, “what is the most secure web browser?”
Any time there is a major vulnerability discovered in one of the major Web browsers, people start scrambling to find something safer. However, doing so is a fool’s errand. In our efforts to flee to better security, we are simply careening from insecurity to insecurity.
Secunia’s 2015 vulnerability report showed that in 2014 alone there were over 249 significant security patches to Internet Explorer and over 504 patches to Chrome. That is more than one security patch per day for Chrome. Firefox and Safari are no better; their patch reporting just makes it harder to count security patches from others.
While all software has bugs, Web browsers have unique characteristics that make them the source of over 90 percent of undetected malware, according to Palo Alto Networks’ March 2013, The Modern Malware Review. In fact, of all applications, the five most vulnerable are either browsers or browser plugins. Although one browser might be slightly more secure than another at any given moment, they all represent a gigantic security gap.
The reality is there is no such thing as a secure web browser. To understand how we can make the web safe for users, we first need to understand why browser security has proven to be impossible — only then can we start to consider strategies that can make it safe again.