by quotheth 3065 days ago
There is no universal metric for security.

What I will say is that Edge and Firefox are doing an excellent job - I'm really impressed. Chrome is still the safest browser today, in my opinion.

Site isolation, which was released recently, is a really great example of how far ahead they are - site isolation is at least 3, maybe 4 years in the making. That's serious work.

They have had an excellent bounty program. They have Project Zero doing advanced offensive research, much of which has been relevant to browsers.

They fuzz a ton and have managed to solicit others to do the same (not that other browsers don't/haven't).

Their sandbox is incredible and constantly evolving. They basically invented seccomp v2 just to improve their sandboxing stature on Linux. They implemented 'forceaslr' before EMET was even a thing, to help prevent info leaks from third-party libs.

Their new kernel32.dll unloading mitigation is awesome, and as far as I know the first instance of such a thing.

I could really go on and on, I'm sure. They have taken incredible proactive measures, and they're just getting better at it.

We can see similar growth in Edge, which has had a sandbox for years. Firefox has more recently gotten a sandbox, and the move to Rust is encouraging.

But... yeah, in my opinion, Chrome takes the cake.

3 comments

> Site isolation, which was released recently, is a really great example of how far ahead they are - site isolation is at least 3, maybe 4 years in the making. That's serious work.

I just searched for chrome site isolation and found https://chromeunboxed.com/news/chrome-63-site-isolation-exte.... From this description, the only particularly interesting thing is that multiple domains within a single tab get multiple processes, but that doesn't sound all that different from how you get multiple processes per tab if the tab uses browser plugins. What makes this 3 or 4 years in the making?

Also it's disabled by default because of RAM usage.

Yep, it's disabled by default. It is a great indicator of the forward thinking work they do, though. And from a corp perspective we can push out policies to enable site isolation for high risk websites (SSO).

"The only interesting thing" is a bit disparaging, haha; that's kind of a big deal. It means that third-party iframes, as one example, run in a separate process. It breaks the case where I am evil.com and you are okta.com: if there is a way for me to leak data within a process (or exploit the process), I can read okta.com's data.

With site isolation, this is made considerably more difficult.

> Note that Site Isolation isn't on by default, and I still don't know what they're going to do about sites that contain hundreds of cross-domain iframes.

My point with site isolation was more their continued effort to push interesting, compelling security improvements. Currently, from a corp perspective, enabling site isolation for internal high-security websites (SSO pages etc.) is possible with GPO and a big win imo.

Please don't take it the wrong way, I think Firefox is awesome too :)
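The GPO approach mentioned above, as an added example that is not part of the thread: Chrome's `IsolateOrigins` enterprise policy takes a comma-separated list of origins that must each run in their own renderer process, and on a machine without a domain controller the same setting can be written directly to the policy registry key. The origins below are placeholders, and the key path and policy names are from Chrome's enterprise policy documentation, not from the thread.

```powershell
# Added example, not from the thread. Writes Chrome's IsolateOrigins policy to the
# machine-level policy key that GPO would otherwise populate. Run elevated on Windows.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Placeholder origins (constructed): substitute the SSO / identity-provider origins
# you want isolated from everything else that may share a tab or iframe tree.
$IsolatedOrigins = @(
    'https://sso.example.com',
    'https://idp.example.com'
)

function Set-ChromeIsolatedOrigins {
    param(
        [Parameter(Mandatory)] [string[]] $Origins,
        [string] $Key = $PolicyKey
    )
    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # The policy expects a single comma-separated REG_SZ, not a multi-string value.
    $value = ($Origins | Sort-Object -Unique) -join ','
    Set-ItemProperty -Path $Key -Name 'IsolateOrigins' -Value $value -Type String
    return $value
}

function Get-ChromeIsolatedOrigins {
    param([string] $Key = $PolicyKey)
    $item = Get-ItemProperty -Path $Key -Name 'IsolateOrigins' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return ($item.IsolateOrigins -split ',')
}

Set-ChromeIsolatedOrigins -Origins $IsolatedOrigins
# Read back what was written; the browser-side confirmation is chrome://policy,
# which shows the policy as applied (or reports an error for malformed origins).
Get-ChromeIsolatedOrigins
```

Isolating only the high-value origins is the middle ground the thread is discussing: the per-process memory cost is paid for a handful of sites rather than for every cross-domain iframe, while the SSO origin still cannot share a renderer with an attacker-controlled page.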

If that helps kill ads and analytics, I don't care one second.

> There is no universal metric for security.

What about slashdot-style raw counts of vulnerabilities? As Microsoft got their security more together, it seems like that measure has fallen out of favor.

I am frequently astounded by how many vulnerabilities Firefox point releases address, but I don't know the stats.

That gives actively misleading information in two cases: if two vendors have different standards for vulnerabilities (e.g., is a tab crash a DoS or just a thing that happens sometimes), and if one vendor is more active at actually looking to find vulnerabilities (or incentivizing others to do so) than another. Both of those problems, inverted, make the metric easily gameable in awful ways: you're encouraging vendors to have a high bar for what counts as a security bug, and you're encouraging them not to look.

A little more fundamentally, vulnerability counts don't provide a great measure of security architecture: whether defense-in-depth and least privilege are good at mitigating the impact of bugs. If, say, you have a JS PNG decoder and once a year someone finds a way for a malicious PNG to run arbitrary JS within the usual web JS sandbox, that's probably way better than having an unsandboxed native-code PNG decoder and once every three years someone finds a way for a malicious PNG to run arbitrary code on the host. (Maybe you can do something involving weighting vulnerabilities by CVSS score or something.)

Vulnerability counting is never a metric for security when comparing counts across products.

It's very helpful for counting within a product.

One simple example: A and B are browsers. A has a bounty program that they invest millions into; B does not.

A gets 100 vulnerability reports a month, B gets 5.

Is B safer?

No.

However, let's say we just look at A. It gets 100 a month, and then a new feature is added; suddenly it's 200 a month, and the vulns tend to be in the new codebase. That's interesting information for A, and it has nothing to do with B.