Channel: EN Blog

Bulletproof Browsing


Coke or Pepsi, Chevy or Ford, Mossberg or Remington: it seems that a defining characteristic of human nature in capitalistic societies is an attraction to certain product brands so fervent that the brand borders on being a building block of identity for many individuals. Internet browsing is no different, as millions of people every day decide which browser best fits their personality and preferences.

While the market share of browsers can be calculated in many different ways, IE has historically held onto a strong market share, no doubt a result of said web client being installed on every Windows system. However, bluntly, people don’t like being told what to do or what browser to use, and as a result studies show that the top alternatives to IE are Mozilla Firefox and Google Chrome. Each browser has a loyal base of advocates for its respective brand, and in this article we will explore the market share, areas of differentiation and the degree of security one should expect from an internet browser.

When Firefox first hit the scene in 2004 it was received by consumers with open arms, reaching 10 million downloads in the first ten days[1]. Rather than being forced to use the sub-par IE of the time, internet users had the option to migrate to a sleek open source alternative. A rival product to IE had been born out of the browser wars of the 1990s, and a year after Firefox 1.0 was released the company boasted 100 million downloads, support for 31 different languages and second place in browser market share[2]. Chipping away at a monopoly of the time and accelerated growth are just two high-level reasons why Mozilla was able to attract such a fanatic following, but the new car smell would be short-lived: Mozilla saw its newly gained ground in market share jeopardized in 2008 with the emergence of Google Chrome and the establishment of new standards for speed and performance.

Fast-forward to 2014 and there are a number of competitors in this space. There are also a number of different methodologies to calculate the market share. For the purposes of this post I will rely on reports provided by the good people at NetMarketShare, whose data is sourced from Net Applications. Using this data set we can see that, historically, Firefox has enjoyed a slightly larger share of the market than Google Chrome; however, for the first time we have seen a change in the pecking order, as Chrome surpassed Firefox in early 2014.

There are a number of reasons which can explain this shift, but a primary area of differentiation is that while Firefox’s privacy options make it attractive to the casual internet surfer, it lacks the security benefits that Chrome extends to its end users.

For those who do not follow hacking contests in Western Canada, Pwn2Own is a yearly event held at the CanSecWest Security Conference; contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. This year was not kind to Mozilla’s Firefox, as it was the clear winner of the title of least secure browser, with four zero-day vulnerabilities[3]. It should be noted that one zero-day was also found in Google Chrome, but this contest historically has not been kind to Firefox. Given the amount of data available to the public in this digital era there is no reason that one test should be the end-all be-all; however, additional testing by NSS Labs shows that Chrome leads Firefox by a significant margin in defense against socially engineered malware, or SEMs.

NSS Labs defines SEMs as websites that look benign, but trick viewers into clicking on a link that downloads malware. Using 657 samples of SEMs captured over a two week period, NSS compared different browsers' abilities to effectively serve as the frontline of defense against these types of attacks. The results were certainly not flattering to Firefox, which logged a 4% block rate, compared to nearly 71% for Google Chrome[4].

An even more alarming statistic from this study deals with Zero-Hour Protection, and once again the results are not favorable to Firefox. In this portion of the study NSS looked at the average time taken by various browser providers to block new SEM. IE led the way with an average of 5 minutes, Chrome came in second at just under 4 hours while Firefox and Safari were the only browsers to take longer than a day, on average[5].

While these particular statistics are troubling for Firefox, it certainly does not mean that Mozilla’s web client is completely devoid of security features; for example other studies by the same lab have found Firefox to be superior to Chrome in defense against phishing attacks[6]. Firefox’s security deficiencies are often seen as stemming from the lack of sandboxing within the browser that is found in browsers such as Chrome and Safari. However, it would seem that 2015 is poised to be a huge year for Firefox, perhaps just the year needed to reclaim the lost ground to Chrome.

In a move dubbed Yahoo’s “most significant partnership in five years” by Yahoo’s CEO Marissa Mayer, Firefox has ended a 10-year run of having Google as the browser's default search engine and moved to Yahoo[7]. The change allows Firefox to move away from the Google umbrella and redefine the brand, and, perhaps most importantly to its user base, Yahoo will support Firefox’s Do Not Track technology, meaning end users' preference to not be tracked for advertising will be respected. This is only the beginning for Firefox; after years of dismissing the possibility of Firefox for iOS, the company has announced first steps towards this compatibility[8]. How this will actually come to fruition is still unclear (traditionally Apple has been very restrictive about adding third-party browsers to its platform), but regardless these are just a few of the moves that are sure to excite the fan base in the new year.

Currently, the debate between Firefox and Chrome can also be viewed as a conversation about privacy vs. security; both providers offer a product with attractive features, customization and add-ons to enhance the user experience. For internet users who remain loyal to Firefox there are several third-party applications that can be added to the web client to beef up security, and it would appear Firefox is in the early stages of building sandbox technology into its product[9]. Regardless of what browser you prefer, there is no clear-cut bulletproof browser when it comes to protection against malicious agents. NSS reports browsers historically have only provided a detection rate of 80%[10], and the reality is that at some point it is up to the individual or corporate entity to educate users about how to avoid socially engineered malware attacks.

Beyond education, one suggested best practice is layered detection security. Using the Metascan Online add-on for either Chrome or Firefox, individuals and companies can dramatically enhance their level of security by scanning all downloads with 40+ malware engines. The value of these add-ons is increased detection of known threats by using a larger definition library, and a combination of heuristic algorithms to detect unknown threats. Given the mass volume of malware created on a daily basis, it is becoming harder and harder for a single AV vendor to react to the evolving landscape. A multi-scanning approach allows clients to scan files with AV engines whose origins are all over the world. In conclusion, even with Chrome’s added security features, no browser or single technology can provide 100% detection against malware, and thus everyday corporate users should look to bolster defenses in many areas; introducing additional scanning of any and all downloaded files in your environment is a great place to start.


References

[1] Gsurface, (2005 March 2005). The History of Mozilla Firefox: From Phoenix, to Firebird, to Firefox 

[4] Abrams, Randy, Jayendra Pathak, and Orlando Barrera. "BROWSER SECURITY COMPARATIVE ANALYSIS." BROWSER SECURITY COMPARATIVE ANALYSIS: Socially Engineered Malware Blocking (n.d.): n. pag. NSS Labs. NSS Labs, 31 Mar. 2014.

[5] Abrams, Randy, Jayendra Pathak, and Orlando Barrera. "BROWSER SECURITY COMPARATIVE ANALYSIS." BROWSER SECURITY COMPARATIVE ANALYSIS: Socially Engineered Malware Blocking (n.d.): n. pag. NSS Labs. NSS Labs, 31 Mar. 2014.

