It's not about the browser, stupid!

security figures on keyboard

COMMENT:When considering the security of your data how big a part does your choice of web browser client make?

Even typing that question sent something of a shiver down my spine, in a 'I hope nobody can see me asking that' kind of a way. Although some browser clients may be notionally 'more secure' than others, when talking about the mainstream choices none are actually safe nor unsafe, truth be told.

It's a bit like the guns don't kill people argument, although I've never heard of a web browser killing anyone (but Internet Explorer has driven me to suicidal thoughts in the past) the point is that people kill people and people use web browsers in an insecure manner.

A browser with hardly any market share is also going to have hardly any hacker interest in it but it won't save you from stupidity.

That's precisely why I was a little disappointed to discover there has been yet another study into web browser security published, the results of which appear to be at odds with another recent study into the same thing.

One report says that Google Chrome is the safest browser you can use, the other that Internet Explorer 9.0 is the most secure. I will ignore the small matter of Google being the sponsor of the study it ended up winning as, like I already said, it really doesn't matter to me anyway and nor should it to you.

It does, however, seem to matter to the director of security strategy at one large vendor who insisted on

explaining in great detail via email how web browsers are like cars. I will spare you the full argument, but the abridged version encompasses Maslow's Law of Hierarchical Needs whereby cars (and ultimately web browsers also) start their lifecycle competing on basic functionality alone, then move into additional features and efficiencies. The point being that just as when comparing the safety features of cars (is ASB 'safer' than air bags, for example) how do you determine if a browser with a sandbox is safer than one with an anti-XSS filter?

His conclusion being that the answer depends upon the crash test criteria and how the scores are weighted.

Why did he tell me all this? Because one browser security study primarily focussed on malware blocking while the other took the view that URL or application reputation were not that important. Hence the two different end results. Bananarama and the Fun Boy Three summed up online security pretty nicely when they sang it ain't what you do it's the way that you do it.

Visiting dodgy download and sharing sites, clicking links indiscriminately, believing everything anyone who emails you says will get you and quite possibly your enterprise in trouble no matter what browser you are using. Sure, a browser with hardly any market share is also going to have hardly any hacker interest in it but it won't save you from stupidity.

So invest in user education and decent endpoint security protection if you want to protect your data, and forget about how secure or insecure your browser is. It really doesn't make much difference anymore.

Unless you are still using Internet Explorer 6 that is, in which case I retract everything I have said up to this point and would like to replace it with a great big WHAT ARE YOU THINKING?

Yes, I know that there are still bespoke applications within the enterprise which use IE6 and which work perfectly well, but that doesn't make them perfectly safe unless they are totally sandboxed from the internet and the rest of your network. Even Microsoft is pleading with businesses big and small to follow the consumer lead and drop the buggy, unpatched, unsupported, full of holes pile of web browsing poop that is IE 6. I grant you Microsoft didn't use those exact words but I think that's what it meant...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.