Every day we use web-browsers, but we don’t take into consideration that not only social media, cloud and e-mail services collect users’ data and send them to companies. These services are often vulnerable to attacks or data leaks. Web-browsers may be hacked as well. That is why, it is so important to understand what security measures and privacy policies popular apps use. The Analytical department of Falcongaze has observed 4 of the most popular web-browsers.
Chrome has several modes: basic browser mode, sync Chrome mode, and incognito/guest mode.
When in basic mode, browser stores URL of visited pages, cash-files, cookie files, list of IP-addresses. Chrome also stores users’ data, passwords, and download info. But it provides an opportunity to clear the history of visited pages, remove stored data, and ban receiving cookies. Google receives private and finance data in case a user stores their data in Google account which is synchronized with Chrome.
Chrome also sends web-forms information, structure of that form, and hashed URL to Google.
Google informs if it is discovered in Chrome that a user became a victim of an attack. A notification will be sent to a company or an owner of an affected web-site.
The sync mode means that Chrome is synchronized with your Google account. In sync mode, data are stored on company’s servers. Web-page browsing history, bookmarks, tabs, passwords are also synchronized.
It is possible to limit information that Chrome stores on user’s computer when incognito/guest mode is on. When in this mode, browsing history, pages URL, hashed texts, IP-addresses of visited web-sites, and download records are not stored. This mode limits web-sites’ access to cookie-files.
Chrome provides with a function of Safe Browsing Practices. Google has a constantly updating list of affected web-sites. The browser consults the list in order to notify a user in case they visit a site with suspicious activity. The copy of this list is stored in a user’s system.
Chrome scans not only web-pages, but also a user’s computer for presence of fraudulent software. If it is discovered, the browser will offer a user to download the Chrome Cleanup Tool to remove it.
By the way, extensions and other services might send user’s data to Google servers or their owners’ servers. These data often include information about user’s device, content they observe, and more.
Despite the fact that Google always enhances its product, breaches still happen. In the end of 2019, Chrome’s tool for logins and passwords protection became the reason of the leak. The Indian users’ data were compromised.
In August of the same year, the company discovered the hundreds of thousands of users’ data leak. Google said, that it notified users immediately and asked to change passwords. But only 26% of them followed the instructions.
Nevertheless, in November of 2020, the company released a new Chrome version. It had 10 vulnerabilities removed.
Microsoft Edge is based on Chromium source code. But the company continues enhancing its product. Microsoft says that Edge is more secure for Windows 10 than Google Chrome.
Edge has built-in security SmartScreen which blocks phishing and other types of attacks. The company underlines that SmartScreen is better at preventing fraudulent activity than Google Chrome. While a user is online, the browser checks visited web-sites and downloads. Microsoft informs that SmartScreen prevents 95,5% of phishing attacks and 98,5% of malware attacks when Chrome deals with 86,9% and 86,0% of attempts accordingly.
As Microsoft says, Edge is the only browser that maintains hardware isolation. Untrusted sites are run in a kernel isolated from a local device and internal networks. They work in the so-called “container”. In case of an attack, untrusted sites will not have access to a network and users’ devices.
Microsoft also informs that Edge is the only browser that supports:
What concerns privacy policies, the company underlines that it collects only those data that are necessary for service providing and analysis.
There is a function called InPrivate (guest mode). When a user switches off a guest mode, Edge removes download history, cookie files, and other data. Passwords are not stored in guest mode. InPrivate is not synchronized with Microsoft account. But Microsoft informs that when InPrivate is on, there is no protection against fraudulent web-sites and no ad-blocking.
When a company releases a new product, it has two ways of spreading it: to announce the release and let users decide whether to try the app or not, or to deploy the app by force. In June 2020, Microsoft chose the second way of spreading Edge. Moreover, Microsoft left users the message trying to convince them to exchange Chrome for Edge. The app was installed even on Windows 7 and 8 which are not supported anymore.
Since May 2020, different web-browsers including Edge were attacked by fraudulent actors. They deployed attachments and changed users’ configurations. The attachments were to place unsecure links with advertisements on search pages. The hackers benefited from online traffic on web-sites.
Opera
Opera has the following security measures:
However, in 2016, a Polish researcher figured out that Opera’s VPN is nothing else but preconfigured HTTP/S proxy in reality. The company confirmed, “Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world.”
Yahoo considers Opera to be the most innovative web-browser in 2020. According to Yahoo, Opera combines the best features of Firefox and Chrome.
During previous years, Opera wasn’t involved in leaks or breaches directly. But there was an incident related to Google extensions that could be used in the Opera browser. In 2019, some extensions collected users’ sensitive information. Also, in 2019, password manager LastPass had a vulnerability that allowed stealing users’ credentials from Opera and Google Chrome.
Firefox
In 2019, German Federal Office for Information Security checked web-browsers for compliance to security standard. The results showed that Mozilla Firefox is the only browser which meets all demands of this standard. Firefox is equipped with the following security measures:
In the beginning of 2020, Mozilla blocked 197 fraudulent extensions for a browser. They collected users’ data and used an obfuscation to hide source code. The hackers uploaded them using a remote server – that is contrary to the Mozilla’s rules.
Also, since 2020, the extensions developers must use 2FA so that hackers cannot take control over them.
We tried to provide you with the objective information about the most popular web-browsers’ security measures and privacy policies. Be informed of them in order not to get into trouble later.