Overview of popular web-browsers’ security measures
03.03.2021
Every day we use web-browsers, but we don’t take into consideration that not only social media, cloud and e-mail services collect users’ data and send them to companies. These services are often vulnerable to attacks or data leaks. Web-browsers may be hacked as well. That is why, it is so important to understand what security measures and privacy policies popular apps use. The Analytical department of Falcongaze has observed 4 of the most popular web-browsers.
- Chrome
Chrome has several modes: basic browser mode, sync Chrome mode, and incognito/guest mode.
When in basic mode, browser stores URL of visited pages, cash-files, cookie files, list of IP-addresses. Chrome also stores users’ data, passwords, and download info. But it provides an opportunity to clear the history of visited pages, remove stored data, and ban receiving cookies. Google receives private and finance data in case a user stores their data in Google account which is synchronized with Chrome.
Chrome also sends web-forms information, structure of that form, and hashed URL to Google.
Google informs if it is discovered in Chrome that a user became a victim of an attack. A notification will be sent to a company or an owner of an affected web-site.
The sync mode means that Chrome is synchronized with your Google account. In sync mode, data are stored on company’s servers. Web-page browsing history, bookmarks, tabs, passwords are also synchronized.
It is possible to limit information that Chrome stores on user’s computer when incognito/guest mode is on. When in this mode, browsing history, pages URL, hashed texts, IP-addresses of visited web-sites, and download records are not stored. This mode limits web-sites’ access to cookie-files.
Chrome provides with a function of Safe Browsing Practices. Google has a constantly updating list of affected web-sites. The browser consults the list in order to notify a user in case they visit a site with suspicious activity. The copy of this list is stored in a user’s system.
Chrome scans not only web-pages, but also a user’s computer for presence of fraudulent software. If it is discovered, the browser will offer a user to download the Chrome Cleanup Tool to remove it.
By the way, extensions and other services might send user’s data to Google servers or their owners’ servers. These data often include information about user’s device, content they observe, and more.
Despite the fact that Google always enhances its product, breaches still happen. In the end of 2019, Chrome’s tool for logins and passwords protection became the reason of the leak. The Indian users’ data were compromised.
In August of the same year, the company discovered the hundreds of thousands of users’ data leak. Google said, that it notified users immediately and asked to change passwords. But only 26% of them followed the instructions.
Nevertheless, in November of 2020, the company released a new Chrome version. It had 10 vulnerabilities removed.
- Microsoft Edge
Microsoft Edge is based on Chromium source code. But the company continues enhancing its product. Microsoft says that Edge is more secure for Windows 10 than Google Chrome.
Edge has built-in security SmartScreen which blocks phishing and other types of attacks. The company underlines that SmartScreen is better at preventing fraudulent activity than Google Chrome. While a user is online, the browser checks visited web-sites and downloads. Microsoft informs that SmartScreen prevents 95,5% of phishing attacks and 98,5% of malware attacks when Chrome deals with 86,9% and 86,0% of attempts accordingly.
As Microsoft says, Edge is the only browser that maintains hardware isolation. Untrusted sites are run in a kernel isolated from a local device and internal networks. They work in the so-called “container”. In case of an attack, untrusted sites will not have access to a network and users’ devices.
Microsoft also informs that Edge is the only browser that supports:
- Azure AD Conditional Access – a tool used by Azure Active Directory to bring signals together, make decisions, and enforce policy decisions.
- Windows Information Protection – a tool that provides protection for corporate data in order to prevent accidental leaks on Windows 10. It safeguards clipboard, encrypts files while downloading, and prevents file uploads to unauthorized web-sites or cloud services.
- Microsoft Endpoint Data Loss Prevention – a tool that notifies Edge users about unusual activity and minimizes risk of data loss while a user is online. It searches and marks company’s sensitive data. Such data usually contains financial cards details, finance data etc.
What concerns privacy policies, the company underlines that it collects only those data that are necessary for service providing and analysis.
There is a function called InPrivate (guest mode). When a user switches off a guest mode, Edge removes download history, cookie files, and other data. Passwords are not stored in guest mode. InPrivate is not synchronized with Microsoft account. But Microsoft informs that when InPrivate is on, there is no protection against fraudulent web-sites and no ad-blocking.
When a company releases a new product, it has two ways of spreading it: to announce the release and let users decide whether to try the app or not, or to deploy the app by force. In June 2020, Microsoft chose the second way of spreading Edge. Moreover, Microsoft left users the message trying to convince them to exchange Chrome for Edge. The app was installed even on Windows 7 and 8 which are not supported anymore.
Since May 2020, different web-browsers including Edge were attacked by fraudulent actors. They deployed attachments and changed users’ configurations. The attachments were to place unsecure links with advertisements on search pages. The hackers benefited from online traffic on web-sites.
Opera
Opera has the following security measures:
- Ad blocking tool. It blocks cookie-files tracking and provides cryptocurrency mining protection. When ad blocker is on, a sign of crossed shield will appear in address bar.
- Built-in free VPN. It prevents user’s real location tracking by substituting it for a server’s location. Due to VPN, the connection with browser is encrypted. The encryption is 256-bit. Opera informs that it doesn’t store the information about user’s activity when they use VPN.
However, in 2016, a Polish researcher figured out that Opera’s VPN is nothing else but preconfigured HTTP/S proxy in reality. The company confirmed, “Our VPN is something we call a browser VPN. Under the hood it works by routing all the browser traffic properly encrypted via our secure proxies in various parts of the world.”
- Security badges. If a web-site is secure, a special sign (a green lock) will appear in address bar. Click on it to see certificate details.
- DNT: 1. If a user doesn’t want a site to track their behavior, Opera can send an additional header with request “DNT: 1”. It means that a user doesn’t want to be tracked. But it is up to a web-site owner to decide whether to follow the request or not.
Yahoo considers Opera to be the most innovative web-browser in 2020. According to Yahoo, Opera combines the best features of Firefox and Chrome.
During previous years, Opera wasn’t involved in leaks or breaches directly. But there was an incident related to Google extensions that could be used in the Opera browser. In 2019, some extensions collected users’ sensitive information. Also, in 2019, password manager LastPass had a vulnerability that allowed stealing users’ credentials from Opera and Google Chrome.
Firefox
In 2019, German Federal Office for Information Security checked web-browsers for compliance to security standard. The results showed that Mozilla Firefox is the only browser which meets all demands of this standard. Firefox is equipped with the following security measures:
- Enhanced Tracking Protection. Firefox blocks social media trackers, cross-site cookies, cryptominers, content tracking, and fingerprints. A purple shield shows that Firefox is blocking something on the site. Click on it to learn more.
- Built-in Phishing and Malware Protection. Firefox warns if a web-site can affect a user’s device. The same concerns download files.
- Lockwise. It is a tool that protects user’s passwords saved in Firefox. When accessing passwords, Lockwise asks for authentication (password, voice, face or fingerprint).
- Insecure password warning. The browser will inform a user in case a web-site doesn’t use secure connection. It will be showed as a crossed lock in address bar. A warning message will also appear in an input field. Before filling the field, Mozilla recommends checking whether there is a secure page of that web-site. Just put https:// before site’s name in address bar. If there is no secure page but you need to fill the field, then use unique credentials that you don’t use somewhere else.
In the beginning of 2020, Mozilla blocked 197 fraudulent extensions for a browser. They collected users’ data and used an obfuscation to hide source code. The hackers uploaded them using a remote server – that is contrary to the Mozilla’s rules.
Also, since 2020, the extensions developers must use 2FA so that hackers cannot take control over them.
We tried to provide you with the objective information about the most popular web-browsers’ security measures and privacy policies. Be informed of them in order not to get into trouble later.