Chrome only browser left standing after day one of Pwn2Own (arstechnica.com)
36 points by jlhamilton on March 20, 2009 | 15 comments



On the other hand, Chrome is the browser security researchers know the least about; it's not an apples-to-apples comparison, yet.


There are a couple other points, though:

- Chrome is only available for Windows ATM. Windows boxes are apparently more difficult to crack than Macs.

- Chrome runs in a sandbox, unlike IE or Safari, which adds some security as well.


Chrome sandboxing doesn't rely on things like address space randomization and NX, so the Mac vs. Win32 difference --- while probably still present --- may be less pronounced.


Comparing mobile browsers they ignored Opera - the most common mobile browser and the most secure.


I have no idea why you think Opera is the most secure mobile browser.


Do you think it's more common than Safari on iPhone? Do you have any way to verify that?


Opera Mobile has significantly more installs than Mobile Safari, but Safari probably has greater market share in terms of mobile visits (because iPhone users use Safari quite a bit).

As for numbers, Opera says there are more than 120m installations of Opera Mobile:

http://www.opera.com/mobile/

They have another product, for less powerful phones (it does rendering via a proxy actually) that has 20 million users. Since the requests are all proxied, Opera knows how many people use this product:

http://www.opera.com/mini/


Safari Mobile is also on every iPod touch, giving it an even wider user base.


>> "after day one"

Isn't this all a big theatre type thing anyway? Aren't exploits prepared well in advance anyway?

It'd be a more interesting competition if the competitors were given never before seen new versions of browsers, and asked to crack them on the spot.


Since the rules change (i.e. become easier) each day, the day number gives you some indication of the relative difficulty in performing the exploit, even though the exploits themselves are prepared in advance:

http://cansecwest.com/post/2009-03-18-01:00:00.PWN2OWN_Final...


Guessing this is a symptom of:

- Tiny market share

- Radically different approach to security (heavy sandboxing, multi-process)

We don't yet know if Chrome is actually more secure.


I'd bet that it is. I can't think of a fair way to adjudicate that, though.


As soon as all extensions are ported there is no reason not to use Chrome.


"Windows, on the other hand, he claims is tougher because of its address randomization feature and other security measures. As for Chrome, he says that he has identified a security bug in Google's browser but has been unable to exploit it because the browser's sandboxing feature and the operating system's security"

Sounds like Chrome was saved by not having a version for the extremely vulnerable Mac. Security by obscurity is no security at all.


Isn't address randomization a form of security by obscurity?



