Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

In the security industry it's commonly known Chrome has the best security, this partly due to the amount of money Google invests in finding vulnerabilities (via fuzzing) in Chrome.

For "proof", you can check how much exploit vendors pay for exploits for each browser. For example Zerodium offer:

* $500k for Chrome RCE

* $100k for Safari RCE

* $100k for Firefox RCE

https://zerodium.com/program.html

The higher amount would generally indicate its harder to get an RCE in Chrome.



The higher amount would generally indicate its harder to get an RCE in Chrome

That does not follow at all. Chrome has the highest market share and so an exploit would have the greatest impact potential. More users affected => more economic value for an exploit.


Market share has a factor, but its not always the commanding factor.

Take a look at https://zerodium.com/program.html

Apache and Nginx have a very similar market share. Nginx has higher share in top 10k websites, Apache has slightly higher share overall.

Yet Apache has over double the price as nginx exploits:

* Apache RCE 500k

* Nginx RCE 200k


If they both have similar market share, then that variable has been isolated and the conclusion that the cheaper exploit is the less secure is sound. When that variable has not been isolated, it's not possible to conclude that the difference in price is due to security and not due to the exploit affecting more people.

"The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc)."

So, if chrome, with ~65% of the market share had the same payout as firefox at ~4% of the market share, it would be fair to conclude it's less secure. However, we see 5x the payout and 16x the market share. Doesn't seem conclusive.


Or perhaps that Chrome exploits are more useful?

In fact, given Firefox's tiny market share (despite my efforts) I'm surprised the disparity isn't higher. Maybe it's harder to find Firefox exploits?

It's more likely that more popular browsers equally have more people attempting to crack them; and software in general is so buggy that results probably scale in proportion to the number of people looking.


Thats a valid point if we're referring to relatively unknown browsers. But the main three browsers are all high profile enough that they all have significant eyes on them and are thoroughly tested.

Firefox may have a small market share, but exploits for Firefox may even have more value to some entities/governments, due to its use in Tor Browser.

To clear any confusion, all three are extremely secure in comparison to other types of products (which is why exploits are so expensive), however Chrome just edges ahead, due to its sandboxing, and rapid patch cycle.


Chrome has about 70 percent market share and this higher amount may accounts for that.


Well in the US[0] it's

Chrome 46.17% Safari 37.83% Firefox 3.7%

Worldwide[1] it's: Chrome 63.54% Safari 19.24% Firefox 3.79%

I was a bit shocked to see how low FF is. It's exploits are being valued the same as Safari.

[0] https://gs.statcounter.com/browser-market-share/all/united-s... [1] https://gs.statcounter.com/browser-market-share#monthly-2020...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: