The Poznań Supercomputing and Networking Center (PSNC) Security Team conducted a set of comparative tests of Web browsers, addressing their resilience to attacks on SSL/TLS encrypted tunnels. Particular emphasis was put on whether the browsers are able to detect such attacks at all and how the user is informed about them (including users without specialized IT knowledge).
The five most popular browsers were tested, in alphabetical order: Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera. Among other things, the set of implemented encryption algorithms was verified, as well as the efficiency of exchanging encrypted data under non-standard network conditions. The key part of the tests, however, was the analysis of the interaction between the browser and its user when different types of security errors occur in the browsed Web pages. For instance, cases such as an expired certificate or unencrypted content within an HTTPS page were tested. It was verified whether the anomaly was detected at all, and if so, whether the information about it was presented to the user in a visible, detailed and convenient way. The default settings of all browsers were assessed as well.
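One of the error conditions named above, unencrypted content inside an HTTPS page (so-called mixed content), can be illustrated with a small scanner that mirrors the check a browser performs while loading a page. This is an added example, not code from the PSNC report or from any of the tested browsers; it assumes the common split between "active" sub-resources (scripts, frames, stylesheets, plugins, which can alter the page) and "passive" ones (images and media, which can only be observed or swapped), and the sample page and host names are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// sub-resources can execute code or restyle the page ("active" mixed content).
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
# Tags whose http:// sub-resources only display data ("passive" mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, absolute_url) for every sub-resource fetched over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are treated as active; icons, preloads etc. are ignored here.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") references against the
        # page URL, so those inherit https and are correctly not reported.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return the mixed-content findings for an HTML document served from page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages that are themselves HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_finding(findings):
    """Summarize a finding list as 'active', 'passive' or 'none' (what a browser would act on)."""
    if any(kind == "active" for kind, _, _ in findings):
        return "active"
    return "passive" if findings else "none"


# Constructed sample page: hosts under example.test are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//static.example.test/app.js"></script>
<script src="http://static.example.test/tracker.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/local.png">
<iframe src="https://embed.example.test/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://www.example.test/index.html", SAMPLE_PAGE):
        print(f"{kind:7s} <{tag}> {url}")
    print("overall:", worst_finding(scan("https://www.example.test/index.html", SAMPLE_PAGE)))
```

Run on the constructed page, the scanner reports the stylesheet and the tracker script as active findings and the logo image as passive; the protocol-relative script, the site-relative image and the HTTPS frame are correctly left alone. The active/passive distinction is the reason a browser's warning for a page like this can range from a subtle icon change to a blocked resource, which is exactly the user-interaction difference the tests described above set out to compare.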

On the other hand, it must be clearly stated that the current stage of the tests did not concern potential vulnerabilities in the browsers' code, and no conclusions about their quality in terms of software vulnerabilities should be drawn from it.

It can be clearly seen that the vendors aim to create conditions that allow their users to browse the Web securely. However, the implementation of that goal varies between particular browsers (and is sometimes quite inconsistent within a single application). The amount of information displayed about errors that have occurred varies significantly among the browsers, which may matter to particular groups of users when choosing their preferred application.

According to the obtained results, no absolute leader or outsider among the tested browsers can be pointed out. In the subjective assessment of the report authors, the two most popular browsers (i.e. Firefox and Internet Explorer) fulfill the majority of basic requirements for secure handling of SSL/TLS encrypted tunnels, while Firefox appears to have better interaction with the user and slightly more secure default settings, and Internet Explorer appeared to be more efficient when sending data through encrypted tunnels.

Among the remaining, less popular browsers, the report authors singled out Opera for the most sophisticated error reporting facilities. It also seems that the developers of Safari still have the most work to do.

It also appears that using only one browser (not only with respect to SSL/TLS tunnels) limits the opportunity to notice various types of security problems, especially for technically oriented users.
The detailed report summarizing the work done may be downloaded from the PSNC Security Team webpage. It is currently available in Polish, but the authors will prepare a shortened English version soon.
Gerard Frankowski