Most Secure Browser of 2018 for Password Management

The average user isn’t quite aware of how much information they unwillingly hand over to third party data trackers when they launch their favorite browsers. Despite the increasing prevalence of specialized apps to serve the various needs of users, web browsers still account for a huge chunk of our digital life. It’s the program we launch to read the news, listen to music, check our bank account, pay bills, and much more.

Fortunately (or not), the choice of web browsers continues to grow, and with it users concerns surrounding security. With the abundance of data breaches we’ve seen in 2017, many are wondering just exactly which browser is the most secure, especially when it comes to password management.

Web browser security vulnerabilities by the numbers

It’s not a place every internet user will visit every day, but the common vulnerabilities and exposures (CVE) database is something that needs to be checked from time to time. While the language used there may sound like gibberish to non-programmers, the number of vulnerabilities reported and their resolution progress offers reliable information about the current status of the web browser.

Apple’s Safari Web browser, for example, has a total of 922 CVE entries, which means the default browser of the macOS operating system has had this many security bugs of varying severity. Google Chrome, the most popular browser, has 1,582 CVE entries, Firefox 1,633, while Opera (an underrated browser featuring the same core technologies as Chrome) has 349. Microsoft Edge has 325 entries, and the lowest is Tor at 84. All these numbers reflect the total number of bugs discovered by security researchers and reported to the CVE.

DOM fuzzing

Google assembled a team of security researchers under the name of Project Zero with the aim of finding zero-day vulnerabilities. You might have heard about their findings: the “Heartbleed” vulnerability that made headlines came to the surface thanks to their efforts. One of the team members, Ivan Fratric, was tasked to test browser software for potential flaws.

Since DOM (Document Object Model) engines have historically been a “very good source” of browser bugs exploited by hackers, Fratric’s task was to test browser resilience against his own fuzzer called Domato.

This, however, doesn’t “necessarily reflect the security of the whole browser and instead focuses on just a single component (the DOM engine), but one that has historically been a source of many security issues,” Fratric explained in a blog post announcing the results. This obviously limits the reach of his research, but it is an important component users should keep in mind when choosing a password manager and using its browser extension.

The LastPass security breach from early 2017, for example, was related to DOM – it was triggered because of the way LastPass behaved in “isolated” worlds, a JavaScript execution environment sharing the same DOM as other worlds.

The most secure browsers according to Google’s project zero

1. Chrome – 2 bugs
2. Firefox – 4 bugs
3. Internet Explorer – 4 bugs
4. Edge – 6 bugs
5. Safari – 17 bugs

As you can see from the above list, Apple’s Safari is the outlier, with a significant number of bugs found when compared to Google’s browser. It is worth remembering, however, that the research was funded by Google, so we cannot exclude a biased result.

What can we learn from this?

While remote hacks using hardware vulnerabilities are possible, the first and lowest cost go-to method for a hacker to orchestrate an attack is by crafting a malicious site to exploit vulnerabilities in web browsers. This hacker-built site will install malware or run a script, and steal any passwords saved in a password manager just as was the case with the LastPass browser extension in early 2017. But other password managers such as 1Password, Dashlane, or Keepass also had their share of bugs.

Our recommendation, for security reasons, is to not use the browser extension of the password manager. Instead, use the dedicated desktop/mobile app or the browser’s password manager.