Message-ID: <bfad19c00905051446h5b58c44fxd49e23df099723c@mail.gmail.com>
Date: Tue, 5 May 2009 23:46:23 +0200
From: Stefan Frei <stefan.frei@...hzoom.net>
To: bugtraq@...urityfocus.com
Subject: New Browser Security Paper: Why Silent Updates Boost Security

Dear all,

with research colleague Thomas Duebendorfer from Google in Zurich I've
finally had a chance to look deeper into the performance of Web
browser update mechanisms. The analysis of anonymized Google Web
server logs allowed us to compare and rank the update strategies
deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera. We found
considerable differences in the performance of the update techniques
deployed by each browser by measuring the share of the latest minor
version within the same major version during the first 21 days after
its release.

Chrome topped with 97% share after 21 days, followed by Firefox 85%,
Safari 53%, and Opera 24%.
However, during the first 5 days after a new release Firefox
outperformed all the others.

The paper discusses the findings and provides empirical data to
evaluate different update strategies.


Paper: Why Silent Updates Boost Security

Abstract:
In this paper we analyze the effectiveness of different Web browser
update mechanisms; from Google Chrome's silent update mechanism to
Opera's update requiring a full re-installation. We use anonymized
logs from Google's world wide distributed Web servers. An analysis of
the logged HTTP user-agent strings that Web browsers report when
requesting any Web page is used to measure the daily browser version
shares in active use. Our measurements prove that silent updates and
little dependency on the underlying operating system are most
effective to get users of Web browsers to surf the Web with the latest
browser version. However, there is still room for improvement as we
found. Google Chrome's advantageous silent update mechanism has been
open sourced in April 2009. We recommend any software vendor to
seriously consider deploying silent updates as this benefits both the
vendor and the user, especially for widely used attack-exposed
applications like Web browsers and browser plug-ins.

Authors:
- Thomas Duebendorfer, Google Switzerland GmbH
- Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland

Paper Download:
http://www.techzoom.net/silent-updates

Paper Blog:
http://blog.techzoom.net/2009/05/silent-updates-vs-loss-of-control.html


Cheers
Stefan Frei & Thomas Duebendorfer
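
The measurement described in the message above (share of the latest minor version within the same major version, per day after release, derived from HTTP user-agent strings), as an added Python example that is not part of the original message or the paper. The regexes, the `major_len` rule for what counts as a major version, and all sample hits are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import date

# Version tokens for the four browsers in the study (regexes are this example's assumption).
UA_PATTERNS = {
    "Chrome": re.compile(r"Chrome/(\d+(?:\.\d+)+)"),  # checked first: Chrome UAs also say "Safari/"
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)+)"),
    "Opera": re.compile(r"^Opera/(\d+(?:\.\d+)+)"),
    "Safari": re.compile(r"Version/(\d+(?:\.\d+)+) Safari/"),
}

def parse_ua(ua):
    """Return (browser, version tuple), or None for an unrecognised User-Agent."""
    for browser, pattern in UA_PATTERNS.items():
        m = pattern.search(ua)
        if m:
            return browser, tuple(int(p) for p in m.group(1).split("."))
    return None

def latest_share(records, browser, latest, release_day, window=21, major_len=2):
    """Map days-since-release to the share of `latest` among hits from the same
    browser and major version (first `major_len` components, an assumption)."""
    hits = defaultdict(lambda: [0, 0])  # offset -> [hits on latest, all hits]
    for day, ua in records:
        parsed = parse_ua(ua)
        offset = (date.fromisoformat(day) - release_day).days
        if parsed is None or parsed[0] != browser or not 0 <= offset <= window:
            continue
        version = parsed[1]
        if version[:major_len] != latest[:major_len]:
            continue  # different major version: not part of the measured population
        hits[offset][1] += 1
        hits[offset][0] += version == latest
    return {d: new / total for d, (new, total) in sorted(hits.items())}

# Constructed sample hits (dates, counts and versions are illustrative, not the paper's data).
FX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.{0}) Gecko/2009 Firefox/3.0.{0}"
OLD, NEW = FX.format(8), FX.format(9)
SAMPLE = (
    [("2009-01-10", OLD)] * 3 + [("2009-01-10", NEW)]
    + [("2009-01-11", OLD)] * 2 + [("2009-01-11", NEW)] * 2
    + [("2009-01-15", OLD)] + [("2009-01-15", NEW)] * 3
    + [("2009-01-11", "Mozilla/5.0 (Windows; U) Gecko/2008 Firefox/2.0.0.20"),  # other major version
       ("2009-01-11", "Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1"),  # other browser
       ("2009-02-20", NEW)]  # outside the 21-day window
)

if __name__ == "__main__":
    for offset, share in latest_share(SAMPLE, "Firefox", (3, 0, 9), date(2009, 1, 10)).items():
        print(f"day {offset:2d}: {share:.0%}")
```

The choice of `major_len` changes the population being measured: with the default of 2, an Opera 9.63 hit is not counted against a 9.64 release, while `major_len=1` treats both as the same major version.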
