In the security industry it's commonly known that Chrome has the best security; this is partly due to the amount of money Google invests in finding vulnerabilities (via fuzzing) in Chrome.
For "proof", you can check how much exploit vendors pay for exploits for each browser. For example Zerodium offer:
* $500k for Chrome RCE
* $100k for Safari RCE
* $100k for Firefox RCE
https://zerodium.com/program.html
The higher amount would generally indicate it's harder to get an RCE in Chrome.
That does not follow at all. Chrome has the highest market share and so an exploit would have the greatest impact potential. More users affected => more economic value for an exploit.
If they both have similar market share, then that variable has been isolated and the conclusion that the cheaper exploit is the less secure is sound. When that variable has not been isolated, it's not possible to conclude that the difference in price is due to security and not due to the exploit affecting more people.
"The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc)."
So, if Chrome, with ~65% of the market share, had the same payout as Firefox at ~4% of the market share, it would be fair to conclude it's less secure. However, we see 5x the payout and 16x the market share. Doesn't seem conclusive.
In fact, given Firefox's tiny market share (despite my efforts) I'm surprised the disparity isn't higher. Maybe it's harder to find Firefox exploits?
It's more likely that more popular browsers equally have more people attempting to crack them; and software in general is so buggy that results probably scale in proportion to the number of people looking.
That's a valid point if we're referring to relatively unknown browsers. But the main three browsers are all high profile enough that they all have significant eyes on them and are thoroughly tested.
Firefox may have a small market share, but exploits for Firefox may even have more value to some entities/governments, due to its use in Tor Browser.
To clear any confusion, all three are extremely secure in comparison to other types of products (which is why exploits are so expensive), however Chrome just edges ahead, due to its sandboxing, and rapid patch cycle.
And Slack/Discord are not good examples. You're just setting yourself up for a world of monetized walled garden hurt long term. Matrix however is pretty great.
But Discourse is just old crap in new clothes. It reminds me of badly coded php forums of yore. It looks nicer, but without allowing dozens of external js files it just gets you a blank page. And their demo forum clocks in at nearly 5mb for viewing the index! Add to that bullshit like infinite scrolling and I really don't know why I would ever want to use this. We don't need new bloat that replaces old bloat just so someone maybe cleans up the presentation a bit.
I can't quite put my finger on it, but discourse forums always look very cold to me. Like an enterprise feedback aggregation where you're not sure if anyone will reply. It doesn't feel as explorable and cozy as older forums.
Yeah, Discourse is great modern forum software in my experience as a user. So much so that I can imagine it helping lead a resurrection of forums; it's so much more pleasant to use than Facebook Groups (which I refuse to use).
If only. Too many people sadly go for the path of least resistance, which also has a plus side. People on forums are probably more likely to seek them out because they have their own issues with Facebook/Reddit.
You mean like reddit? It's mostly used that way right now (afaict), but I'm missing the expertise and feel of community (I knew everyone I interacted with on the old BBS) that existed before.
Like the article stated, joining a community of like-minded people brought a feeling and discourse that I don't really get on modern commercially hosted platforms that offer a "one size fits all" solution.
It's recognisably a forum, but works great on small screen devices and includes richer functionality such as events within forums (logically forums are more equivalent to folders that can contain differently structured things, so not just conversations but events as well for example).
I'm still tempted to work on it at times (hasn't been updated in many years) but for that to be a motivation I'd want to believe that others would run instances too and it would grow as a self-hosted multi-tenant option.
It's extraordinarily cheap to run, far less maintenance than any other forum platform I've ever operated.
Seems like Xenforo and Discourse are the most popular/modern forum software, based on what I've seen on the few forums I still visit regularly.
Discourse is interesting: it allows you to view threads by category, or by a feed where the most recent discussions appear first. Both have social-media-like features such as status updates and posting on people's profiles.
Platform as in software-that-you-install-somewhere (in that case: Discourse seems plenty modern to me) or platform as in forum-as-a-service that will most probably end up with a dubious monetization scheme?
"97% of companies have data leaks and other security incidents exposed on the Dark Web" - Bold claims. Do you have any proof of this? Such as redacted screenshots or examples of these leaks?
The article shows lots of stats, but no real evidence.
There are some people that say, now I am not saying it, but there are people that say, “Your data is on the Dark Web”.
It looks like FUD, it sounds like FUD, then in my books, it is FUD. Fortunately it is easy to get out of infosec meetings that blather on with these generic statements while working from home. No awkward walking out of the room.
It looks like it’s based on looking for the companies’ domains in password and data dumps, in which case 97% is utterly unsurprising and I bet the 3% are just too new to have had any users in a major breach.
I'm not convinced that every name in a data dump indicates a breach at a given company.
My thinking:
If someone gets hold of a huge list of usernames and passwords from bobcompany.com, and then spams numerous sites with those logins to see if they work elsewhere ... and finds that a few work on joecompany.com, then puts out that data.... joecompany.com might have their name listed somewhere in someone's data dump, but they didn't have a breach...
Every work email address I've ever had has been a part of at least one breach according to haveibeenpwned. None of them are specific to the companies I've worked for. If they count things like the Exactis breach, they'll likely pick up every company that existed prior to that breach.
> I'm not convinced that every name in a data dump indicates a breach at a given company
It doesn't; the article is marketing bullshit trying to push a dark web monitoring service.
That’s not to say you’d never be interested in these breaches: if joecompany has employees who reuse or iterate (Summer2020 -> Fall2020) their passwords, a breach at bobcompany that includes joecompany employees could give an attacker their first valid login.
The correct things to do about this problem don't require even knowing the breach exists, let alone getting somebody to tell you the details though.
You need to do MFA for everything that matters. Passwords are crap, you may not be able to mandate that your customers start caring about that (though you should offer them better alternatives) but you can enforce it for your employees.
Require WebAuthn everywhere. Issue employees a suitable authenticator if they don't have one (iOS 14 will make newer iPhones a suitable device, high end Android phones are also suitable) and avoid mechanisms to let an employee subvert this requirement. Now you literally don't care if your employees choose crappy passwords (which they will) because it has no security impact.
That’s great if you can do it, unfortunately companies with big slow IT departments that don’t like making changes they didn’t ask for tend to see “MFA on all remote services” as a multi year project and widespread use of hardware tokens as impossible. For companies in that situation using something like the HIBP domain notifications can be helpful.
When MFA is in place you still have to keep loopholes in mind, things I’ve seen recently at various companies include a user blindly approving Duo prompts and letting an attacker on to the VPN, a Fortinet appliance that was supposed to be decommissioned a year ago that wasn’t, allowing an attacker to log in with credentials stolen previously, and legacy HTTP basic auth in Office 365, which bypasses MFA unless it’s disabled.
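The last loophole in that comment, legacy basic auth completing a sign-in without ever raising an MFA prompt, is the one that shows up in logs rather than in a configuration screen. The script below is an added example, not code from the commenter or from any vendor: it parses a constructed, newline-delimited JSON sign-in export and flags successful sign-ins that came in over a legacy protocol. The field names (`clientAppUsed`, `userPrincipalName`, `status`, `mfaDetail`) and the set of legacy client types are assumptions modelled on a typical cloud identity provider's sign-in log; adapt them to whatever your tenant actually exports.

```python
"""Flag sign-ins that completed over legacy (basic-auth) protocols.

Such sign-ins never trigger an MFA challenge, so a valid password alone is
enough; the defensive response is to disable legacy auth tenant-wide and,
until then, to watch for successful legacy sign-ins like the ones below.
"""
import json
from collections import Counter

# Constructed sample export, one JSON object per line. The field names are an
# assumption modelled on a typical cloud sign-in log; this is not real tenant data.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "status": "success", "mfaDetail": "satisfied"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "status": "success", "mfaDetail": "not required"}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP", "status": "failure", "mfaDetail": "not required"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync", "status": "success", "mfaDetail": "not required"}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "status": "success", "mfaDetail": "satisfied"}
"""

# Client types that speak basic auth and therefore bypass the MFA prompt.
# Assumed set: extend it to match the values your provider's log uses.
LEGACY_CLIENT_APPS = frozenset({
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange ActiveSync", "Other clients",
})


def parse_signin_log(text):
    """Parse a newline-delimited JSON export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy_auth(record):
    """True when the sign-in arrived over a protocol that cannot present an MFA prompt."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def successful_legacy_signins(records):
    """Successful sign-ins that completed without an MFA challenge.

    Failed attempts are left out: they are noise for this purpose, since the
    concern is a stolen password that actually worked.
    """
    return [r for r in records if is_legacy_auth(r) and r.get("status") == "success"]


def legacy_signins_per_user(records):
    """Count successful legacy sign-ins by account, to prioritise who gets cut over first."""
    return Counter(r["userPrincipalName"] for r in successful_legacy_signins(records))


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    for user, n in legacy_signins_per_user(recs).items():
        print(f"{user}: {n} successful legacy-auth sign-in(s) with no MFA challenge")
```

On the constructed sample, only bob@example.com is reported (two sign-ins, IMAP4 and Exchange ActiveSync); carol's SMTP attempt failed and is ignored, and the two modern-client sign-ins were MFA-satisfied. A non-empty report is the signal that "MFA everywhere" is not yet true for that tenant.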
Sure, one of the reasons I specified WebAuthn is that intuitive security properties tie up better. Users have seen keys before, if I give Bob this Security Key, obviously Bob can unlock the same things as I could with the Security Key. Whereas a lot of these other technologies are a bit abstract - I should fill this six digit code into this web site but not any other web site? The phone might give me a Duo prompt out of the blue but I shouldn't say yes?
Actually WebAuthn's Security Keys have behaviour that matches people's intuitive understanding of actual keys somewhat better than the actual keys do. If I examine the lock I can make a key for it! If I see one key, I can use that to make more keys that all work! These are properties of real mechanical keys that surprise users but aren't present in WebAuthn's Security Keys.
That's because the article is written for SEO and advertising purposes and not for educational purposes. Do you know how many SEO articles I have personally seen written with false information? I'm surprised they didn't throw in the obligatory quote from the company CISO.
Wow, didn't expect this post to blow up like this.
For reference, I have no 2FA, nor did I lose my corporate device. I've always accessed it through a web browser, never through a mobile, therefore when it asks me to verify with my corporate mobile device, I do not know what device it is referring to.
What options do they have now, if they abruptly stopped using that phone number for some reason 10 years ago and had no realistic way to know which 275 utilities were hitched to the number (or even if they did, couldn't contact support for reasons described in the article), for example:
- because they couldn't afford to pay the bills for a while
- or moved country
- or changed contract and then found they couldn't port the number (happened to me) and lost the old number
- or someone took their phone and they were unable in practice to recover the number or continue using it
- or they were ill in hospital for long enough their phone contract expired and they could not have dealt with transfer issues at the time
They don't remember, which is probably how they got themselves into this mess, which everyone else uses as an opportunity to share their Google hate and call for regulation.