Google 'rigs' browser security test to make Firefox fail

Analyst accuses Google of withholding key SafeBrowsing features from Firefox.

A testing lab has slammed a recent Google-sponsored test which found that Firefox was the least secure of the top three browsers, and has warned it was likely rigged in an attempt to kill off its rival.

NSS Labs' Vik Phatek speculated that Google took out "a hit" on Firefox, which Chrome last month surpassed as the second most popular browser in the world.

"Do not draw conclusions on overall browser security (or lack thereof) based upon this one report," NSS Labs warned its clients Wednesday.

Accuvant Labs, the company behind the test, put Chrome and Internet Explorer ahead of Firefox because Mozilla's browser lacked or had poorly implemented sandboxing, plug-in security, hardening and URL blacklisting.

"While some good work was performed on anti-exploitation features, the methodology and test execution was considerably flawed," wrote Phatek.

Accuvant's report excluded "important security technologies" within Firefox, which suggested "a larger strategic move by Google to eliminate the competition".

The key evidence NSS Labs cites for its claim that Google rigged the test is the performance of Google's SafeBrowsing product in the rival browsers that use it -- Firefox 7 and Safari 5.

While NSS figures showed malware protection in Chrome 15's SafeBrowsing improved from 8 per cent to 40 per cent between November 22 and December 2, Safari and Firefox remained relatively stagnant.

This was due to a “new reputation-based” protection in Chrome that was not offered to third-party browsers as part of the SafeBrowsing API, according to NSS.

The security analyst firm notes Chrome’s improvements appeared around the same time Mozilla's financially vital Firefox-search contract with Google expired. That contract accounts for over 85 per cent of Mozilla’s revenues.

"It appears Google has purposefully withheld important malware protection from its SafeBrowsing feed coinciding with its break from Firefox and release of the Google-funded report by Accuvant. This episode could indicate a more aggressive direction for Google," said NSS Labs.

Some elements of the report were, however, valuable and, according to NSS, the well-known Accuvant researchers behind it did an "excellent job" covering browser security technologies such as sandboxing and hardening techniques.

Amongst those researchers was Black Hat regular Charlie Miller, who was recently exiled from Apple's iOS developer program for exploiting a hole in its application code signing process, and who earlier this year discovered a firmware weakness in Apple laptops that could allow an attacker to overheat their batteries.
