Best browsers for safe surfing

Spikes AirGap, Invincea FreeSpace shine in test of eight specialized browsers

Web browser

The Web browser has been a major infection vector for years, allowing malware to be transported to millions of computers. But what if there were more secure alternatives to IE, Chrome and Firefox? We tested eight of these better browsers. We looked at Spikes AirGap, Spoon’s Browser Studio and Invincea’s FreeSpace, which take the sandbox approach. And we looked at Comodo’s Dragon, Bitdefender’s Safepay, SRWare Iron and open source Dooble, which offer a locked-down alternative to your current browser. Authentic8 Silo, our eighth product in this review, uses elements of both approaches. (See the story version.)

Silo

Silo is an interesting combo of sandbox and customized protected browser technologies. To browse, you enter a four-digit PIN on a virtual keyboard screen designed to thwart keyloggers. You’re then taken to a stripped-down screen that has just a navigation bar and a small menu of commands. You can’t import bookmarks and Google is the default search engine. Silo’s admin console has the ability to set policy options, including being able to block downloads, enable them for trusted devices, or allow them completely. Silo detected our various malware sites and phished emails. It is the only browser we tested that has the ability to use two-factor authentication.

Comodo Dragon

Comodo Dragon is moderately secure and has some privacy features as well. When you install it, it installs a version of Adobe Flash. There is also an option to make use of Comodo’s own secure DNS services. You can import bookmarks, history, passwords and search engine preferences from existing browsers. Comodo shares the same settings sheet as most Chrome-based browsers; Yahoo is installed by default. Dragon didn’t stop executable files or PDFs from being downloaded, but it comes with helpful tools. There’s Webinspector to help determine if a URL is suspicious or from a phishing site. And there’s PrivDog, which has controls for blocking third-party cookies, web tracking code, untrusted ads, etc.

AirGap

Of all the products we tested, AirGap is the most distinctive and the most capable in terms of security. AirGap runs a virtualized session on another machine across the Internet. The VM renders the content and converts it to pixels that are compressed and streamed to your desktop. Malware is rendered useless since nothing executes on your own machine. Every user session has its own virtualized session, and even every browser tab has its own session and is isolated from the other tabs. That has a lot of appeal. AirGap was the only product that, by default, refused to execute anything on our local desktop. The biggest downside for AirGap is the slight delay you experience when using the protected browsing session.

FreeSpace

FreeSpace allows you to use any browser, including IE (v7-11), Chrome (v27-33) or Firefox (v10-27) on any Windows XP or 7 PC. It constructs a protected environment on your desktop for the browser to run in, and that environment is centrally managed for security policies. One policy is to always block or not block executables and other downloads, or leave the choice up to the individual user. Since it uses your regular browsers, all of your profiles, bookmarks, and history persist from one browsing session to another. This is useful if you have a motley browser assortment across your enterprise and your users don’t want to move to yet another browser.

Dooble

Dooble is a custom browser that has some moderate security settings and is available as an open source project for Mac, Linux and Windows PCs. It has a good collection of menus, options and controls. By default it disables JavaScript, which is a nice touch, but finding the setting to turn it back on will be your initial challenge. It also didn’t stop executables or PDFs from downloading to our test systems, and while it did catch some malware sites, it wasn’t as thorough as some of the other browsers. Overall, this browser is still a work in progress.

SRWare Iron

The SRWare Iron browser is a free custom version designed to provide more anonymity than the standard Chrome v32 browser, which it uses for its code base. Its developers have tried to add in a number of privacy-oriented features rather than focus on securing the browsing session. For example, Iron doesn’t support DNS prefetching. It also comes with DuckDuckGo for its default search provider, so your searches aren’t saved somewhere in the Googleplex. However, Iron had some serious security flaws: it was able to download EXE and PDF files from the Internet without any warning, and couldn’t stop the sample phished email we used. It also passed some malware through, but appeared not to actually execute any of the malicious JavaScript.

Safepay

Security vendor Bitdefender has a protected browser called Safepay designed for financial transactions. When you bring up the software, it scans your system for malware. Once you pass muster, it brings up a protected session that exists in isolation from the rest of your desktop. It is a bare-bones browser: no separate search window, and few menu options. However, you can download executable files and PDFs to your local hard disk, essentially getting around the protection. The malware scan didn’t see our test EICAR.EXE file, which we downloaded. It did block our phished emails and the malware sites that we visited. A nice feature is the optional virtual keyboard that can be used to thwart keyloggers.

Spoon’s Browser Studio

With Spoon’s Browser Studio, you assemble the browser from various components: a code base from Chrome, Firefox, or IE; plug-ins such as Java, Flash or Acrobat; and other helper apps. When you’re done, you publish that version to your cloud account. Then you download a small installer program, which will then deliver the customized bits to your desktop. Once you go through the process, you don’t have to install (or can eliminate) Java or Flash on your desktop. The downside is that getting this mix of components might take some trial and error. Another drawback is that the initial load of the browser will take several minutes. It didn’t let any malware execute on our desktop machines.