Private Browsing
If you share a computer with others, you may prefer that sites you visit not be added to your browser's history, or that any new cookies created be deleted when your browsing session ends. Safari was the first browser to offer Private Browsing. Chrome has answered with Incognito, and Firefox plans to add some form of private browsing to its Firefox 3.1 release.
With IE 8, Microsoft will introduce In Private browsing. Both IE 8 (when it is released) and Chrome (now) display visual indicators--icons in the upper lefthand corner--to signal when you're in a private session. Safari offers no visual cues, and Firefox hasn't said what UI changes it plans to make. With private browsing, all client-side evidence of your surfing session should disappear when the session ends, though records of your visits will remain on external Web servers.
The private browsing feature appears to provide secrecy, but both Apple and Microsoft maintain a cache that includes Private Browsing sessions. Is that a contradiction? No. Apple uses a DS cache so that the Safari browser doesn't have to request DNS information continually on frequently accessed sites. IE 8 will save information about your In Private sessions for sites that may be collecting information about your visits. Both Apple and Microsoft say that you can delete these caches through configuration options, however.
Better Security
Perhaps the most vexing aspect of past versions of Internet Explorer has been the browser's poor security. Here, too, Microsoft has made significant gains on the competition, starting with its 'Trustworthy Computing' inspection of lines of code. Both IE 8 (running in Protected Mode) and Chrome will run at low integrity, meaning that they can't launch applications without the user's express permission. And both browsers are designed to use 'Data Execution Prevention' and 'Address Space Layout Representation' to protect against remotely executing malware. Neither Firefox nor Safari offers similar protection.
All of the new browsers support Extended Verification SSL, a way of further establishing trust in a site you are visiting. Only Safari doesn't change its address bar to green to signal the extra security. And all four browsers include antiphishing protection, though Safari 3.2 stops there and doesn't yet offer antimalware protection.
Cross-Site Scripting and Other Demons
Cross-site scripting (aka "XSS") attacks occur when a malicious Web site uses Javascipt to read or write data onto another Web site. Unlike the three competing browsers, IE 8 will offer built-in XSS protection. Firefox recommends that users install No Script, a third-party add-on. So far, Chrome and Safari don't offer XSS-specific protection.
"Clickjacking," a term coined by security researchers Jeremiah Grossman of WhiteHat Security and Robert Hansen of SecTheory, refers to a less common but sinister practice: Bad guys trick a user into clicking a concealed link and performing unknown actions, such as activating a peripheral device like a Webcam or deleting data from a Webmail site. Since the attack uses a common coding procedure, Microsoft says that the best way to defeat it is for developers to add a special tag--X-FRAME-OPTIONS--that IE 8 will use to filter clickjacking attempts. Firefox recommends using the No Script add-on to ward off clickjacking attempts. Chrome and Safari do not offer specific protection against clickjacking.
In light of its robust new features and the ease with which it can be deployed, IE 8 appears poised to be the most network-ready browser of the bunch. Organizations currently running Internet Explorer should definitely upgrade to IE 8 when Microsoft releases it, and those that have migrated away from Internet Explorer should evaluate the productivity and security benefits they stand to gain by returning.
Community Comments