29

Is it good policy to use non-mainstream applications, or does it depend? For example is it better to use a less popular browser, media player or operating system as it is less likely a target for hackers to exploit? On the other hand if it's more popular it may have a larger community for support and if it's open source then it has more eyes and people fixing it.

To clarify I see 3 positions one can stand on this: it's better, it's worse, it depends on the specific situation/irrelevant.

For example I once heard using Opera web browser is safe because (in Turbo mode) it proxies traffic. I thought it may be better because it's less popular.

Another consideration is the popularity of the security software itself. It would be reasonable that a virus writer/hacker would aim to defeat the most popular security checks; for example, a virus may be designed to avoid detection or knock out Avast but may not have bothered with Trend Micro.

Celeritas
    You believe Opera would be more secure because it sends ALL your traffic through a single server you have no control over? I'd consider it to be the exact opposite of safer. – Grant Aug 22 '12 at 13:36
  • @Grant the argument I heard is that Opera's server would act like a buffer and any attacks made by the website would happen to it. – Celeritas Aug 22 '12 at 18:35
  • 1
    Should I live in a less crowded area, with less criminal acts per year? (Answer: maybe) – curiousguy Aug 24 '12 at 05:05
  • I think the answer to your title is "yes". Using IE5 nowadays may actually be secure, just need to hope there aren't any IE6 exploits in the wild that affect IE5 too. Also, look at the "there are no viruses on a Mac!" argument. A less used platform, like Opera, is almost certainly safer. – Luc Aug 24 '12 at 21:05
  • @Luc but for all systems that you would use IE5 on there are exploits in the wild :-) – kinokijuf Aug 25 '12 at 13:02
  • Use open source software! – noob Aug 28 '12 at 19:42

8 Answers

43

Using obscure applications is, as my phrasing suggests, a form of security through obscurity. Such reasoning is false, and only leads to a false sense of security. Obscurity is not security.

Don't select your security-critical software based on how popular it is or isn't; select it based on the amount of analysis that has gone into the software, how quick the vendor is to patch security issues, and what provable security measures they offer.

Polynomial
    Unfortunately, it's basically infeasible for a non-security expert or people without lots of practical experience to determine these metrics (analysis, measures, patching) for a given software. Most you get is a sourceforge project page or a vendor homepage with PR gibberish. – pepe Aug 22 '12 at 09:46
  • @pepe I partially agree. For measuring patch speed, just hop into their bug tracker and look for items flagged as security. Then look how long it took to go from reported to fixed. For individual security-critical apps that are sufficiently popular, it's not infeasible to Google for some analysis (blogs, papers, etc). If all else fails and you have a specific concern, ask a question on here. – Polynomial Aug 22 '12 at 09:56
  • 4
    I agree with the "security obscurity" question but I read the question as possibly using it for "risk reduction", which I do think has some merits. – Mark Hillick Aug 22 '12 at 10:24
  • 4
    @MarkHillick I disagree that it's a risk reduction. It's a risk reduction until someone actually breaks it, at which point it's become a huge problem. It's a false sense of security. Obscurity provides no *provable* benefit, only a perceptive benefit. – Polynomial Aug 22 '12 at 10:30
  • 4
    @Polynomial I didn't say use "obscurity" did I? I don't consider Opera obscure, do you? I said "less popular" but well maintained and patched by a reputable community. Obscurity != Less Popular, I think there's a difference. – Mark Hillick Aug 22 '12 at 10:35
  • 2
    @MarkHillick My point is that the two are [independent](http://yourlogicalfallacyis.com/bandwagon). There's zero correlation between popularity and security. You have to use proper security metrics to measure security. By definition it's a difficult thing to measure, so attempting to estimate using arbitrary perceptive and subjective metrics is misplaced. – Polynomial Aug 22 '12 at 10:58
  • 1
    I don't think I said there was a correlation between popularity and security, did you read my full answer below? I said there was correlation between popularity and risk, possibly more correct to say perceived risk. There's evidence that shows the more popular software is then the more targeted it will be. The more something is targeted, the more likely that a vulnerability will be found and successfully exploited. – Mark Hillick Aug 22 '12 at 11:17
  • 3
    The same goes for risk. You can argue that something less popular is a lower risk, but that's like saying "ok, here's a gun with 256 barrels, and only one bullet, go play Russian roulette". The probability might be low, but the security implications are high. Probability also does not mean a lower incident count - an unbiased coin might still land on heads 500 times in a row - it's just *really* unlikely. I'm not discounting your answer, I'm discounting the security of relying on a probability. – Polynomial Aug 22 '12 at 11:34
  • 1
    I didn't mention probability nor impact once in my answer :) The impact is the same and is regardless of popularity, get exploited and compromised. The popularity does not reflect the security of a product but the more popular a product, it will encourage attackers to find vulnerabilities in it because the ROI is greater. I also never said to rely on the popularity of a product for your security, so I think you've misread my answer there. – Mark Hillick Aug 22 '12 at 14:31
  • 1
    @MarkHillick I wasn't attacking your answer. I like your answer. I upvoted your answer! I was just saying that your assertions in the above comments are slightly misplaced. – Polynomial Aug 22 '12 at 14:34
  • @Polynomial ha ha, sorry I wasn't being defensive...sorry I was enjoying the discussion :) Different opinions make the industry better. – Mark Hillick Aug 22 '12 at 14:36
  • 3
    "I'm discounting the security of relying on a probability" - This is a very academic view. In practice, security is risk management, and thus a probabilistic process. People don't have time to design everything perfectly. Companies base their decisions pro/contra some software on many indicators, but in the end it's a probabilistic process. I also disagree with independence from popularity. IMO there is clearly a correlation in cases where other software with mostly identical functionality exists. Alternatives become known and used (e.g., sendmail and alternative MDAs). – pepe Aug 22 '12 at 18:43
  • @pepe Which is fine, until you consider that obscurity is a constant game of chance. You might be fine on any given day, but there is always a small probability of someone reverse engineering or attacking your system. As the system ages, the probability of someone coming across it is increased. Therein lies the problem: these solutions stay in use for years. – Polynomial Aug 22 '12 at 19:12
  • Just a quick addition: I recently was chatting to a vendor who was pushing a mobile security app that involved a secret number being shown on screen. When I asked him why he wasn't worried about malware taking a screenshot, he said "well, someone would have to write code to specifically to target our app. I don't think that's very likely." My response was: "Until I go home and write a proof of concept." The conversation ended with a stunned silence. – Polynomial Aug 25 '12 at 13:58
  • @Polynomial I just want to point out that a fair coin toss that lands on heads 500 times in a row is so unlikely that I would be willing to bet my life that it won't happen. After all, even if you could flip billions of times per second, a mere 80 flips would take ages to land on heads each time. You do trust modern ciphers with a key size far lower than 500, don't you? – forest Mar 13 '18 at 03:32
14

@Polynomial makes very good points regarding "security through obscurity" and you definitely shouldn't secure yourself based on "obscurity" because it has proven not to work. However, I don't believe that the answer to your question is that simple - I think your question is more of a "risk reduction" question but could be wrong.

Quite often in the security community, we simply say "no". Choosing something because it's not "popular" or doesn't have as big a market share, however, isn't a straightforward "no" imho. From your question, imho, I don't believe that you are suggesting a "security through obscurity" policy.

I have seen examples of people employing a successful strategy using "less popular" software. It is important to note though that it's quite often a short-term solution, very much not a long-term thing.

I'm pretty sure that it's a fact that the vast majority of attackers will target the technology that is used by the majority of the people, that's generally why Windows, Internet Explorer, Adobe Acrobat were all targeted (as well as the fact that some of the code was very poor). Later Windows and IE (IE9 is significantly more secure) releases have been dramatic improvements on their predecessors from a security point of view both because they've taken such a tanking from attackers and the security community as well as losing market share (possibly more hurtful). However, despite these security improvements, Microsoft is still targeted, Patch Tuesday is still quite often "huge" and it's because of their large user-base (a big target).

For example, I know of people who moved from Windows to Mac because it had less market share and was deemed "more secure", remember the Apple campaign. As Apple have become more popular, they've been targeted much more and there is a lot more malware specifically for Mac now than when it wasn't as popular, so surely that would confirm your suggestion, that yes it was more secure when it wasn't as popular. It's not the underlying infrastructure that's made it more insecure but generally all the nice apps that Apple adds on, and it adds these on to please users, mostly new users who aren't as technical as its original user base. It's not to say they were "more" secure before Steve Jobs took over the world, but I believe it's safe to say that you were less "at risk" from being attacked using a Mac 6-8 years ago than you are today.

I know folk now moving from Mac to Linux to remove themselves from the Mac "attack surface". Whether Linux will become as popular as Mac on the desktop is another question, but there are many reasons why using Linux as a desktop is secure (too many for here, not least because the person using Linux is most likely technically savvy and aware of the risks), but "less popular/less of a target" can be one of them.

Similarly with Adobe, their software was attacked because of the huge target base that a successful exploit could compromise - there are vulnerabilities in other PDF software but they weren't attacked to the same degree (were they?). They're still being attacked because it's the predominant solution for reading/writing PDFs and vulnerabilities, despite securing their software so much more (e.g. their sandboxing technology).

I know of plenty of folk that use Opera or less popular browsers for browsing certain important sites because whilst there are vulnerabilities in that software also (as there is in all software), they're not as well known or as well targeted. You are much more likely to receive an email with a link to a web-site that contains a payload to exploit a Firefox, IE or Chrome vulnerability.

@Pepe also makes a very good point regarding ensuring the software that you are using is maintained and regularly patched (Opera certainly is). I'd also add ensure it's a reputable project, do some digging on the Internet to check out the community/person behind the software - Sourceforge is awesome but it does host some "interesting" stuff to say the least. If in doubt, ask on Security Stackexchange :)

In summary, I don't think it necessarily makes you more secure but if you have your head screwed on, are aware of the risks etc then I do believe such a philosophy can be used to successfully reduce your risk, if used correctly as part of an overall defence-in-depth strategy and you don't rely on it totally.

Mark Hillick
11

It depends. If all reasonably functional alternatives are fundamentally prone to programming errors, as is the case with browsers, it is probably a good idea to use a not-so-popular one.

In particular, if your threat model does not include sophisticated adversaries that wait, observe and develop attacks specifically for your setup, using the not-so-popular software will free you from a lot of hit-and-run/mass-scanning/worm attacks. I think this is an effective security policy for "practical" systems, i.e., any larger industry/home setup where the software and hardware configuration cannot be designed/bought/enforced from the start with security in mind.

Obviously, you should also not use barely maintained or non-maintained software. Just because it's not-so-popular doesn't mean it's secure.

FWIW, here is a simple statistical analysis of the average security bug rate of Debian packages: https://freeside.trust.cased.de/apt-sec/hits

Please note:

  • The metrics are of limited usability. Perhaps most useful and easiest to understand is the MTTF, which is the mean time between reported security incidents for a particular package.
  • The system uses the Debian repositories and advisories to infer this information, but of course a bug in the Debian's vlc package is likely also a bug in everyone else's vlc package.
  • An average bug rate X doesn't mean that incidents occur at that rate on your particular platform. It's an upper boundary, covering all possible combinations. If you're running Windows, chances are that many of Debian's vlc security advisories don't apply to your Windows vlc.
pepe
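The two metrics discussed in this thread, the MTTF from pepe's answer (mean time between reported security incidents for a package) and the report-to-fix delay Polynomial suggested reading out of a bug tracker, are easy to compute once advisory data is in hand. The following is an added example, not code from pepe's answer or from the apt-sec site; the advisory dates, package names and the `AS_OF` cut-off are constructed for illustration. It also shows how to treat a still-open advisory so that an abandoned package is penalised rather than quietly dropped, which is the "barely maintained" caveat above.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample advisories, NOT real Debian DSA data:
# (package, date the issue was reported, date a fix shipped; None = still open)
ADVISORIES = [
    ("vlc", date(2012, 1, 10), date(2012, 1, 14)),
    ("vlc", date(2012, 3, 1), date(2012, 3, 3)),
    ("vlc", date(2012, 5, 20), date(2012, 6, 1)),
    ("obscure-player", date(2011, 6, 1), date(2012, 2, 1)),
    ("obscure-player", date(2012, 6, 1), None),
]

# Constructed "today" used to age the open advisory.
AS_OF = date(2012, 9, 1)


def mean_time_between_incidents(advisories):
    """MTTF as used in the answer above: per package, the mean number of days
    between consecutive reported security incidents (None if fewer than two)."""
    reported_by_pkg = defaultdict(list)
    for pkg, reported, _fixed in advisories:
        reported_by_pkg[pkg].append(reported)
    mttf = {}
    for pkg, dates in reported_by_pkg.items():
        dates.sort()
        if len(dates) < 2:
            mttf[pkg] = None
            continue
        gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
        mttf[pkg] = mean(gaps)
    return mttf


def time_to_fix(advisories, as_of):
    """Patch responsiveness: per package, mean days from report to fix.
    An unfixed advisory is counted as open from its report date up to `as_of`,
    so a slow or abandoned package is penalised instead of being skipped."""
    stats = defaultdict(lambda: {"durations": [], "open": 0})
    for pkg, reported, fixed in advisories:
        if fixed is None:
            stats[pkg]["open"] += 1
            stats[pkg]["durations"].append((as_of - reported).days)
        else:
            stats[pkg]["durations"].append((fixed - reported).days)
    return {
        pkg: {"mean_days_to_fix": mean(s["durations"]), "open": s["open"]}
        for pkg, s in stats.items()
    }


def summarise(advisories, as_of):
    """One row per package combining both metrics. A long MTTF next to a long
    fix time is the 'barely maintained' pattern, not evidence of security:
    few reported incidents may only mean few people are looking."""
    mttf = mean_time_between_incidents(advisories)
    ttf = time_to_fix(advisories, as_of)
    return {pkg: {"mttf_days": mttf[pkg], **ttf[pkg]} for pkg in mttf}


if __name__ == "__main__":
    for pkg, row in summarise(ADVISORIES, AS_OF).items():
        print(pkg, row)
```

Read the two numbers together: in the constructed data `vlc` has an incident every 65.5 days but fixes within a week, while `obscure-player` has an incident every 366 days yet averages 168.5 days to a fix with one advisory still open. The second package has the "better" MTTF and is the one you would not want to depend on, which is exactly the upper-bound caveat in the answer: the rate says how often people found something, not how safe you are.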
2

In practical terms, there's a certain amount of security to be gained by "flying under the radar" if such a thing is an option for you.
I've seen thousands of readily-exploitable PHP applications that never get any attention and never get exploited "in the wild", while even the slightest misstep in a Wordpress or Joomla extension will quickly become widely exploited. Statistically speaking, if a mistake in your application doesn't show up on Exploit-DB or in CERT, then it likely won't be exploited by automated scanning bots. And exploits by automated bots are your biggest concern if you're a "nobody" on the Internet.

But as a long-term solution, this is a risky sort of shelter to seek.
All it takes is one opportunist who notices a mistake in your application to completely ruin your entire strategy. Popular applications become popular largely because they're well supported, well managed, and quickly updated. Less-popular software is often abandoned or infrequently updated. A mistake in such a program may never get updated at all. And changing platforms down the road will probably be a non-option. If no one knows about your app, then it's unlikely that a migration tool will exist -- you'll be stuck and in a disaster.

Also, certain classes of dangers can be generically scanned for --
This includes remote inclusion bugs, SQL injection exploits, and a few others. The attacker doesn't need to know ahead of time what software you're running or whether or not it's vulnerable. Instead, he can look for certain patterns that often accompany an exploitable component even if he doesn't know what that component is.

In this scenario, poorly-written software will bite you anywhere, even if you wrote it yourself and no one has the source code but you.

Ideally, you should stick with trusted, vetted, well-maintained software, completely regardless of popularity.

tylerl
1

No, using untested/obscure software leaves you open to bugs and security researchers.

While there will be more exploits developed for IE/Safari/Firefox/Chrome/etc, the companies behind them are under extreme pressure to patch them.

Simply by using "obscure" software it becomes less obscure to the most likely threats -- those within your organization.

November
1

If you have to ask, don't use less popular software, because it's harder to find good information about it. I know Google Chrome has very strong sandboxing, and I'm happy telling people that. When it gets broken, you hear about it. Whereas I don't know whether Opera uses sandboxing, or how highly regarded its implementation is.

OTOH, if you are reliably informed that Opera is more secure - and that the security is well-maintained - then feel free to prefer it.

One thing I think no-one has mentioned is the "bypass" factor. Your more obscure software is likely to lack some useful feature. (E.g. working well with a certain website). If users are forced to switch software sometimes, perhaps without the same chance to use a prepared safe solution, then they could be losing the protection... maybe even getting the worst of both worlds.

sourcejedi
-2

There is no link between popular and non-popular software in terms of security in general. All browsers can be exploited one way or another, which is happening a lot. It's not even safe to use wget or a similar tool with known and future vulnerabilities on some websites without caging it.

Everything that connects to the internet and parses HTML is potentially exposed to various attacks, especially if client-side code is run.

Because of this, the browser is best run caged / switched to another user without the ability to capture the screen or drop files into the current user account running e.g. email.

You would not run email and web on the same server account, so why would you run it this way on the desktop PC if it supports caging too, like Chrome does? So maybe you can try MSIE 9 too (very secure), Chrome, but Firefox? As the most popular browser, it doesn't seem to be secure AT THE MOMENT, and the historical track record of bugs is irrelevant, as what matters is the current version. But what the security of Firefox is I am not sure; it's a new feature (plugin isolation), and you would need more support from the OS to actually isolate it.

In Linux, you can run it through "sudo" or via SELinux/AppArmor; in Windows you do this:

C:\>runas  /profile /env /user:win\test "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Enter the password for win\test:

And make sure that the test user does not have the password "test" or "password" and is not in the administrators group.

With this, you can visit very dangerous websites, and in any case you just wipe the account. You don't set up its write permissions to any files. Mail and web can be kept on the server-mapped drive for additional inspection and control.

Hardening the desktop is easier than a server. It is because desktops statistically run Windows most of the time, which can be secured from a simple GUI, and the bat files with runas are very easy to make, also via GUI.

Andrew Smith
    Care to substantiate that last claim? – pepe Aug 22 '12 at 09:20
  • 8
    Can you cite some CVE's for wget getting exploited? – Bruce Ediger Aug 22 '12 at 13:52
  • 1
    "_And that the test user is not having password "test" or "password"_" How is the password of the test user relevant? – curiousguy Aug 23 '12 at 04:33
  • 2
    I'm confused as to how anything after the first paragraph is relevant to the question. – Polynomial Aug 23 '12 at 10:19
  • Guys, care to read and understand carefully the context? Also I gave the following statements: 1. no application without extra security is safe today because standard security is bypassed with standard exploits over some time 2. test and passwords are practical examples of _easy_ passwords. I have a 6 year old son who is surprised by your answers as he can use a PC and understands these issues better, as well as this post, and he requires less explanation to get it, hence I don't feel obligated to give more answers. How is it relevant? It's a usage scenario of running secure apps. Too much of PC!!!! – Andrew Smith Aug 23 '12 at 23:17
  • ps. in opposition to using _different_ software, it gives example how to run it _differently_ in _different_ context. Think _different_ ha ha ha. – Andrew Smith Aug 23 '12 at 23:20
  • I would not at all recommend browsing "very dangerous websites" under any account on a system that has value to you, regardless of whether the account is Administrator or not. If your software is vulnerable to remote code execution, it's just one more step to privilege escalation before the box is pwned regardless of the account you start with. [Law #1](http://technet.microsoft.com/en-us/library/cc722487.aspx#EKAA) of security: "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore". In this case, substitute "run his program" for "view his website". – Iszi Aug 31 '12 at 15:56
-2

It's a good question but I do not have a specific and clear answer that you can use for all situations. Of course, it depends on the situations and the software and application that you want to use.

For your example, a browser, I think it's better to use a popular but open source browser that can give you a lot of security extensions. Using that as a guide we have several web browsers to choose from. With these security extensions, and their popularity, we can be almost sure about the code, but you should know that it is not only hackers that threaten security but sometimes the developers themselves. So take a fast look at the company privacy policy and use that to help guide your choice. This method can be used for other applications as well.

Scott Pack
anony
    Do you have any research or other sources to indicate that popularity *is* a good measure of trustworthiness of software? After all, phpMyAdmin is very popular and has a terrible track record. – Scott Pack Aug 22 '12 at 11:36
  • 6
    @ScottPack s/MyAdmin// ;) – Polynomial Aug 22 '12 at 12:55
  • @vignesh: That's this question.... – Scott Pack Aug 23 '12 at 11:54
  • @ScottPack : The thing I mean is, the popularity factor should be considered with other factors. They can supply security together, and I think security is not the thing that can be supplied by one factor only. Anyway it's my opinion and I don't have any official research on this field. I hope you understand what I mean. – anony Aug 23 '12 at 14:15