Keeping Internet browsers up to date may provide better security than installing some commonly used malware protection software, which might actually increase vulnerability, according to new research.
A team from Concordia University in Montreal examined 14 frequently used programs designed to protect data and block viruses and questionable content. To their surprise, the researchers found that in many cases, the computers were better protected when relying solely on the in-built security of up-to-date browsers than when relying on the additional security products. Moreover, the programs were in many cases found to actually decrease security.
"Out of the products we analysed, we found that all of them lower the level of security normally provided by current browsers, and often bring serious security vulnerabilities," said Xavier de Carné de Carnavalet, a PhD student at the Concordia Institute for Information Systems Engineering, who performed the analysis together with his academic supervisor Mohammad Mannan.
"While a couple of fishy ad-related products were known to behave badly in the same set-up, it's stunning to observe that products intended to bring security and safety to users can fail as badly."
According to the researchers, the security software overrides the built-in security of the browsers, even though that built-in security seems to provide better protection. Browsers always check the certificate delivered by a website and verify that it was issued by a proper entity, the Certification Authority. Digital certificates are used to create secure connections to servers via the Internet by verifying the identity of the user.
The security programs inspect web pages before they reach the browser and therefore circumvent the certificate checking process. Essentially, these programs make the computer think that they are themselves a fully entitled Certification Authority, the researchers claim. The browser subsequently trusts the program instead of performing its own checks.
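A defender can spot this behaviour because every intercepted site then chains to the same locally installed root instead of a public one. The sketch below is an added example, not code from the study: the fingerprints, hostnames, the product name "ExampleShield" and the `min_hosts` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the study). Fingerprints are shortened
# placeholders and "ExampleShield" is a hypothetical product name.
BASELINE_ROOTS = {"aa11", "bb22"}  # roots shipped with the OS or browser

OBSERVED = [
    # (hostname, issuer name shown by the browser, fingerprint of the chain's root)
    ("bank.example", "Public CA One", "aa11"),
    ("mail.example", "ExampleShield Web Filter CA", "FF99"),
    ("shop.example", "ExampleShield Web Filter CA", "ff99"),
    ("news.example", "ExampleShield Web Filter CA", "ff99"),
    ("intranet.corp.example", "Corp Internal CA", "cc33"),
]


def find_interception_roots(observed, baseline, min_hosts=3):
    """Return the non-baseline roots that vouch for many unrelated hosts.

    A private CA normally signs for a handful of internal names, while an
    intercepting product re-signs every site the user visits. A root that is
    absent from the baseline and terminates the chains of at least
    `min_hosts` distinct hosts is therefore reported.
    """
    by_root = defaultdict(lambda: {"issuers": set(), "hosts": set()})
    for host, issuer, root_fp in observed:
        fp = root_fp.strip().lower()  # fingerprints are case-insensitive hex
        if fp in baseline:
            continue  # chain ends at a root the browser vendor ships
        by_root[fp]["issuers"].add(issuer)
        by_root[fp]["hosts"].add(host.lower())
    return {
        fp: {"issuers": sorted(v["issuers"]), "hosts": sorted(v["hosts"])}
        for fp, v in by_root.items()
        if len(v["hosts"]) >= min_hosts
    }


if __name__ == "__main__":
    for fp, info in find_interception_roots(OBSERVED, BASELINE_ROOTS).items():
        print(f"root {fp} ({', '.join(info['issuers'])}) "
              f"signs for {len(info['hosts'])} hosts: {info['hosts']}")
```

In practice the observations would come from the certificate viewer or a TLS log on the machine being audited, and the baseline from the browser or operating system vendor's published root list.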
"We reported our findings to the respective vendors so they can fix their products," said Mannan. "Not all of them have responded yet, but we hope to bring their attention to these issues."
The researchers said that the best users can do is to make sure their browsers and operating systems are constantly updated with the latest security patches.