Off-Topic :  K-Meleon Web Browser Forum
Reliability of BrowserAudit tests on old or forgotten browsers
Posted by: JohnHell
Date: April 13, 2020 03:15PM

Now that J.G. has posted his own results with the latest Goanna-based build (to date of posting), and as the other day I was searching for some tests (my old bookmarked test sites have disappeared) because I was wondering how it would behave (certainly, as browsers became an attack vector, you wonder how afraid you should be nowadays when browsing), and this one looked... safer, I would say... than those I found (and didn't even try), I have given it a try now.

Reliability of BrowserAudit tests... a joke, a bad joke, a very bad joke. I mean, you laugh if you follow the rules, and that means you support what it expects, but if you don't, you cry instead.

With all my settings and security restrictions (and this means quite a few, mostly related to scripts and subdocuments, about third-party loading and execution), K-Meleon 75.0 gives... in my main profile... (when it should say passed, as it couldn't accomplish them):

Passed: 62 | Warning: 209 | Critical: 81 | Skipped: 52

K-Meleon 75.0, out of the box

Passed: 347 | Warning: 24 | Critical: 6 | Skipped: 27

K-Meleon 75.0, MY MAIN PROFILE, allowing more resource loading than by default

Passed: 368 | Warning: 16 | Critical: 0 | Skipped: 20

SeaMonkey 2.49.5, mostly default settings and quite newer than K-Meleon 75.0 (Gecko 52 vs Gecko 31)

Passed: 367 | Warning: 9 | Critical: 0 | Skipped: 28

Opera 12.02

Passed: 256 | Warning: 113 | Critical: 3 | Skipped: 32

Firefox: I don't have a Firefox installation right now.


Long story short, the test relies on default settings and default permissions, and even on settings extended beyond the defaults, and if you don't match them, you fail.

Also, it expects a powerful computer and a very reliable connection. If you have a low-end/old PC or a slow connection, most of the tests will be skipped. Also, they expect Just-In-Time execution to load scripts quicker, so they skip if you don't have it.


But it's worth noting that Gecko 31 is obviously way behind the new security standards, yet it is still a safe, way too safe, browser. Even so, it follows the old security and rendering standards (HTML/CSS compliant).


What I still miss from that test is actual attack testing. OK, they test attack vectors, mostly security policies (CORS) and cross-site scripting (XSS), but that is not enough to find out vulnerabilities. It just tells whether some security measures can be bypassed, but not whether there still exist known reliable attacks. I mean, whether there are scripts that could actually leak data by bypassing them, because a browser may fail in the security policies but may not fail in the scripting success.



Edited 2 time(s). Last edit at 04/13/2020 03:17PM by JohnHell.
