NSS Labs Accuses Google of Funding Inaccurate Report into Firefox Security

Researchers have accused Google of gaming the methodology and timing of a recent report into browser security, funded by the company, which ranked Firefox bottom of the pile.

Security researchers at NSS Labs have claimed that the methodologies used in the investigation by Accuvant, which was funded by Google and included the company's own Chrome browser, were flawed and painted a dark and inaccurate image of Firefox's browser security.

The NSS report, entitled "The Browser Wars Just Got Ugly," accuses the company of ignoring important security features in Firefox and other browsers, including frame poisoning in Firefox, and asks some difficult questions of the investigative party and Google's part in the report.

"The JIT hardening analysis failed to give ample credit to the more proactive technologies employed by IE9, which happened to not be present in Chrome," NSS claims.

"Accuvant disabled highly relevant portions of non-Google browsers' protection without noting the impact on the overall results," the researchers add. "This error in testing resulted in an erroneously negative assessment of the browsers' protection capabilities, since some browsers will only block malware during or after download and before execution.

"By utilising malware sites garnered exclusively from free public lists, the malware sample set was highly skewed in Google's favor. Justifying not using high-quality, professional malware feeds because Microsoft and/or Google may or may not subscribe to them is highly suspect."

NSS also claimed that the timing of the report was suspicious, being released as Google refused to renew its traditional agreement with Firefox creator The Mozilla Foundation, which makes Google the default search provider in Firefox in exchange for advertising revenue that makes up more than 80 per cent of the Foundation's overall income.

Speaking to Computerworld, NSS chief technology officer Vikram Phatak explained: "This is a vendor-funded paper, and in these cases the vendor is going to drive the methodology, which appears to be the case here."

Google has not responded to a request for comment on NSS's claims.