Super User
Most secure browser
[+28] [11] Russell Dias
[2010-11-11 12:51:10]
[ security browser ]
[ http://superuser.com/questions/209708] [DELETED]

I apologize for the sensationalist title. I do not wish to begin a flame war here, but rather, I require some answers based on fact.

I had a rather quick conversation with the father of a friend of mine, who happened to be some sort of security analyst.

He claimed that IE was currently the most secure browser on the market because it supports:

Scouring through the web on the above issues and their browser support didn't prove very fruitful, and I'm curious to know if this is an accurate depiction of the current browser state?

The AES counter mode is essentially used for encryption (which I'm sure is supported by all modern browsers) but only uses the Galois Message Authentication Code (GMAC) for authentication purposes. I was curious to know how this was browser dependent? As I can't seem to find much information regarding GMAC and browser dependencies at all.

(4) Ack... time to run for the hills! - Andrew Barber
(3) I actually like this question - the title may sound subjective, but you are really trying to approach this from an objective PoV - and I agree with that. However, it's really not programming related. - AviD
Hmm, that's true. Would it be better suited as a community wiki? Or just not suited for SO at all? - Russell Dias
@Russell, it's really not SO. - AviD
(3) However, I would point out that while your friend's father is technically correct - and these points ARE important - "most secure browser" actually relies a lot more than simple (sic) cryptography implementations, rather a usage model analysis is necessary. E.g. common uses, plugins, failure modes, probable / possible site bugs, malicious sites, etc etc. - AviD
@alex, or to the security site on SE [area51.stackexchange.com/proposals/8431/… which should be opening any day now :) - AviD
My reason for voting to close this as "subjective" is actually contained in the question itself; the last bullet point. Such a bullet point could be added to the list of reasons any product is "more secure" than its competition. - Andrew Barber
@Andrew Well yes that is a subjective aspect. But, I'm sure there are plenty of SO questions which are objective in nature and yet have elements of them that are largely subjective. But, I do agree that this is not entirely programming related. - Russell Dias
@Russel: That's true; the 'off topic' votes are probably more accurate, and what is 'subjective' (or what is problematically subjective) is itself, really, subjective. :P It's definitely an interesting topic to consider though, I think! I hope it finds a SE home. - Andrew Barber
(2) With the constant updates to all the browsers, it's also a question whose answers will almost quickly be out of date and inaccurate. - BBlake
[+32] [2010-11-11 13:36:50] Fabian

I would argue that the most important metric for browser security is the number of exploitable bugs (and their severity) and the time they stay unpatched. You can find some statistics about that e.g. on the Secunia website (Statistics for IE8 [1]).

The encryption algorithms are usually not the weak point, the implementation of the functionality with the inevitable bugs is it. A list of security features means nothing, if there are exploitable bugs in the application.

Another important point is the market share of your browser. The most common browsers and operating systems are more likely to be attacked. Using an uncommon browser does protect somewhat from untargeted attacks.

It is also essential to keep your browser up to date, any older browser is vulnerable. That gives an advantage to browsers that update silently like Chrome.

[1] http://secunia.com/advisories/product/21625/

(6) 100% agree. Unbreakable encryption doesn't matter if you have an exploitable buffer overflow in your JavaScript engine. - Michael E
(1) Required cliche: "Only as strong as its weakest link" - Nick T
(1) “A list of security features means nothing, if there are exploitable bugs in the application” That's not totally correct, though, as some features may provide defense in depth. An example of this are activating DEP and ASLR or running with low integrity (on Vista/7) that may mitigate attacks that would otherwise allow access to the system. And yes, such countermeasures are orthogonal to exploitable bugs in some cases. - Joey
Security by obscurity, is not true security. - Anonymous Type
The features your friend mentions are just for HTTPS/SSL (secure connections). They mean nothing for the regular HTTP traffic that most sites use. They are related to security in the sense that they are used to encrypt the data sent over the Internet so it wouldn't be intercepted, but that doesn't prevent you from being infected by a virus if the web site is attacked and modified to exploit IE vulnerabilities (although the malicious code would travel securely inside the TLS/AES/etc. connection :-) ). - Alberto Martinez
@Joey Those techniques weren't in the list, and most of them can be used by any browser. You're of course right that they can prevent exploitation of vulnerabilities. They are a useful second line of defense, and in the end we end up with fewer exploitable vulnerabilities due to them. - Fabian
Ah, sorry; didn't notice you were referring directly to a list within the question there. - Joey
[+14] [2010-11-11 13:44:09] Joe Taylor

Judging by this Article: http://arstechnica.com/security/news/2009/03/chrome-is-the-only-browser-left-standing-in-pwn2own-contest.ars
It's Google Chrome that stands above the rest at the moment.

Browser vendors often make strong claims about their responsiveness to vulnerability reports and their ability to preemptively prevent exploits. Security is becoming one of the most significant fronts in the new round of browser wars, but it's also arguably one of the hardest aspects of software to measure or quantify.

A recent contest at CanSecWest, an event that brings together some of the most skilled experts in the security community, has demonstrated that the three most popular browsers are susceptible to security bugs despite the vigilance and engineering prowess of their creators. Firefox, Safari, and Internet Explorer were all exploited during the Pwn2Own competition that took place at the conference. Google's Chrome browser, however, was the only one left standing—a victory that security researchers attribute to its innovative sandbox feature.

However I personally prefer this statement:

Browser security tips
Instead of accusing one browser of being weaker than another, real-world testing has revealed that users should pick a browser that has the security features and functionality they desire, and implement the following suggestions.

• Don't log on as admin or root when running an internet browser (or use UAC on Windows Vista, SU on Linux, etc.).

• Make sure the browser, OS and all add-ons and plug-ins are fully patched.

• Don't be tricked into running malicious code.

• If unexpectedly prompted to install third-party software while browsing a site, open another tab and download the requested software directly from the software vendor's website.

• Be careful about which add-ons and plug-ins you use. Many aren't secure, many are very insecure, and some are actually malware in disguise.

Source: http://www.pcadvisor.co.uk/news/index.cfm?newsid=110482&pn=5 [1]

[1] http://www.pcadvisor.co.uk/news/index.cfm?newsid=110482&pn=5

I do like the bug bounties to pro-actively pursue bugs in chrome and google apps - aking1012
Apple also pays people to try and find bugs; it makes sense to do so. There's no incentive for hackers to hand over exploits to the big companies when there are other, less reputable, people who would pay them for exploits. If the big companies want to be seen to be taking security seriously, it's time to dig deeper into the pockets. - Joe Taylor
[+11] [2010-11-11 13:50:49] harrymc

A good answer to this question is given by Which browser is the most secure, is that the question? [1]

Better (and more useful) advice than “Which browser is most secure?” would be “How can I best secure my browser of choice?”

Browsers are more or less secure depending on what you are measuring:

  1. The father of your friend values encryption algorithms.
    Unfortunately, that is not much of a protection against exploits.
  2. The GIAC Advisory Board values the number of live threats intercepted by the browser's reputation system: IE8 85%, Safari 29%, Firefox 3.5 29%, Chrome 4 17%, Opera 10 less than 1%.
  3. CanSecWest [2] values how long a browser can resist the same hacker. The order from best to worst is: Chrome, Firefox, IE8, Safari.
  4. PCWorld [3] votes for Chrome, quoting the opinion of expert Dai Zovi, because of its sandbox.
  5. Symantec [4] votes for Opera, because of its shortest window of exposure before exploits were fixed.

As I agree that the real question is what effort one is willing to invest in order to secure the browser, I personally vote for Firefox, because of the number of available security-oriented add-ons that make this task much easier.

[1] http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/
[2] http://cansecwest.com/
[3] http://countermeasures.trendmicro.eu/which-browser-is-the-most-secure-is-that-the-question/
[4] http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf

[+3] [2010-11-11 19:05:09] vdboor

Rather than mentioning the list of security features, consider reversing the question. How many possibilities are there to allow hackers to get in?

  • If parsing the URL fails, could the Internet zone be mistaken for Local zone? (yes)
  • If ActiveX security fails (which it did in the past), can you start a random system control? (yes)
  • If the HTML parser fails (which it did in the past), what memory area can you exploit?
  • If the file type detection fails (which it did in the past), what happens when you put a <script> tag in a GIF comment? (whoops)
  • If the CSS expression(..) allows evaluation of JavaScript in markup, what happens with [font color=...] code in UBBC forum markup? ;-)

Most normal power users see the limitations like "download protector" and "XSS filter". The bigger, and the more security features something has, the better it seems. A complex security system seems like a good idea.

Hackers reverse the question. They don't look at limitations, they look at possibilities.

  • With a complex and large security system, could it be that someone made a mistake in there?
  • If the XSS filter alters the page, can I abuse that?
  • If there are many "power user" features there, can they be leveraged into exploits?
  • If there is password protection, can I confuse it with weird input?

In this respect, MSIE scores pretty low on security.


For example, Chrome/Firefox never allow accessing local content through "security zones". They never ever give access to system components (ActiveX). They reject web content when a MIME type is missing (no auto detection!). Furthermore, no power features like expression(..) in CSS or overly smart recovery that by accident bypasses security.


I disagree that Chrome/Firefox disallow access to system components (as ActiveX does). They, in fact, do via the plug-in system. There is nothing preventing the plugin author from doing whatever they please. In fact, an ActiveX control on IE has less rights than a plugin on chrome, because IE runs in a lowered security context itself. - AngryHacker
@AngryHacker a plugin still needs to be installed first (e.g. tricking the user into installing it). ActiveX is there by default. - vdboor
IE pops up an ungodly amount of "Are you sure?" message boxes when an ActiveX control wants to install. I think at that point, the user has pretty well been informed of the danger. - AngryHacker
[+2] [2010-11-12 00:23:05] Nick Gorbikoff

Here is a very objective opinion based on personal experience: I'm a system admin for a mid-size company, and before that I worked for a 90,000-employee multinational - also doing system administration, plus some jobs on the side, and all the friends and relatives that I have to support.

It's not the browser, it's the USER. It doesn't matter whether you use Chrome, Opera, Firefox, IE, Safari, etc. If the user doesn't follow basic secure browsing procedures - it doesn't matter which browser they use. If they are stupid / inexperienced enough to go on a phishing site and download spyware / trojan / virus - the browser won't matter! Also, while IE9 or IE8 may introduce and provide all of these features, most users tend to ignore & disable them. Also IE requires running ActiveX and other crap - that by definition IS ONE BIG SECURITY HOLE.

Having said all of the above, here are the criteria that affect browser's security assuming we are dealing with an educated user, who won't mess things up:

1) Active development - namely new threat/exploit to update-time ratio
2) Obscurity - the more obscure the browser, the less likely it is to be targeted by hackers who are looking for exploits. The number of threats is much larger for IE than, let's say, Opera (their market shares are also incomparable)
3) OS Platform - since most malicious activity / research is directed towards Windows, Konqueror is a lot more secure than IE, simply because of the nature of the beast.
4) Availability of third-party plugins such as ad blockers.
5) Integration with antivirus software - for instance AVG toolbar.
6) Availability and support of modern encryption mechanisms


Based on that criteria, here is my personal preference from best to worst
1) Firefox
2) Chrome
3) Opera
4) Safari
5) IE

I'm assuming we were talking about the Windows OS - since it's not that big of an issue for other OSes, but for Mac OS X:

1) Firefox
2) Camino
3) Chrome
4) Opera
5) Safari


Linux:
Firefox


[+2] [2010-11-11 18:24:21] DaveD1948

I agree with the comment identifying the use of the term "secure" here.

The most secure Web browser? What does that mean?

Was the argument about personal security on the Internet - or say, communication security between a browser and a given Web site?

Surely, things like TLS 1.2 and Elliptic Curve Cryptology, etc. all go into making a secure communication session. Since other browsers may not take advantage of these technologies [yet], and since all uber-technical-types want to measure the length of their member using their own ruler, then given the metrics chosen by those in the security field, IE might win the #1 Cryptology Awards. And that's fine for them.

Ratcheting up your specs with the latest versions of high-profile encryption puts the focus of security solely on the communication channel - and not the whole experience. It's like wearing a bright spiffy ribbons-and-gold adorned uniform with lots of stars on your collar. It has little to do with your character. It has a lot to do with how you want others to see you. And that's self-promotion which counts for nothing.

But surely, if you want to know which browser has the highest chance of getting you nipped by some malware infected Web site on the Windows platform, IE wins hands down.

Lack of openness, sloppy, business-motivated design, just the pure bulk of it along with Microsoft's on-again off-again attention to it, and their insistence on jamming it full of wildly dangerous and powerful OS-level language hooks, leaving that on top of the world's most poorly written OS in the first place, pretty much screws them into last position every single time. But get a bunch of security professionals in an auditorium, and get a bunch of marketing types to tell them about all you're doing with the latest elements of security and bah-dah-boom, you've got hundreds or thousands of converts all talking the same talk and promoting your product over those whose credentials and performance are better. They got religion. Good for them.

The real truth is - the most secure Web browser is not about communication channels any more than banning printer cartridges on airplanes will make our homeland more secure. In fact, that's the whole problem right there. We get hit in the head by a baseball and ban baseballs. Baseballs aren't the problem. It's about building systems that let the least amount of malice through, and IE ain't it.

The DoD and Homeland Security need iron-clad communication channels and safe browsing environments - at both ends. But they're not using a Web browser to shop shoes or scan their favorite blogs which may be laden with [software] bombs and malice.

If on the other hand, you want the worlds most secure browsing experience on Windows, use Google Chrome with a few simple, openly available extensions (adblock, flashblock, etc.) and enjoy yourself.

And if you read the industry reports and comparisons to come to your own conclusions, make sure you depreciate those by authors who stand to benefit by your choice.


+1 I like the analogy in the middle. Drives the message right home. Building preventative measures is definitely the right way forward. - Russell Dias
[+1] [2010-11-12 07:36:51] Digital Dude

To me there is no most secure web browser; if a hacker wants to hack it, it will surely be cracked. There can only be tighter security to make things difficult for hackers, but this will result in less access, where developers will have a lot of limitations developing plugins/extensions. Take for example,

It's either you want to make the end user happier or tighten up security to the inconvenience of the end user.

IE is mainly the target because of its large user base, and hackers always default to Microsoft for some reason...


[+1] [2010-11-11 13:46:09] aking1012

"most secure" cannot be boiled down to crypto-systems unless there is a checkbox for disable http / require https for all sites / verify full certificate chains, fail closed. If this option were available and it was still usable he might be right by virtue of the fact that you would only go to "signed" sites and any issues should be trackable.

The problem isn't really IE as much any more as it is plug-ins and DEP/ASLR opt-outs. On that note, did you know that FF opts out of the AppArmor policy by default on Ubuntu boxes? So that problem is not uniquely IE or Windows. As to most secure, I think it depends a lot more on configuration than browser platform. I would look to more standards-compliant browsers than IE though. There is a tendency for there to be an IE way to do it and an everyone-else way that works on WebKit-based etc.

I prefer FF just for the consistency across platforms and the plugins I use (Firebug, Torbutton, NoScript, AdBlock, Greasemonkey, etc.), but don't have a problem with Opera or Safari. They are all rendering web pages more consistently and are supporting the developing HTML5 spec pretty well early on. The functionalities in the HTML5 spec may let us get away from Flash (imho evil - note: ActionScript can let you bypass some memory protections too, even if they are present).


[+1] [2010-11-11 16:46:42] SEJeff

Real hackers tend to disagree with your friend's conclusion:

http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010

The most secure browser is Google Chrome. Ask him about how Internet Explorer's sandboxing and process isolation works in comparison to Chrome's. Hint: Internet Explorer's process isolation isn't really process isolation as it just launches a few more iexplore processes instead of one per tab. There is a huge list, but basically your friend is a) trolling or b) not technically able to answer the question properly.


[+1] [2010-11-11 18:06:15] Graeme Perrow

Listing security features like ECC and TLS 1.2 is meaningless considering the number of web sites out there that use them (which is very close to zero). This is telling us about these links in the chain which are made of the strongest steel available, and not mentioning those links over there made of tinfoil.


[+1] [2010-11-11 18:13:34] Ken

That's an impressive alphabet soup of encryption protocols. If you're sending sensitive data over HTTPS, those are great to have.

But at the end of the day, there are still remote exploits for IE, from time to time.

I would say the most "secure" browser is the one that doesn't compromise your computer's security on non-SSL pages. When I'm typing a credit card number into a web form (even over SSL), I know I'm taking a risk, however minor. When I'm just clicking around, I tend to assume that's 'safe', and I think most other people do, too.

And for that, my money is on Grail [1], which, AFAICT, has never had a single remote exploit in its entire 15-year history.

Granted, a lot of that is due to being unpopular and not supporting much in the way of modern web standards. But those were never conditions of the title: just "most secure browser".

[1] http://grail.sourceforge.net/

(2) "Grail supports full HTML 2.0, including images, forms and imagemaps, and many HTML 3.2 features", and obviously no CSS - which makes it pretty unusable these days. - paradroid
But the claim was "most secure browser", not "most secure browser with support for particular features". Personally, I would call IE "pretty unusable", both due to its UI and due to its lack of support for modern web standards, but that's independent of the security claim. - Ken