
Doesn't Firefox provide the same protection? I am not dismissing Chrome, I am just curious if the malware/phishing protection is the same. I thought they both used the same API.



Not sure about their malware/phishing blocking. (IIRC it wasn't on by default in firefox in the last version I used.)

Firefox has many security issues Chrome doesn't have (tab isolation by process is #1, but "devotes a lot more effort/resources to security" is generally true, too -- Chrome just has vastly more resources than Firefox, and spends them on a smaller number of platforms).

Chrome = HSTS. Cert pinning. Dealing with bad SSL cert failures correctly (i.e. not letting users simply click to accept...)

Also, Chrome led the way on auto-update of browsers, which is one of the biggest improvements in the real world. Chrome also got good security wins through their own PDF handler and Flash, vs. the Adobe stuff. I think Chrome also did "click to run" by default on more other plugins (Java) earlier, although I haven't paid as much attention to that (client-side Java is basically an abomination now, generally.)


Firefox's malware/phishing system was added in 3.0,[1] which was released June 17, 2008[2].

[1] https://www.mozilla.org/en-US/firefox/phishing-protection/

[2] https://en.wikipedia.org/wiki/Firefox_release_history#Releas...


Most of those are not actually software security features, but rather policy differences between Mozilla and Google. Those that aren't policy decisions are either not security features, or are features not implemented first in Chrome (though Chrome was first using it in default installation). Chrome gets a half point regarding tab isolation.

Tab isolation by process is something between a security feature and a vulnerability mitigation feature, though I would likely call it a vulnerability mitigation feature. It doesn't do anything to prevent exploits, but it does prevent further exploits once a vulnerability has been exploited. Still, it's a nice thing to have (like insurance after the house has burned down) and is something Firefox should implement.

HSTS is nice, and now included by default in most browsers (Chrome, Firefox, Opera). Personally, using NoScript, security-aware Firefox people have had HSTS before Firefox 2 was released. That is 2 years before Chrome existed. It also exists in https-everywhere.

Regarding cert pinning, I can't say I am a fan. It's a whitelist approach to security, where Google decides who is important enough to be privileged for improved security. Chrome was aware of the scaling issue from the beginning, and has improved the situation by the cert pinning extension RFC draft. Once/if it gets finalized and more security professionals go through it, it will be interesting to see how it scales, what corner cases there are, and if the caching effect will come back and haunt people.

As for the rest... Chrome led the way of auto-update without first informing the user, while Firefox popped up a request for update. In real world security, this is an improvement because the user can't be trusted with deciding if the program shall update. Google has acknowledged that this is only a useful feature on Windows/Apple, and has this disabled on Linux, assuming because a Linux user can be trusted with the decision about updating. This is not a software difference between Firefox and Chrome, but rather a policy difference between Google and Mozilla.

And to comment on the last features, PDF and Flash. Google has not written their own Flash handler. They have however bundled it with Chrome and thus made sure it's updated. This is something Firefox simply can't do thanks to license costs, which means it's mostly a difference between Google and Mozilla as organizations rather than a software improvement of Chrome. I am not sure if the same is true regarding PDF.


Yes, Firefox uses Google's Safe Browsing blacklist of malware and phishing sites. So the "credit" probably goes as much to the safe browsing team at Google as those working on Chrome (or Firefox).



