Questions about which operating system is more secure or fastest makes no sense

Published on 2022-03-18.

Reddit, misc. forums and mailing lists are filled with questions and debates about whether operating system A is more secure than operating system B, or whether operating system A is faster than operating system B. Such questions and debates are not only completely useless, but they are also somewhat childish.

Both operating system security and operating system performance are dependent upon so many different factors that you very rarely can compare one operating system to another in any general manner.

If I have made my very own tiny operating system that nobody in the world knows anything about and hence there doesn't exists a single exploit anywhere on the planet that targets a security vulnerability in my operating system, then in that very moment in time, my tiny operating system is one of the most secure operating system's in the world. Until someone actually discovers a security vulnerability that can be exploited, and until someone sits down and writes an exploit, no one can penetrate my operating system.

The more popular an operating system is, the more people will be motivated to finding security bugs. Sometimes a security bug can go exploited for years without anyone knowing. Once an exploitable bug is found, automated attacks becomes more easy to make, and systems ends up being attacked randomly.

How security is handled and developed across the different exiting operating systems are very diverse. Few programmers (even kernel developers) understands security. It's because security is difficult and it's very easy to make mistakes.

Linux Torvalds is famous for not caring much about security and very few implementations in the Linux kernel is developed with security in mind. That is why, in the world of the Linux kernel and Linux distributions, security is mostly something you have to "add on" or patch, which is the wrong approach to security. Security is not something you add-on, it has to be included at all stages of development and implementation, right from the beginning.

In the past, the Linux kernel project could get away with a careless attitude because almost every exploit was written against Microsoft Windows and Microsoft applications, but since the Linux kernel has become as popular as it is, that has changed.

Another extremely important issue relating to security is whether or not a project believes in being "secure by default". Being secure by default doesn't just mean that no services are enabled by default, rather it means that not only are the default configuration settings the most secure settings possible, but it also means that the entire programming culture and procedure regarding producing software is deeply rooted in the attitude of making secure software. Secure software is not only software that doesn't do anything more than it is supposed to do, it is also software that undergoes rigorous and continues security audits, it is software that are developed with security in mind from the start, and it is software that is developed following specific principles in order to avoid common errors and security pitfalls. This means that the KISS principle is at the center of secure software development.

As an example of an operating system that is being developed with security as one of the primary goals is OpenBSD. OpenBSD stands apart from all the other popular operating systems in the world, including FreeBSD, DragonFly BSD, NetBSD and all the various Linux distributions.

Please note that Linux is not an operating system, it's just a kernel. A Linux distribution is a collection of software bundled together into a operating system. A Linux distribution consists of the Linux kernel, the GNU tool chain, typically a package manager (used to install third party software), and some other components (depending on usage). Each Linux distribution is a separate project. Some distributions are developed by companies, such as Clear Linux being developed by Intel. Other distributions are developed by volunteers, such as the Arch Linux distribution, or the Debian distribution. Some projects consist of thousands of contributors while others can be a single man project. Contrary to the many Linux distributions, the various BSD projects are complete operating systems (not components of different projects put together), each developed by a single organization.

Asking what operating system is the most secure, is the wrong question. It depends on your use case. What you need to ask instead is a specific question, like: For my specific use case, which operating system fulfills the requirements I have and at the same time provide me with the necessary options, solutions and security policies for me to keep it as secure as possible.

The most secure operating system in general might be OpenBSD, but if my use case is gaming on Steam with an NVIDIA graphics card, then that wouldn't work because OpenBSD doesn't have support for NVIDIA graphics cards. Hence, I need to first assess my use case and then determine how much security matters for that specific use case, and then determine what operating system is best suited to fulfill my needs. At the same time I need to consider combining multiple options. If my use case is gaming on Steam, and I choose either Microsoft Windows or some Linux distribution, I would still benefit a lot from building an OpenBSD firewall and put that between my local network and the public Internet.

When it comes to matters of performance, then almost every single performance benchmark you can find on the Internet is useless. Especially the ones on Phoronix like this one.

All operating systems has tuneable "knobs". If I want to understand how a specific operating system performs I have to know and understand which "knobs" to fiddle with and then put that specific operating system under a test that resembles - as close as possible - the real problems I am facing. Then I have to combine the results with other important factors and features such as security, adaptability, maintainability, timely updates, and everything else that is important to my project.

Why does all these things matter? Well, because there is a huge difference between e.g. exposing a specific operating system to the Internet versus exposing it to a private company intranet. There is also a huge difference between e.g. serving only static HTML files versus having a system that requires user login, mail service, and a database with sensitive information. Sometimes when performance matters a lot, security matters less - it all depends on the specific use case.