Web Browser Hardening (Privacy & Security) Resource List

Discussion in 'other software & services' started by CogitoErgoSum, Jul 3, 2008.

Thread Status:
Not open for further replies.
  1. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I have complied the following hardening(privacy & security) resource links below for the latest, most commonly used web browsers.

    Internet Explorer 7:
    http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx (Protected Mode in Vista IE7)
    http://blogs.msdn.com/ie/archive/20...for-ie7-in-windows-vista-is-it-on-or-off.aspx (Protected Mode for IE7 in Windows Vista - Is it On or Off?)
    http://content.zdnet.com/2346-12691_22-87874.html (Images: How to run Internet Explorer securely)
    http://windowssecrets.com/comp/061026#story1 (IE 7 needs tweaking for safety)
    http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1241319,00.html (Tips on hardening and securing IE7)
    http://searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1244243,00.html (Configuring IE7 security: ActiveX, information bar, cross-domain protection)
    http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci945838,00.html (The dangers of ActiveX)
    http://securitywatch.eweek.com/browsers/how_to_disable_activex_controls_in_internet_explorer_1.html (How to Disable ActiveX Controls in Internet Explorer)
    http://antivirus.about.com/od/securitytips/ht/ieiframe.htm (How To Disable IFrames in Internet Explorer)
    http://www.darkreading.com/document.asp?doc_id=153221 (Free 'AxBan' Tool Kills Bad ActiveX Controls)
    http://blog.washingtonpost.com/secu...g_internet_explorer_brows_1.html?nav=rss_blog (Taming Internet Explorer Browser Plug-Ins)
    http://www.javacoolsoftware.com/spywareblaster.html (SpywareBlaster - IE kill-bits for identified or known malicious ActiveX controls and gives one the option to disable/enable "flash" within IE.)
    http://www.bleepingcomputer.com/tutorials/tutorial49.html (Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware)
    http://www.malwarehelp.org/how-to-effectively-prevent-malware-spywareblaster1.html (How to effectively prevent Malware using SpywareBlaster Part 1)
    http://www.malwarehelp.org/how-to-effectively-prevent-malware-spywareblaster2.html (How to effectively prevent Malware using SpywareBlaster Part 2)
    http://www.nirsoft.net/utils/axhelper.html (NirSoft ActiveXHelper - free utility that allows one to view and "selectively" disable any of the ActiveX components that are installed on one's computer.)
    http://www.bbshare.com/ (No! Flash - free utility that blocks multimedia ads and spyware and gives one the option to disable/enable "Flash" in Microsoft Internet Explorer.);(*Note: Looking over the site it appears that this utility is not compatible with either Vista or IE 7. On the other hand, it would not hurt to try and see.)
    http://antivirus.about.com/od/securitytips/ht/ieaddons.htm (How To Disable Add-Ons in Internet Explorer)
    http://antivirus.about.com/od/securitytips/ht/ac_ie.htm (How to Disable AutoComplete in Internet Explorer)
    Internet Explorer 7 Plugin:
    http://www.ie7pro.com/ (Free plugin that allows one to block ads, block flash, disable plugins among other things.)

    FireFox 3:
    http://content.zdnet.com/2346-12691_22-93923.html (Securing FireFox: How to avoid hacker attacks on Mozilla's browser)
    http://www.squarefree.com/securitytips/users.html (Security tips for Firefox users)
    http://www.security-hacks.com/2007/06/08/firefox-10-tips-to-bolster-your-privacy (FireFox: 10 tips to bolster your privacy)
    http://www.tssci-security.com/archives/2007/08/15/8-firefox-extensions-towards-safer-browsing/ (8 Firefox extensions towards safer browsing)
    http://ludios.org/firefox/securing/ (Securing Firefox 3)
    http://ha.ckers.org/firefox_improvements.html (*Note: Please take note of the "Reduce what JavaScript can do in Firefox:" and "Greasemonkey:" sections. The "Greasemonkey:" section can be ignored if one is using Adblock and/or NoScript to disable iframes.)
    http://antivirus.about.com/od/securitytips/ht/disableprefetch.htm (How To Disable Google / Firefox Prefetch)
    http://antivirus.about.com/od/securitytips/ht/ac_firefox.htm (How To How to Disable AutoComplete in Firefox)
    http://www.hackosis.com/index.php/2007/10/24/securitytop-firefox-security-extensions/ (Top 10 Firefox Security Extensions)

    Opera 9.5:
    http://www.opera.com/support/tutorials/security/shared/ (Security and Privacy on a Shared Computer)
    https://www.wilderssecurity.com/showthread.php?t=211761&highlight=opera (Hardening/Securing the Opera Web Browser)
    http://my.opera.com/mp3geek/blog/ (Fanboy's Opera Stuff Blog)
    http://www.fanboy.co.nz/adblock/ (Fanboy's AdBlock List for Opera)

    Safari 3.1:
    http://docs.info.apple.com/article.html?path=Safari/2.0/en/ibr1069.html (Protecting private information on shared computers)
    http://www.apple.com/pro/tips/privacy_safari.html (Browse in Privacy with Safari)
    http://blogs.howtogeek.com/mysticgeek/2007/06/13/private-browsing-with-safari/ (Private Browsing With Safari)
    http://www.howtogeek.com/howto/apple/make-your-safari-web-browsing-private/ (Make Your Safari Web Browsing Private)
    http://osxhelp.com/mastering-safari-understanding-security/ (Mastering Safari, understanding security)
    http://www.insanely-great.com/news.php?id=9054 (Safari private browsing not private)
    http://uneasysilence.com/archive/2008/03/13061/ (If This Browser Could Talk: Safari Private Surfing *Not* So Private)
    Safari Ad-Blocking or Privacy/Security Plugins:
    http://www.culater.net/software/PithHelmet/PithHelmet.php (PithHelmet)
    http://safariadblock.sourceforge.net/ (Safari AdBlock)
    http://haoli.dnsalias.com/Saft/index.html (Saft)

    Miscellaneous:
    http://www.us-cert.gov/reading_room/securing_browser/ (CERT - Securing Your Web Browser)
    http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf (Google Security - "The Ghost in the Browser")
    http://honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm ("Know Your Enemy: Malicious Web Servers")
    http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html ("All Your iFrame Are Point to Us")
    http://www.howtocreate.co.uk/crosssite.html#userprotect (How can users protect themselves against XSS)
    http://chucklinart.com/protect_against_cross_site_scripting_XSS_attacks (Protect Against XSS Attacks)
    http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/ (IFrames security summary)
    http://isc.sans.org/diary.html?storyid=3573 (Cyber Security Awareness Tip #28: Cookies)
    http://isc.sans.org/diary.html?storyid=3733 (How to stop javascript from websites infecting clients)
    http://www.explabs.com/test/ (Harmless test that helps determine whether one has I-frames enabled or disabled within one's web browser)

    (*Note: Keep in mind that while implementing all of the the above hardening tips will result in a web browser that is substantially more secure, it "may" break some web functionality on a site-to-site basis. In any case, I suggest that one apply changes one-step-at-a-time or in a trial-and-error manner to achieve a more secure, but usable compromise.)

    (*Note: Keep in mind that "some" of the privacy/security settings that I employ in Opera 9.5 can also be used in IE 7, FF 3 and Safari 3.1.)

    Vulnerabilities and exploits notwithstanding, it is my opinion that the most secure web browsers are FF, Opera and Safari because they do not employ ActiveX functionality. Secondly, it is my opinion that FF and Opera are the "most" secure web browsers of the three because of the extensions or plug-ins available to the former and the ease of access to privacy/security settings and configurability and user scripts of the latter.

    Lastly, based upon the body of evidence that I have read to date as well as the determination of commonly recurring exploits, I have concluded that disabling or blocking ActiveX, Adobe Flash Player, inline frames(Iframes) and JavaScript(JS) will effectively lessen the impact or negate the consequences of drive-by-downloads, zero-day/hour exploits or vulnerabilities and cross-site scripting(XSS) attacks. It has been my experience, at least in regards to Opera 9.5, that disabling JS breaks too much web functionality. A good compromise that I have found to close the gap in security between having JS disabled or "fully" enabled is to leave JS enabled and employ the use of Opera privacy/security specific user scripts along with disabling flash and iframes.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 8, 2008
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,289
    Location:
    Pennsylvania.
    Re: Web Browser Hardening(Privacy & Security) Resource List

    I wish safecache and safehistory were upgraded for FF3. :( I don't like seeing them disabled because they are not compatible.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Nice list Cogito!
    Thanks a lot!
     
    Last edited: Jul 3, 2008
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hey Cheater, check out the section labeled "Summary" here: http://ludios.org/firefox/securing/. Part of it says "Install Nightly Tester Tools and “Disable add-on compatibility checking” to install some older Firefox 2 add-ons." That might possibly be a solution to outdated add-ons, though I haven't tested this myself. The only thing I disagree with in some of these links regarding IE is setting options to "High", in my experience at least, it cripples IE a little too much for the websites I normally visit.
     
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hello HURST,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     
  6. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    For those who are interested,

    I have added some notes and a disclaimer to my original post(#1).


    Peace & Gratitude,

    CogitoErgoSum
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    For those who are interested,

    I have added more links of interest to IE 7 in my original post(#1).


    Peace & Gratitude,

    CogitoErgoSum
     
  8. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hi

    It's a great list!

    Thanks very much
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Great work CogitoErgoSum :thumb:

    Looks like sticky material!
     
  10. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    187
    Location:
    Bangladesh
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Agreed.
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hello Someone, innerpeace & 031,

    You are all very welcome. I very much appreciate all the compliments.


    Peace & Gratitude,

    CogitoErgoSum
     
  12. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hi,

    Is there a guide suitable for people who already have made good effort to secure their operating systems, eg running limited user accounts, strict file permissions, general security holes patched/configured out etc?
     
  13. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    For those who are interested,

    I have added some new links to the IE 7 and FF 3 sections and comments to the closing paragraph in my original post(#1). Lastly, I have also provided some updates to the "Hardening/Securing the Opera Web Browser" link.


    Peace & Gratitude,

    CogitoErgoSum
     
  14. tlu

    tlu Guest

    Re: Web Browser Hardening(Privacy & Security) Resource List

    A nice compilation of useful links :thumb:

    Just some additional remarks for Firefox users:
    1. Security
      • I recommend using the extension Firekeeper, an Intrusion Detection System. While it doesn't probably add much security if you make sure that you're always using the newest FF version with Noscript, Firekeeper may warn you that an already whitelisted site or a site you're planning to whitelist in Noscript is compromised. There are comprehensive blocklists available (mentioned in this posting) which are automatically updated. (Note: Ubuntu users should read this posting.)
      • In view of the recent OpenSSL desaster (which affects ALL users of ANY operating system) I recommend the extension SSL Blacklist.
    2. Privacy
      • In order to forbid the so-called "Super Cookies" I recommend to add
        Code:
        //Prevent "Super Cookies"
        user_pref("dom.storage.enabled", false);
        to your user.js file (located in the FF profile folder).
      • In order to prevent Javascript access to your cookies I recommend to add
        Code:
        //Prevent Javascript to read cookies
        user_pref("dom.disable_cookie_get",true);
        //Prevent Javascript to create/change cookies
        user_pref("dom.disable_cookie_set",true);
        to your user.js.
      • In Adblock Plus I recommend (in addition to the "normal" filter lists, in particular EasyList+EasyElement, Cedric's List, Dr.Evil's List) to subscribe to the ABP Tracking Filter list.
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hello tlu,

    You are very welcome. Thanks for your contribution to FireFox. I am pretty sure that FF users will appreciate your tips.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 5, 2008
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Thanks Thomas.
    Great input.

    This thread is definitely Sticky material :thumb:
     
  17. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    For those who are interested,

    I have added some new links to the IE 7, FF 3, Opera 9.5 and Safari 3.1 sections in my original post(#1). I have also posted some new tips in the "Hardening/Securing the Opera Web Browser" link.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 7, 2008
  18. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hi

    Thanks again for more great links!
     
  19. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    Hello Someone,

    You are very welcome.


    Peace & Gratitude,

    CogitoErgoSum
     
  20. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Re: Web Browser Hardening(Privacy & Security) Resource List

    For those who are interested,

    Online Web Browser Privacy/Security Tests:
    http://gemal.dk/browserspy/ (gemal.dk - BrowserSpy)
    http://privacy.net/analyze/ (Privacy.net Analyzer)
    http://finjan.com/Content.aspx?id=577 (*Note: Please take note of the "Denial of Service (DoS)", "Remote Code Execution (RCE)", "Phishing", "Code Obfuscation of Malicious Script", "Java Applet" and "ActiveX Control" tests.)
    http://www.hostile-code.com/htme/tsecurity.htm (Hostile Code - Security Test)
    http://www.it-sec.de/vulchke.html (it.sec - Online Security Check)
    http://www.jasons-toolbox.com/BrowserSecurity/ (Jason's Toolbox - Browser Security Tests)


    Peace & Gratitude,

    CogitoErgoSum
     
  21. tlu

    tlu Guest

  22. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  23. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Last edited: Jul 15, 2008
  24. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I have compiled a list of relevant links that pertain to cross-site scripting(XSS) and it's effects on web browser privacy/security and some solutions.

    http://en.wikipedia.org/wiki/Cross-site_scripting
    http://www.cgisecurity.com/articles/xss-faq.shtml (The Cross Site Scripting (XSS) FAQ)
    http://www.cert.org/advisories/CA-2000-02.html (CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests)
    http://www.windowsecurity.com/articles/Cross-Site-Scripting-Underestimated-Exploit.html (Cross Site Scripting – The Underestimated Exploit)
    http://www.microsoft.com/technet/archive/security/news/crsstqs.mspx?mfr=true (What Customers Can Do to Protect Themselves from Cross-Site Scripting)
    http://www.technicalinfo.net/papers/CSS.html (HTML Code Injection and Cross-site scripting)
    http://www.preventing-xss.ovh.org/ (Preventing XSS Attacks)


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 15, 2008
  25. tlu

    tlu Guest

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.