Web Browser Hardening (Privacy & Security) Resource List

CogitoErgoSum · #1 July 3rd, 2008, 11:42 AM

For those who are interested,

I have complied the following hardening(privacy & security) resource links below for the latest, most commonly used web browsers.

Internet Explorer 7:
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx (Protected Mode in Vista IE7)
http://blogs.msdn.com/ie/archive/200...on-or-off.aspx (Protected Mode for IE7 in Windows Vista - Is it On or Off?)
http://content.zdnet.com/2346-12691_22-87874.html (Images: How to run Internet Explorer securely)
http://windowssecrets.com/comp/061026#story1 (IE 7 needs tweaking for safety)
http://searchwindowssecurity.techtar...241319,00.html (Tips on hardening and securing IE7)
http://searchsecuritychannel.techtar...244243,00.html (Configuring IE7 security: ActiveX, information bar, cross-domain protection)
http://searchsecurity.techtarget.com...945838,00.html (The dangers of ActiveX)
http://securitywatch.eweek.com/brows...xplorer_1.html (How to Disable ActiveX Controls in Internet Explorer)
http://antivirus.about.com/od/securi...t/ieiframe.htm (How To Disable IFrames in Internet Explorer)
http://www.darkreading.com/document.asp?doc_id=153221 (Free 'AxBan' Tool Kills Bad ActiveX Controls)
http://blog.washingtonpost.com/secur...l?nav=rss_blog (Taming Internet Explorer Browser Plug-Ins)
http://www.javacoolsoftware.com/spywareblaster.html (SpywareBlaster - IE kill-bits for identified or known malicious ActiveX controls and gives one the option to disable/enable "flash" within IE.)
http://www.bleepingcomputer.com/tuto...utorial49.html (Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware)
http://www.malwarehelp.org/how-to-ef...eblaster1.html (How to effectively prevent Malware using SpywareBlaster Part 1)
http://www.malwarehelp.org/how-to-ef...eblaster2.html (How to effectively prevent Malware using SpywareBlaster Part 2)
http://www.nirsoft.net/utils/axhelper.html (NirSoft ActiveXHelper - free utility that allows one to view and "selectively" disable any of the ActiveX components that are installed on one's computer.)
http://www.bbshare.com/ (No! Flash - free utility that blocks multimedia ads and spyware and gives one the option to disable/enable "Flash" in Microsoft Internet Explorer.);(*Note: Looking over the site it appears that this utility is not compatible with either Vista or IE 7. On the other hand, it would not hurt to try and see.)
http://antivirus.about.com/od/securi...t/ieaddons.htm (How To Disable Add-Ons in Internet Explorer)
http://antivirus.about.com/od/securitytips/ht/ac_ie.htm (How to Disable AutoComplete in Internet Explorer)
Internet Explorer 7 Plugin:
http://www.ie7pro.com/ (Free plugin that allows one to block ads, block flash, disable plugins among other things.)

FireFox 3:
http://content.zdnet.com/2346-12691_22-93923.html (Securing FireFox: How to avoid hacker attacks on Mozilla's browser)
http://www.squarefree.com/securitytips/users.html (Security tips for Firefox users)
http://www.security-hacks.com/2007/0...r-your-privacy (FireFox: 10 tips to bolster your privacy)
http://www.tssci-security.com/archiv...afer-browsing/ (8 Firefox extensions towards safer browsing)
http://ludios.org/firefox/securing/ (Securing Firefox 3)
http://ha.ckers.org/firefox_improvements.html (*Note: Please take note of the "Reduce what JavaScript can do in Firefox:" and "Greasemonkey:" sections. The "Greasemonkey:" section can be ignored if one is using Adblock and/or NoScript to disable iframes.)
http://antivirus.about.com/od/securi...leprefetch.htm (How To Disable Google / Firefox Prefetch)
http://antivirus.about.com/od/securi...ac_firefox.htm (How To How to Disable AutoComplete in Firefox)
http://www.hackosis.com/index.php/20...ty-extensions/ (Top 10 Firefox Security Extensions)

Opera 9.5:
http://www.opera.com/support/tutorials/security/shared/ (Security and Privacy on a Shared Computer)
http://www.wilderssecurity.com/showt...ighlight=opera (Hardening/Securing the Opera Web Browser)
http://my.opera.com/mp3geek/blog/ (Fanboy's Opera Stuff Blog)
http://www.fanboy.co.nz/adblock/ (Fanboy's AdBlock List for Opera)

Safari 3.1:
http://docs.info.apple.com/article.h...n/ibr1069.html (Protecting private information on shared computers)
http://www.apple.com/pro/tips/privacy_safari.html (Browse in Privacy with Safari)
http://blogs.howtogeek.com/mysticgee...g-with-safari/ (Private Browsing With Safari)
http://www.howtogeek.com/howto/apple...wsing-private/ (Make Your Safari Web Browsing Private)
http://osxhelp.com/mastering-safari-...ding-security/ (Mastering Safari, understanding security)
http://www.insanely-great.com/news.php?id=9054 (Safari private browsing not private)
http://uneasysilence.com/archive/2008/03/13061/ (If This Browser Could Talk: Safari Private Surfing *Not* So Private)
Safari Ad-Blocking or Privacy/Security Plugins:
http://www.culater.net/software/Pith...PithHelmet.php (PithHelmet)
http://safariadblock.sourceforge.net/ (Safari AdBlock)
http://haoli.dnsalias.com/Saft/index.html (Saft)

Miscellaneous:
http://www.us-cert.gov/reading_room/securing_browser/ (CERT - Securing Your Web Browser)
http://www.usenix.org/event/hotbots0...vos/provos.pdf (Google Security - "The Ghost in the Browser")
http://honeynet.org/papers/mws/KYE-M...eb_Servers.htm ("Know Your Enemy: Malicious Web Servers")
http://googleonlinesecurity.blogspot...int-to-us.html ("All Your iFrame Are Point to Us")
http://www.howtocreate.co.uk/crosssite.html#userprotect (How can users protect themselves against XSS)
http://chucklinart.com/protect_again...ng_XSS_attacks (Protect Against XSS Attacks)
http://www.thespanner.co.uk/2007/10/...urity-summary/ (IFrames security summary)
http://isc.sans.org/diary.html?storyid=3573 (Cyber Security Awareness Tip #28: Cookies)
http://isc.sans.org/diary.html?storyid=3733 (How to stop javascript from websites infecting clients)
http://www.explabs.com/test/ (Harmless test that helps determine whether one has I-frames enabled or disabled within one's web browser)

(*Note: Keep in mind that while implementing all of the the above hardening tips will result in a web browser that is substantially more secure, it "may" break some web functionality on a site-to-site basis. In any case, I suggest that one apply changes one-step-at-a-time or in a trial-and-error manner to achieve a more secure, but usable compromise.)

(*Note: Keep in mind that "some" of the privacy/security settings that I employ in Opera 9.5 can also be used in IE 7, FF 3 and Safari 3.1.)

Vulnerabilities and exploits notwithstanding, it is my opinion that the most secure web browsers are FF, Opera and Safari because they do not employ ActiveX functionality. Secondly, it is my opinion that FF and Opera are the "most" secure web browsers of the three because of the extensions or plug-ins available to the former and the ease of access to privacy/security settings and configurability and user scripts of the latter.

Lastly, based upon the body of evidence that I have read to date as well as the determination of commonly recurring exploits, I have concluded that disabling or blocking ActiveX, Adobe Flash Player, inline frames(Iframes) and JavaScript(JS) will effectively lessen the impact or negate the consequences of drive-by-downloads, zero-day/hour exploits or vulnerabilities and cross-site scripting(XSS) attacks. It has been my experience, at least in regards to Opera 9.5, that disabling JS breaks too much web functionality. A good compromise that I have found to close the gap in security between having JS disabled or "fully" enabled is to leave JS enabled and employ the use of Opera privacy/security specific user scripts along with disabling flash and iframes.

Peace & Gratitude,

CogitoErgoSum

cheater87 · #2 July 3rd, 2008, 12:56 PM

I wish safecache and safehistory were upgraded for FF3.

I don't like seeing them disabled because they are not compatible.

HURST · #3 July 3rd, 2008, 01:09 PM

Nice list Cogito!
Thanks a lot!

dw426 · #4 July 3rd, 2008, 01:37 PM

Quote:

Originally Posted by cheater87

I wish safecache and safehistory were upgraded for FF3.

I don't like seeing them disabled because they are not compatible.

Hey Cheater, check out the section labeled "Summary" here: http://ludios.org/firefox/securing/. Part of it says "Install Nightly Tester Tools and “Disable add-on compatibility checking” to install some older Firefox 2 add-ons." That might possibly be a solution to outdated add-ons, though I haven't tested this myself. The only thing I disagree with in some of these links regarding IE is setting options to "High", in my experience at least, it cripples IE a little too much for the websites I normally visit.

CogitoErgoSum · #5 July 3rd, 2008, 02:30 PM

Hello HURST,

You are very welcome.

Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum · #6 July 3rd, 2008, 02:33 PM

For those who are interested,

I have added some notes and a disclaimer to my original post(#1).

Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum · #7 July 3rd, 2008, 04:08 PM

For those who are interested,

I have added more links of interest to IE 7 in my original post(#1).

Peace & Gratitude,

CogitoErgoSum

Someone · #8 July 3rd, 2008, 10:10 PM

Hi

It's a great list!

Thanks very much

innerpeace · #9 July 3rd, 2008, 11:06 PM

Great work CogitoErgoSum

Looks like sticky material!

031 · #10 July 3rd, 2008, 11:29 PM

Quote:

Originally Posted by innerpeace

Great work CogitoErgoSum

Looks like sticky material!

Agreed.

CogitoErgoSum · #11 July 4th, 2008, 12:54 AM

Hello Someone, innerpeace & 031,

You are all very welcome. I very much appreciate all the compliments.

Peace & Gratitude,

CogitoErgoSum

NGRhodes · #12 July 4th, 2008, 06:57 AM

Hi,

Is there a guide suitable for people who already have made good effort to secure their operating systems, eg running limited user accounts, strict file permissions, general security holes patched/configured out etc?

CogitoErgoSum · #13 July 5th, 2008, 12:14 PM

For those who are interested,

I have added some new links to the IE 7 and FF 3 sections and comments to the closing paragraph in my original post(#1). Lastly, I have also provided some updates to the "Hardening/Securing the Opera Web Browser" link.

Peace & Gratitude,

CogitoErgoSum

tlu · #14 July 5th, 2008, 01:20 PM

A nice compilation of useful links

Just some additional remarks for Firefox users:

Security
- I recommend using the extension Firekeeper, an Intrusion Detection System. While it doesn't probably add much security if you make sure that you're always using the newest FF version with Noscript, Firekeeper may warn you that an already whitelisted site or a site you're planning to whitelist in Noscript is compromised. There are comprehensive blocklists available (mentioned in this posting) which are automatically updated. (Note: Ubuntu users should read this posting.)
- In view of the recent OpenSSL desaster (which affects ALL users of ANY operating system) I recommend the extension SSL Blacklist.
Privacy
- In order to forbid the so-called "Super Cookies" I recommend to add
  Code:
```
//Prevent "Super Cookies"
user_pref("dom.storage.enabled", false);
```
  to your user.js file (located in the FF profile folder).
- In order to prevent Javascript access to your cookies I recommend to add
  Code:
```
//Prevent Javascript to read cookies
user_pref("dom.disable_cookie_get",true);
//Prevent Javascript to create/change cookies
user_pref("dom.disable_cookie_set",true);
```
  to your user.js.
- In Adblock Plus I recommend (in addition to the "normal" filter lists, in particular EasyList+EasyElement, Cedric's List, Dr.Evil's List) to subscribe to the ABP Tracking Filter list.

CogitoErgoSum · #15 July 5th, 2008, 03:18 PM

Hello tlu,

You are very welcome. Thanks for your contribution to FireFox. I am pretty sure that FF users will appreciate your tips.

Peace & Gratitude,

CogitoErgoSum

HURST · #16 July 5th, 2008, 03:45 PM

Thanks Thomas.
Great input.

This thread is definitely Sticky material

CogitoErgoSum · #17 July 7th, 2008, 10:04 AM

For those who are interested,

I have added some new links to the IE 7, FF 3, Opera 9.5 and Safari 3.1 sections in my original post(#1). I have also posted some new tips in the "Hardening/Securing the Opera Web Browser" link.

Peace & Gratitude,

CogitoErgoSum

Someone · #18 July 7th, 2008, 10:50 PM

Quote:

Originally Posted by CogitoErgoSum

For those who are interested,

I have added some new links to the IE 7, FF 3, Opera 9.5 and Safari 3.1 sections in my original post(#1). I have also posted some new tips in the "Hardening/Securing the Opera Web Browser" link.

Peace & Gratitude,

CogitoErgoSum

Hi

Thanks again for more great links!

CogitoErgoSum · #19 July 8th, 2008, 08:06 AM

Quote:

Originally Posted by Someone

Hi

Thanks again for more great links!

Hello Someone,

You are very welcome.

Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum · #20 July 8th, 2008, 01:28 PM

For those who are interested,

Online Web Browser Privacy/Security Tests:
http://gemal.dk/browserspy/ (gemal.dk - BrowserSpy)
http://privacy.net/analyze/ (Privacy.net Analyzer)
http://finjan.com/Content.aspx?id=577 (*Note: Please take note of the "Denial of Service (DoS)", "Remote Code Execution (RCE)", "Phishing", "Code Obfuscation of Malicious Script", "Java Applet" and "ActiveX Control" tests.)
http://www.hostile-code.com/htme/tsecurity.htm (Hostile Code - Security Test)
http://www.it-sec.de/vulchke.html (it.sec - Online Security Check)
http://www.jasons-toolbox.com/BrowserSecurity/ (Jason's Toolbox - Browser Security Tests)

Peace & Gratitude,

CogitoErgoSum

tlu · #21 July 8th, 2008, 01:42 PM

Quote:

Originally Posted by CogitoErgoSum

For those who are interested,
Online Web Browser Privacy/Security Tests:

Another good one: http://www.heise-online.co.uk/securi.../browsercheck/

CogitoErgoSum · #22 July 8th, 2008, 03:41 PM

Quote:

Originally Posted by tlu

Another good one: http://www.heise-online.co.uk/securi.../browsercheck/

Hello tlu,

Thanks for your contribution. Agreed, another good one.

Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum · #23 July 13th, 2008, 09:36 AM

CogitoErgoSum · #24 July 13th, 2008, 11:08 AM

For those who are interested,

I have compiled a list of relevant links that pertain to cross-site scripting(XSS) and it's effects on web browser privacy/security and some solutions.

http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.cgisecurity.com/articles/xss-faq.shtml (The Cross Site Scripting (XSS) FAQ)
http://www.cert.org/advisories/CA-2000-02.html (CERT® Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests)
http://www.windowsecurity.com/articl...d-Exploit.html (Cross Site Scripting – The Underestimated Exploit)
http://www.microsoft.com/technet/arc....mspx?mfr=true (What Customers Can Do to Protect Themselves from Cross-Site Scripting)
http://www.technicalinfo.net/papers/CSS.html (HTML Code Injection and Cross-site scripting)
http://www.preventing-xss.ovh.org/ (Preventing XSS Attacks)

Peace & Gratitude,

CogitoErgoSum

tlu · #25 July 13th, 2008, 11:27 AM

Quote:

Originally Posted by CogitoErgoSum

For those who are interested,

I have compiled a list of relevant links that pertain to cross-site scripting(XSS) and it's effects on web browser privacy/security and some solutions.

Another nice link is http://www.heise-online.co.uk/securi...features/84511

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search