Web Browser Hardening (Privacy & Security) revived

In July of 2008 CogitoErgoSum started and ran a thread called
Web Browser Hardening (Privacy & Security) Resource List

Here is a concluding comment in the first post from that thread.

Since 2008 much has changed, we have Chrome, IE9/10 FF 20+, sandboxie, tracker lists, private browsing, safe sites features, major changes in Googles privacy practices new threats etc.

I am currently running IE 9 holding back on 10 and resenting IE's tracking keystrokes, clipboard access and screen scrapes.

1) How do I harden IE9, 10 etc where is the best reference for that?

2) How do I choose a secure yet functional browser?

3) Is there some issue with Chrome they keep trying to install with other products, don't like that behaviour.

 

1)
Aimed at businesses:
- Microsoft Security Compliance Manager

Aimed at consumers:
- Change security and privacy settings in Internet Explorer 9
- Change security and privacy settings in Internet Explorer 10


2)
Check reviews and benchmarks. The most complete one (involving the 4 major browsers for Windows - IE, Chrome, Firefox and Opera) seems to be this. Take in mind that results may vary in your machine, so you may need to do some testing to verify. As for specific features, these will need your testing as well.


3)
At least bundling Chrome gives software vendors some money. Especially important for those that give software away for free.

 

Thanks! Looks like I have some work to do! On Chrome is there some reasons to use it? I have heard it is faster. But what about security?

 

I couldn't possibly explain all the techie details about Chrome security, I'll have to leave that to the more knowledgeable folks. However, Chrome uses a variety of methods to be safer than the other choices. It uses full sandboxing, true multi-process/sandboxing (where, say, Firefox simply separates plugin processes, in Chrome every process is separated from each other and sandboxed I believe), and, though maybe it's not a huge boon to security it runs a built in Flash that Google alone is responsible for keeping up, along with built in PDF reading. Both, of course, are also sandboxed.

 

Browser Scope has some interesting tests.

http://www.browserscope.org/security/test

postMessage test - Checks whether the browser supports the HTML 5 cross-document messaging API that enables secure communication between origins.

JSON.parse test - Checks whether the browser natively supports the JSON.parse API. Native JSON parsing is safer than using eval.

toStaticHTML test - Checks whether the browser supports the toStaticHTML API for sanitizing untrusted inputs.

httpOnly cookies test - Checks whether the browser supports the httpOnly cookie attribute, which is a mitigation for cross-site scripting attacks.

X-Frame-Options test - Checks whether the browser supports the X-Frame-Options API, which prevents clickjacking attacks by restricting how pages may be framed.

X-Content-Type-Options test - Checks whether the browser supports the X-Content-Type-Options API, which prevents MIME sniffing.

Block reflected XSS test - Checks whether the browser blocks execution of JavaScript code that appears in the request URL. Browser-based XSS filters mitigate some classes of cross-site scripting attacks.

Block location spoofing test - The global "location" object can be used by JavaScript to determine what page it is executing on. It is used by Flash Player, Google AJAX API, and many bookmarklets. Browsers should block JavaScript rootkits that try to overwrite the location object.

Block JSON hijacking test - Documents encoded in JSON format can be read across domains if the browser supports a mutable Array constructor that is called when array literals are encountered. JSON hijacking is also possible if the browser supports a mutable setter function for the Object prototype that is called when object literals are encountered.

Block XSS in CSS test - Script in stylesheets can be used by attackers to evade server-side XSS filters. Support for CSS expressions has been discontinued in IE8 standards mode and XBL in stylesheets has been restricted to same-origin code in separate files in Firefox. We check to make sure that script injected into a site via stylesheet does not execute.

Sandbox attribute test - Checks whether the browser supports the sandbox attribute, which enables a set of extra restrictions on any content hosted by the iframe.

Origin header test - Checks whether the browser supports the Origin header, which is a mitigation for cross-site request forgery (CSRF) attacks.

Strict Transport Security test - Checks whether the browser supports Strict Transport Security, which enables web sites to declare themselves accessible only via secure connections.

Block cross-origin CSS attacks test - By injecting CSS selectors into the target site, attackers can steal confidential data across domains using style sheet import, even without JavaScript. Browsers should correctly determine the content type when loading cross-origin CSS resources.

Cross Origin Resource Sharing test - Checks whether the browser supports the APIs for making cross origin requests.

Block visited link sniffing test - Most browsers display visited links with a :visited CSS pseudo class. A user's browsing history can be sniffed by testing the visited links by checking this CSS class. We test whether browsers restrict access to the :visited pseudo class.

Content Security Policy test - Checks whether the browser supports Content Security Policy, which reduces the XSS attack surfaces for websites that wish to opt-in.


Chrome 24 fails at:
toStaticHTML test

IE 10 fails at:
Origin header test
Strict Transport Security test
Content Security Policy test

Firefox 20 fails at:
toStaticHTML test
X-Content-Type-Options test
Block reflected XSS test
Origin header test



Now, of course, another very important side of browser security is protection against social engineering. This needs completely different tests and methodologies. NSS Labs seems to offer the most comprehensive reports in these aspects:

https://www.nsslabs.com/reports/categories/test-reports/browser-security

Average phishing URL catch rate:

Chrome 21 - 94%

IE 10 - 92%

Firefox 15 - 90%


Malware block rate:

IE 10:
App Rep = 10.6%
URL reputation blocking by the browser = 88.5%
Total = 99.1%

Chrome 21:
Google’s Malicious Download Protection = 65.8%
URL reputation = 4.5%
Total = 70.4%

Firefox 15:
No download protection
Total = 4.2%


You have the data, now you can make an informed decision.

 

Regarding vulnerabilities, neither Google, nor Mozilla and Microsoft leave disclosed vulnerabilities open for long anymore in their latest offers, so I think reaction time doesn't need too much attention. Of course, that's only valid if your browsers are updated as soon as possible, after security updates are released, that is.

Another aspect that might need consideration is "how far" they go with their SDL. Microsoft goes very far, I don't know too much about Google and Mozilla in this aspect (despite the fact that the source code of their browsers is open).

 

Both Microsoft and Mozilla block vulnerable plugins (including vulnerable flash versions) from working - they release updates for that.

Not sure how Google does that. Chrome includes a sandboxed Flash, sure, but does Google release updates to block vulnerable plugins such as an outdated Java plugin from working, for example?

Flash for IE is sandboxed, btw. Also, IE 10 on Windows 8 includes Flash as a platform feature (built-in). Windows 8 comes with a default PDF reader which is also sandboxed.

Firefox lacks built-in Flash (but Flash for Firefox is sandboxed when running in Vista or later), but now comes with built-in PDF reader (but this one isn't sandboxed).

 

Is the flash in Chrome completely independent and not synchronized with the Adobe flash in any way?

 

You guys are great! Very knowledgable and detailed. This notion of the hardened browser is central to www security.

I run IE 9 in sandboxie so does that mean that I match chrome whose claim to fame seems to be it is self sandboxed?

No mention clearly about the IE's use of active x and FF not making FF the browser of choice in 2008. Has this changed or do I manage site privledges via the FW?

 

It doesn't match Chrome (and Chrome can work with Sandboxie as well).

BTW, any reason for not upgrading to IE 10? I can't find an area where IE 10 is worse than IE 9 at the moment.

Not relevant anymore. Several things changed.

Maybe it's an option. With IE, you can use the Security zones too.

 

FWIW, somewhere I read of a change related to SmartScreen URL checking. The impression I got was that before this change only URLs that IE proper attempts to load could/would be sent to Microsoft, and after this change any URL loaded by the WebBrowser Control (and/or underlying components) could/would be sent to Microsoft.

I think I encountered the description when reading something about IE10, which at the time was only available for Win8. I bookmarked it for future more careful study but don't have my bookmarks handy ATM. Does this change ring any bells?

If you don't mind your URLs being sent to Microsoft for checking, the more the merrier I suppose. However, I remember thinking at the time that such a change would expose even more URLs to Microsoft such as those that were loaded by applications that utilize Microsoft components/APIs for web requests.

 

I don't have any concerns regarding this. Aside from encryption, their database doesn't include correlation between the relevant data for their services and personally identifiable data (which is periodically deleted too).

 

It's the same Flash as everyone gets. Google just bundles it with Chrome instead of it being a separate plugin for users to worry about. Now, the PPAPI version with Chrome is a bit stronger that I'm aware of. It's more secure, but prone to more issues than "standard" Flash or "NPAPI". Chrome also gets new Flash versions before the other browser Flash plugins do. At least that is how it was in the past I believe.

 

In fact Chrome does block outdated Java. As far as I'm aware, outdated plugins period are blocked (could be wrong there). I know that IE sandboxes Flash as well, but I don't think it's as strong, plus, Active-X..yeah.

 

which is why Mr Maone (NoScript developer) is 10 Euros richer today.

if you are protected from drive-by download then the only thing to worry about is to scan what is downloaded with an on-demand scanner.
Linux users don't have to worry about this step as they get their software from repositories.

... and of course social engineering and phishing.
but that's in large part up to the user to close that hole.

 

I made a correction to one of my previous posts.

Flash for Firefox (in Vista or later) is sandboxed as well (since Flash 11.3 which was released some months ago).*

*See: http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

 

Not quite. You're thinking of "plugin-container" probably. That is not the same. That simply allows Flash to crash and not kill the entire page (and rarely works in FF actually). It's a stability measure, not security.

 

Nope, I wasn't thinking about plugin-container (which is older). I was referring to this: http://blogs.adobe.com/asset/2012/06/inside-flash-player-protected-mode-for-firefox.html

 

And btw, Firefox Flash sandbox only works in Windows Vista or later.

 

Not necessarily - they can get from other sources as well.

Also, "trusted" repositories can be compromised, as well as the mirrors.

Finally, malware scanners for linux are rudimentary due to lack of interest from the industry.

Even submitting samples of linux software for analysis by industry analysts is harder and less efficient - the test environments are usually centered at other platforms (Windows, Mac, Android).

 

viruses are really not the thing one has to worry about on Linux.

but there's always a concern with social engineering/phishing and MITM attacks and such, of course.
which is why having a secure browser is/should be the first line of defense.

 

Maybe true for ITW malware (because of different popularity of the targets).

But not in a broader sense.

One of the reasons I prefer Windows is the fact that the security industry tries to put its "big eyes" in everything made for it.

Software made for Linux (not to be confused with Linux itself) seems to get less tests. Open source means nothing if there is few qualified people looking at it and testing.

 

Your personal beliefs are duly noted, and yes, I am aware of some Microsoft material that could lead some people to have such beliefs. I'll just leave this appetizer here... http://windows.microsoft.com/en-US/internet-explorer/ie10-win7-privacy-statement, SmartScreen Filter section. That simple glimpse into the technical workings should be enough to make tech savvy interested parties explore further.

 

Yeah, and pretty much the same thing happens with all the other solutions, be them from Microsoft, Google, or whatever. They need some data in order to know what needs to be blocked. This data isn't personally identifiable and, more important: can't be legally used for such purpose.

 

I stand corrected I, however, don't think it is still as safe as it is within the very restricted confines of Chrome (which admittedly isn't perfect either).