Web Browser Hardening (Privacy & Security) revived

Discussion in 'other software & services' started by Escalader, Apr 13, 2013.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    In July of 2008 CogitoErgoSum started and ran a thread called
    Web Browser Hardening (Privacy & Security) Resource List

    Here is a concluding comment in the first post from that thread.

    Since 2008 much has changed, we have Chrome, IE9/10 FF 20+, sandboxie, tracker lists, private browsing, safe sites features, major changes in Googles privacy practices new threats etc.

    I am currently running IE 9 holding back on 10 and resenting IE's tracking keystrokes, clipboard access and screen scrapes.

    1) How do I harden IE9, 10 etc where is the best reference for that?

    2) How do I choose a secure yet functional browser?

    3) Is there some issue with Chrome they keep trying to install with other products, don't like that behaviour.
     
  2. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    1)
    Aimed at businesses:
    - Microsoft Security Compliance Manager

    Aimed at consumers:
    - Change security and privacy settings in Internet Explorer 9
    - Change security and privacy settings in Internet Explorer 10


    2)
    Check reviews and benchmarks. The most complete one (involving the 4 major browsers for Windows - IE, Chrome, Firefox and Opera) seems to be this. Take in mind that results may vary in your machine, so you may need to do some testing to verify. As for specific features, these will need your testing as well.


    3)
    At least bundling Chrome gives software vendors some money. Especially important for those that give software away for free.
     
    Last edited: Apr 13, 2013
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks! Looks like I have some work to do! On Chrome is there some reasons to use it? I have heard it is faster. But what about security?
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I couldn't possibly explain all the techie details about Chrome security, I'll have to leave that to the more knowledgeable folks. However, Chrome uses a variety of methods to be safer than the other choices. It uses full sandboxing, true multi-process/sandboxing (where, say, Firefox simply separates plugin processes, in Chrome every process is separated from each other and sandboxed I believe), and, though maybe it's not a huge boon to security it runs a built in Flash that Google alone is responsible for keeping up, along with built in PDF reading. Both, of course, are also sandboxed.
     
  5. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Browser Scope has some interesting tests.

    http://www.browserscope.org/security/test

    postMessage test - Checks whether the browser supports the HTML 5 cross-document messaging API that enables secure communication between origins.

    JSON.parse test - Checks whether the browser natively supports the JSON.parse API. Native JSON parsing is safer than using eval.

    toStaticHTML test - Checks whether the browser supports the toStaticHTML API for sanitizing untrusted inputs.

    httpOnly cookies test - Checks whether the browser supports the httpOnly cookie attribute, which is a mitigation for cross-site scripting attacks.

    X-Frame-Options test - Checks whether the browser supports the X-Frame-Options API, which prevents clickjacking attacks by restricting how pages may be framed.

    X-Content-Type-Options test - Checks whether the browser supports the X-Content-Type-Options API, which prevents MIME sniffing.

    Block reflected XSS test - Checks whether the browser blocks execution of JavaScript code that appears in the request URL. Browser-based XSS filters mitigate some classes of cross-site scripting attacks.

    Block location spoofing test - The global "location" object can be used by JavaScript to determine what page it is executing on. It is used by Flash Player, Google AJAX API, and many bookmarklets. Browsers should block JavaScript rootkits that try to overwrite the location object.

    Block JSON hijacking test - Documents encoded in JSON format can be read across domains if the browser supports a mutable Array constructor that is called when array literals are encountered. JSON hijacking is also possible if the browser supports a mutable setter function for the Object prototype that is called when object literals are encountered.

    Block XSS in CSS test - Script in stylesheets can be used by attackers to evade server-side XSS filters. Support for CSS expressions has been discontinued in IE8 standards mode and XBL in stylesheets has been restricted to same-origin code in separate files in Firefox. We check to make sure that script injected into a site via stylesheet does not execute.

    Sandbox attribute test - Checks whether the browser supports the sandbox attribute, which enables a set of extra restrictions on any content hosted by the iframe.

    Origin header test - Checks whether the browser supports the Origin header, which is a mitigation for cross-site request forgery (CSRF) attacks.

    Strict Transport Security test - Checks whether the browser supports Strict Transport Security, which enables web sites to declare themselves accessible only via secure connections.

    Block cross-origin CSS attacks test - By injecting CSS selectors into the target site, attackers can steal confidential data across domains using style sheet import, even without JavaScript. Browsers should correctly determine the content type when loading cross-origin CSS resources.

    Cross Origin Resource Sharing test - Checks whether the browser supports the APIs for making cross origin requests.

    Block visited link sniffing test - Most browsers display visited links with a :visited CSS pseudo class. A user's browsing history can be sniffed by testing the visited links by checking this CSS class. We test whether browsers restrict access to the :visited pseudo class.

    Content Security Policy test - Checks whether the browser supports Content Security Policy, which reduces the XSS attack surfaces for websites that wish to opt-in.


    Chrome 24 fails at:
    toStaticHTML test

    IE 10 fails at:
    Origin header test
    Strict Transport Security test
    Content Security Policy test

    Firefox 20 fails at:
    toStaticHTML test
    X-Content-Type-Options test
    Block reflected XSS test
    Origin header test



    Now, of course, another very important side of browser security is protection against social engineering. This needs completely different tests and methodologies. NSS Labs seems to offer the most comprehensive reports in these aspects:

    https://www.nsslabs.com/reports/categories/test-reports/browser-security

    Average phishing URL catch rate:

    Chrome 21 - 94%

    IE 10 - 92%

    Firefox 15 - 90%


    Malware block rate:

    IE 10:
    App Rep = 10.6%
    URL reputation blocking by the browser = 88.5%
    Total = 99.1%

    Chrome 21:
    Google’s Malicious Download Protection = 65.8%
    URL reputation = 4.5%
    Total = 70.4%

    Firefox 15:
    No download protection
    Total = 4.2%


    You have the data, now you can make an informed decision.
     
    Last edited: Apr 13, 2013
  6. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Regarding vulnerabilities, neither Google, nor Mozilla and Microsoft leave disclosed vulnerabilities open for long anymore in their latest offers, so I think reaction time doesn't need too much attention. Of course, that's only valid if your browsers are updated as soon as possible, after security updates are released, that is.

    Another aspect that might need consideration is "how far" they go with their SDL. Microsoft goes very far, I don't know too much about Google and Mozilla in this aspect (despite the fact that the source code of their browsers is open).
     
    Last edited: Apr 13, 2013
  7. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Both Microsoft and Mozilla block vulnerable plugins (including vulnerable flash versions) from working - they release updates for that.

    Not sure how Google does that. Chrome includes a sandboxed Flash, sure, but does Google release updates to block vulnerable plugins such as an outdated Java plugin from working, for example?

    Flash for IE is sandboxed, btw. Also, IE 10 on Windows 8 includes Flash as a platform feature (built-in). Windows 8 comes with a default PDF reader which is also sandboxed.

    Firefox lacks built-in Flash (but Flash for Firefox is sandboxed when running in Vista or later), but now comes with built-in PDF reader (but this one isn't sandboxed).
     
    Last edited: Apr 14, 2013
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Is the flash in Chrome completely independent and not synchronized with the Adobe flash in any way?
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You guys are great! Very knowledgable and detailed. This notion of the hardened browser is central to www security.

    I run IE 9 in sandboxie so does that mean that I match chrome whose claim to fame seems to be it is self sandboxed?

    No mention clearly about the IE's use of active x and FF not making FF the browser of choice in 2008. Has this changed or do I manage site privledges via the FW?
     
  10. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    It doesn't match Chrome (and Chrome can work with Sandboxie as well).

    BTW, any reason for not upgrading to IE 10? I can't find an area where IE 10 is worse than IE 9 at the moment.

    Not relevant anymore. Several things changed.

    Maybe it's an option. With IE, you can use the Security zones too.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    FWIW, somewhere I read of a change related to SmartScreen URL checking. The impression I got was that before this change only URLs that IE proper attempts to load could/would be sent to Microsoft, and after this change any URL loaded by the WebBrowser Control (and/or underlying components) could/would be sent to Microsoft.

    I think I encountered the description when reading something about IE10, which at the time was only available for Win8. I bookmarked it for future more careful study but don't have my bookmarks handy ATM. Does this change ring any bells?

    If you don't mind your URLs being sent to Microsoft for checking, the more the merrier I suppose. However, I remember thinking at the time that such a change would expose even more URLs to Microsoft such as those that were loaded by applications that utilize Microsoft components/APIs for web requests.
     
  12. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    I don't have any concerns regarding this. Aside from encryption, their database doesn't include correlation between the relevant data for their services and personally identifiable data (which is periodically deleted too).
     
    Last edited: Apr 14, 2013
  13. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    It's the same Flash as everyone gets. Google just bundles it with Chrome instead of it being a separate plugin for users to worry about. Now, the PPAPI version with Chrome is a bit stronger that I'm aware of. It's more secure, but prone to more issues than "standard" Flash or "NPAPI". Chrome also gets new Flash versions before the other browser Flash plugins do. At least that is how it was in the past I believe.
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    In fact Chrome does block outdated Java. As far as I'm aware, outdated plugins period are blocked (could be wrong there). I know that IE sandboxes Flash as well, but I don't think it's as strong, plus, Active-X..yeah.
     
  15. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    which is why Mr Maone (NoScript developer) is 10 Euros richer today. :)

    if you are protected from drive-by download then the only thing to worry about is to scan what is downloaded with an on-demand scanner.
    Linux users don't have to worry about this step as they get their software from repositories.

    ... and of course social engineering and phishing.
    but that's in large part up to the user to close that hole.
     
    Last edited: Apr 14, 2013
  16. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Last edited: Apr 14, 2013
  17. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Not quite. You're thinking of "plugin-container" probably. That is not the same. That simply allows Flash to crash and not kill the entire page (and rarely works in FF actually). It's a stability measure, not security.
     
  18. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
  19. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    And btw, Firefox Flash sandbox only works in Windows Vista or later.
     
    Last edited: Apr 14, 2013
  20. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Not necessarily - they can get from other sources as well.

    Also, "trusted" repositories can be compromised, as well as the mirrors.

    Finally, malware scanners for linux are rudimentary due to lack of interest from the industry.

    Even submitting samples of linux software for analysis by industry analysts is harder and less efficient - the test environments are usually centered at other platforms (Windows, Mac, Android).
     
    Last edited: Apr 14, 2013
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    viruses are really not the thing one has to worry about on Linux.

    but there's always a concern with social engineering/phishing and MITM attacks and such, of course.
    which is why having a secure browser is/should be the first line of defense.
     
  22. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Maybe true for ITW malware (because of different popularity of the targets).

    But not in a broader sense.

    One of the reasons I prefer Windows is the fact that the security industry tries to put its "big eyes" in everything made for it.

    Software made for Linux (not to be confused with Linux itself) seems to get less tests. Open source means nothing if there is few qualified people looking at it and testing.
     
  23. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Your personal beliefs are duly noted, and yes, I am aware of some Microsoft material that could lead some people to have such beliefs. I'll just leave this appetizer here... http://windows.microsoft.com/en-US/internet-explorer/ie10-win7-privacy-statement, SmartScreen Filter section. That simple glimpse into the technical workings should be enough to make tech savvy interested parties explore further.
     
  24. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Yeah, and pretty much the same thing happens with all the other solutions, be them from Microsoft, Google, or whatever. They need some data in order to know what needs to be blocked. This data isn't personally identifiable and, more important: can't be legally used for such purpose.
     
  25. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
Loading...
Thread Status:
Not open for further replies.