Discussion in 'other software & services' started by Escalader, Apr 13, 2013.
Ok, thanks Mman, that's pretty much what I thought....
You're welcome. That's one of the things that make me forgive Chrome when it acts goofy. It basically does all the updating work for me. I just love that to pieces, lol.
As the owner of this thread please lets not stray into linux vs windows at this time. Or my av is better than your av.
I am only interested in browser hardening.
Thanks so far for all the contributions.
You bet. I'm not near the expert some of you are, but I've been at this a while and have learned a lot. Browser hardening isn't something you need to take a lot of time and effort to do, nor does it require a truckload of 3rd party solutions to do it. In fact, I'd say doing that opens up more possible attack doors. Chrome cuts a good amount of work out of browser hardening. Say what you will about Google and data, but I don't know of anyone who has complained yet that Chrome security is too little.
What we need to keep in mind though is that no matter what we do to "shore up" browser defenses on the outside, inside is what counts and that's where it's in the hands of no one but the vendors. So sure, it's kind of interesting to talk about all the ways we personally can lower our attack chances. But, if the code inside is junk or flawed, it's like putting lipstick on a pig.
I like this article by forum member Chiron and it covers all browsers
How to Harden Your Browser Against Malware and Privacy Concerns
That article states,
But doesn't describe how it tracks you.
Thanks adrenaline! Great read!
I downloaded the whole article and have it in word document.
May I respectfully ask the posters here to read this document and then review their suggestions and post back where they agree and disagree and why.
My own tilt is shifting to global no script and the whitelisting idea for those sites I want to allow (bank etc).
The other new idea for me (maybe not others) is the alternate search engine that does not track or report back to the mother ship.
I still don't understand why IE9 inside sandboxie (as I am as I post this) isn't just as good as chrome with it's sandbox. with sandboxie I can run any program in the box.
Maybe so rich.
BUT why do we care it tracks us is the point and how to not be tracked is my concern on privacy.
Hungry Man would probably know the answer to that, if he happens to read this thread... Or maybe PM him..
Attack I can deal with it's loss of privacy vs search effectiveness I fear.
I have a better opinion of chrome now than when the thread begins.
Please say more clearly for me anyway what you mean by inside and outside.
Are you saying open code "inside" is worse or better from a security point of view. I'm thinking open code being open can be exploited by smart bad guys.
Why am I wrong ?
I PM'd him inviting him to comment. Good idea
Allow me... https://www.wilderssecurity.com/showpost.php?p=2215334&postcount=118
Read it and only grasped 50% of it. What was the bottom line on this question?
I'm in IE9 with Active x and smartscreen filter ON all the while inside sandboxie.
IF i go to chrome are you saying I can/should drop sandboxie? maybe dumb question only proving I caught 50%
Sorry, my bad. I forgot to mention to read from https://www.wilderssecurity.com/showpost.php?p=2215311&postcount=114 onwards, between Windows_Security (former Kees195 and me.
Anyway, point being that if I had to make a choice, which I did, I'd rather use Internet Explorer Protected Mode/Enhanced Protected Mode or Chromium's sandbox.
The choice to me is simple, really, as I mentioned in the other thread.
Internet Explorer Protected Mode: parent process at medium integrity level <-> child processes at low integrity level.
Internet Explorer Enhanced Protected Mode: parent process at medium integrity level <-> child processes at appcontainer integrity level
To the best of my knowledge, there's no easy way, and preferable not to tweak IE's integrity levels.
Chromium/Chrome sandbox, normally is as follows: parent process at medium integrity level <-> child processes at untrusted integrity level.
Easily tweaked to be low integrity level <-> untrusted integrity level
In my book, it's preferable to have that over Sandboxie's way, which is: Sandboxie processes running at system integrity level <-> sandboxed processes at untrusted integrity level.
To make it short:
Internet Explorer (Enhanced) Protected Mode: medium <-> low/appcontainer
Chromium: medium/low <-> untrusted
Sandboxie *: system <-> untrusted
* Only version 4 has sandboxed processes running in Untrusted IL. Previous versions have the same permissions has the user.
From higher privileges to lowest privileges: System, High, Medium, Low, Untrusted, AppContainer (Windows 8 ).
Hope this ain't more confusing. lol
If you can/should drop Sandboxie for IE/Chrome, it's up to you to assess the risks involved in such scenarios. I'm by no means saying that anyone should drop something over something.
I'm sorry, Escalader, but a statement such the article makes without details is just not sufficient!
If I'm not told how that tracking works, I don't know how to avoid it (without using a different Search Engine, which may not be necessary if other options are available.)
Taking statements at face value in these articles without being able to corroborate/verify would force me to take actions without understanding everything involved. In my view, these things border on being unnecessarily alarmist.
My understanding is that a Cookie is required in order for a Search Engine to track. Now, there may be something else involved that I'm not aware of, but the article gives no information.
A while back, a thread discussed Google's combining all of its services (easier to track users) but that requires setting up a Google account, such as G-mail, and setting a cookie. In this case, Google has your email address and possibly the home address for billing, in the account. But no one is forced to have a G-mail account.
I don't understand all of the hoopla about Search Engine Tracking. Assuming a Cookie is used for tracking, it's a user option (an Opt-in configuration), isn't it?
I wonder if people are as concerned about other types of tracking we are faced with in life:
Library Card: if I have one under my real name, real address, the Library knows my reading habits
Rewards Card: More and more retail stores are offering this. It tracks your purchasing habits at that store. There is nothing nefarious about this -- it helps their marketing. But it is still "tracking." Are people as concerned about this as Search Engine Tracking? (A library or reward card is a "Cookie.")
On line purchasing, Accounts on line: If I have an account at Amazon.com, it has my purchasing history. With its cookie, it also records my browsing history on the site.
And much more, such as the IRS, Social Security, State Motor Vehicle Agency (bad driving record!), Insurance Companies, Smart Utility Meters... Tracking unlimited!
One more, just from the other day: I had to contact my cable company's tech support about a connecting issue. On the phone, the technician said, "I see you rebooted your modem about 10 minutes ago." I wonder what else is logged (tracked) at his end!
Anyway, I await more information about how Search Engine Tracking works (if more than just a cookie is involved!)
And don't forget WebBugs, those tiny 1 Pixel clear images that can track you, by invisibly downloading it to your Browser/Comp.
Also, even if you're on a different www but it includes ANY image/s linked from another www, the other www then knows your IP too.
If your IP is static then it's easy for ANY www to build up a database of numbers of visits & times/dates etc.
What I mean is that the code used to build the browser is something users can do nothing about nor have control over. We can try to lessen the risk that code gets exploited on our own machines by using 3rd party solutions, "being careful" and what have you, but that bad code is still there underneath it all. They are band-aid solutions, that's it. They really only work because most of the "bad stuff" out there is aimed at those with no band-aids at all and will move on to another sucker if they come up against anything that requires lifting a finger.
I'm aware of all of that...
But I want to focus on the Search Engine Tracking comment made in the article that's been cited.
Got the PM. Sandboxie is a "whole process" sandbox - the rules are the sum of all rules required fro all parts of the program.
Chrome's sandbox is designed around its architecture, for one process there is one sandbox design, for another process another sandbox design. Much better for implementing least privilege.
Chrome's sandbox is based on two things:
1) Having the broker process be a small codebase; easier to vet, easier to secure. m00n touches on this - Chrome's broker is medium, Sandboxie's is high.
2) Having the sandboxing be done (and enforced) by the operating system/ kernel.
I could write a lot about this. Sandboxie has its own 'pluses' but I think it's all been covered in a lot of detail throughout my time here.
OK, just checking, as it's impossible for me to remember Everything you know I wonder if you have taken those tests though ?
I agree though, often articles don't explain the ins & outs enough, or at All
Thanks. I found these statements:
Don't be sorry! I'm glad you made these points. FWIW (not much)
1 I agree with the need for verification of opinions/statements without facts
2 I agree we accept tracking from the library, store cards etc etc
3) You deserve more info on search engines
My thread here is a learning / research thread for me and anybody else IF we stay on topic.
I just blocked via FW a refer off a PayPal image when I clicked show image.
That is real evidence for me.
In my "role" as learner here why can't I get the benefits of both sanboxie by using chrome within sandboxie? Am I nuts? Don't answer that!!!
There ya go
Separate names with a comma.