Web Browser Hardening (Privacy & Security) revived

Discussion in 'other software & services' started by Escalader, Apr 13, 2013.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,976
    Ok, thanks Mman, that's pretty much what I thought....
     
  2. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    You're welcome. That's one of the things that make me forgive Chrome when it acts goofy. It basically does all the updating work for me. I just love that to pieces, lol.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi Thread:

    As the owner of this thread please lets not stray into linux vs windows at this time. Or my av is better than your av.:D

    I am only interested in browser hardening. :cool:


    Thanks so far for all the contributions.:thumb:
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    You bet. I'm not near the expert some of you are, but I've been at this a while and have learned a lot. Browser hardening isn't something you need to take a lot of time and effort to do, nor does it require a truckload of 3rd party solutions to do it. In fact, I'd say doing that opens up more possible attack doors. Chrome cuts a good amount of work out of browser hardening. Say what you will about Google and data, but I don't know of anyone who has complained yet that Chrome security is too little.

    What we need to keep in mind though is that no matter what we do to "shore up" browser defenses on the outside, inside is what counts and that's where it's in the hands of no one but the vendors. So sure, it's kind of interesting to talk about all the ways we personally can lower our attack chances. But, if the code inside is junk or flawed, it's like putting lipstick on a pig.
     
  5. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    That article states,

    But doesn't describe how it tracks you.


    ----
    rich
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks adrenaline! Great read!

    I downloaded the whole article and have it in word document.

    May I respectfully ask the posters here to read this document and then review their suggestions and post back where they agree and disagree and why.:eek:

    My own tilt is shifting to global no script and the whitelisting idea for those sites I want to allow (bank etc). :doubt:

    The other new idea for me (maybe not others) is the alternate search engine that does not track or report back to the mother ship. :cool:

    I still don't understand why IE9 inside sandboxie (as I am as I post this) isn't just as good as chrome with it's sandbox. with sandboxie I can run any program in the box. :D
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Maybe so rich.:thumb:

    BUT why do we care it tracks us is the point and how to not be tracked is my concern on privacy.:ouch:
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,976
    Hungry Man would probably know the answer to that, if he happens to read this thread... Or maybe PM him..
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Attack I can deal with it's loss of privacy vs search effectiveness I fear.

    I have a better opinion of chrome now than when the thread begins.

    Please say more clearly for me anyway what you mean by inside and outside.

    Are you saying open code "inside" is worse or better from a security point of view. I'm thinking open code being open can be exploited by smart bad guys.

    Why am I wrong ?
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    I PM'd him inviting him to comment. Good idea:D
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Hi M!

    Read it and only grasped 50% of it. What was the bottom line on this question?

    I'm in IE9 with Active x and smartscreen filter ON all the while inside sandboxie.

    IF i go to chrome are you saying I can/should drop sandboxie? maybe dumb question only proving I caught 50%:oops:
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sorry, my bad. I forgot to mention to read from https://www.wilderssecurity.com/showpost.php?p=2215311&postcount=114 onwards, between Windows_Security (former Kees195:cool: and me.

    Anyway, point being that if I had to make a choice, which I did, I'd rather use Internet Explorer Protected Mode/Enhanced Protected Mode or Chromium's sandbox.

    The choice to me is simple, really, as I mentioned in the other thread.

    Internet Explorer Protected Mode: parent process at medium integrity level <-> child processes at low integrity level.
    Internet Explorer Enhanced Protected Mode: parent process at medium integrity level <-> child processes at appcontainer integrity level

    To the best of my knowledge, there's no easy way, and preferable not to tweak IE's integrity levels.

    Chromium/Chrome sandbox, normally is as follows: parent process at medium integrity level <-> child processes at untrusted integrity level.

    Easily tweaked to be low integrity level <-> untrusted integrity level

    In my book, it's preferable to have that over Sandboxie's way, which is: Sandboxie processes running at system integrity level <-> sandboxed processes at untrusted integrity level.

    To make it short:

    Internet Explorer (Enhanced) Protected Mode: medium <-> low/appcontainer
    Chromium: medium/low <-> untrusted
    Sandboxie *: system <-> untrusted

    * Only version 4 has sandboxed processes running in Untrusted IL. Previous versions have the same permissions has the user.

    From higher privileges to lowest privileges: System, High, Medium, Low, Untrusted, AppContainer (Windows 8 ).

    Hope this ain't more confusing. lol

    -edit-

    If you can/should drop Sandboxie for IE/Chrome, it's up to you to assess the risks involved in such scenarios. I'm by no means saying that anyone should drop something over something.
     
    Last edited: Apr 15, 2013
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I'm sorry, Escalader, but a statement such the article makes without details is just not sufficient!

    If I'm not told how that tracking works, I don't know how to avoid it (without using a different Search Engine, which may not be necessary if other options are available.)

    Taking statements at face value in these articles without being able to corroborate/verify would force me to take actions without understanding everything involved. In my view, these things border on being unnecessarily alarmist.

    My understanding is that a Cookie is required in order for a Search Engine to track. Now, there may be something else involved that I'm not aware of, but the article gives no information.

    A while back, a thread discussed Google's combining all of its services (easier to track users) but that requires setting up a Google account, such as G-mail, and setting a cookie. In this case, Google has your email address and possibly the home address for billing, in the account. But no one is forced to have a G-mail account.

    I don't understand all of the hoopla about Search Engine Tracking. Assuming a Cookie is used for tracking, it's a user option (an Opt-in configuration), isn't it?

    I wonder if people are as concerned about other types of tracking we are faced with in life:

    • Library Card: if I have one under my real name, real address, the Library knows my reading habits

    • Rewards Card: More and more retail stores are offering this. It tracks your purchasing habits at that store. There is nothing nefarious about this -- it helps their marketing. But it is still "tracking." Are people as concerned about this as Search Engine Tracking? (A library or reward card is a "Cookie.")

    • On line purchasing, Accounts on line: If I have an account at Amazon.com, it has my purchasing history. With its cookie, it also records my browsing history on the site.

    And much more, such as the IRS, Social Security, State Motor Vehicle Agency (bad driving record!), Insurance Companies, Smart Utility Meters... Tracking unlimited!

    One more, just from the other day: I had to contact my cable company's tech support about a connecting issue. On the phone, the technician said, "I see you rebooted your modem about 10 minutes ago." I wonder what else is logged (tracked) at his end!

    Anyway, I await more information about how Search Engine Tracking works (if more than just a cookie is involved!)


    ----
    rich
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ Rmus

    Not just SET, but ANY www "can" gather Tons of data about your System etc. Apart from Cookies, if you have JavaScript/Java/iFrames/Referrer etc enabled, then it's Much worse ! Try these with & without those things enabled to see what They "can" see/store. Of course it doesn't mean All www's do auto store All/Any of the data, but x amount will & do.

    *

    And don't forget WebBugs, those tiny 1 Pixel clear images that can track you, by invisibly downloading it to your Browser/Comp.

    Also, even if you're on a different www but it includes ANY image/s linked from another www, the other www then knows your IP too.

    If your IP is static then it's easy for ANY www to build up a database of numbers of visits & times/dates etc.
     
  17. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    What I mean is that the code used to build the browser is something users can do nothing about nor have control over. We can try to lessen the risk that code gets exploited on our own machines by using 3rd party solutions, "being careful" and what have you, but that bad code is still there underneath it all. They are band-aid solutions, that's it. They really only work because most of the "bad stuff" out there is aimed at those with no band-aids at all and will move on to another sucker if they come up against anything that requires lifting a finger.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I'm aware of all of that...

    But I want to focus on the Search Engine Tracking comment made in the article that's been cited.

    Thanks,


    ----
    rich
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Got the PM. Sandboxie is a "whole process" sandbox - the rules are the sum of all rules required fro all parts of the program.

    Chrome's sandbox is designed around its architecture, for one process there is one sandbox design, for another process another sandbox design. Much better for implementing least privilege.

    Chrome's sandbox is based on two things:

    1) Having the broker process be a small codebase; easier to vet, easier to secure. m00n touches on this - Chrome's broker is medium, Sandboxie's is high.

    2) Having the sandboxing be done (and enforced) by the operating system/ kernel.

    I could write a lot about this. Sandboxie has its own 'pluses' but I think it's all been covered in a lot of detail throughout my time here.
     
    Last edited: Apr 15, 2013
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    OK, just checking, as it's impossible for me to remember Everything you know ;) I wonder if you have taken those tests though ?

    Try these.
    I agree though, often articles don't explain the ins & outs enough, or at All :(
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Thanks. I found these statements:

    Indeed!


    ----
    rich
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Rich!

    Don't be sorry! I'm glad you made these points. FWIW (not much)

    1 I agree with the need for verification of opinions/statements without facts
    2 I agree we accept tracking from the library, store cards etc etc
    3) You deserve more info on search engines

    My thread here is a learning / research thread for me and anybody else IF we stay on topic.
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses


    I just blocked via FW a refer off a PayPal image when I clicked show image.

    That is real evidence for me.:thumb:
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    In my "role" as learner here why can't I get the benefits of both sanboxie by using chrome within sandboxie? Am I nuts? Don't answer that!!!:D
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    There ya go ;)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.