What is your browser security approach these days?

Discussion in 'other anti-malware software' started by Kernelwars, Apr 22, 2011.

Thread Status:
Not open for further replies.
  1. Eirik

    Eirik Registered Member

    Joined:
    Oct 6, 2008
    Posts:
    544
    Location:
    Chantilly, Virginia
    My approach to browser security is compartmentalization.

    Browsers are too complex to be trusted within their 'domain' but their risks to the rest of the PC can readily be contained. So, I use three different web browsers.

    - Chrome for my 'everyday' browsing, including unfamiliar and relatively higher risk destinations
    - Firefox for sensitive tasks at known places ONLY (no other browsing)
    - Sometimes use a 3rd browser for rare highly sensitive browsing only (doesn't have to be the most robust of the browsers)
    - And when I'm feeling particularly paranoid, re-locating to an isolated LAN where nearby potentially compromised endpoints cannot launch various forms of man-in-the-middle or other local network originating attacks that might fool my web browser, SSL/HTTPS, or myself.

    Browsers are increasingly using separate processes to compartmentalize. Some are even dynamically abstracting their libraries to compartmentalize risk from vulnerable library binaries to minimize impact on other tabs/windows. Even so, something 'communicates' and 'coordinates' amongst all a multi-process browser's tabs/windows, which is why I FEEL better relying on the compartmentalization achieved with totally separate and different web browsers.

    So, the result is that I enjoy the conveniences and pleasantries of all that a web browser offers without letting low-priority, unsafe tasks put high priority tasks at risk. No special browser security applications or rigorous hardening settings. No false positives. No URL blacklisting. Just browsing.

    It's not perfect; it's not as secure as it could be. But it's easy and quite safe overall.

    Cheers,

    Eirik
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Nice points, I have had very similar ones. I do still use SBIE because of the following

    1. each browser has its own sandbox - allows me to restrict what runs when browsing and what can have network access. It replaces a default-deny setup and a firewall. I make exceptions for things like Foxit so that I can view .pdf files in the same sandbox as the browser
    2. each browser's sandbox can be deleted without affecting other browsers/sandboxes
    3. downloads by default are forced into a sandbox with no outbound comms allowed - this allows testing of new executables
    4. another sandbox for "live testing", where outbound comms are allowed
    5. media players are forced into yet another sandbox

    I like the segregation SBIE lets me have, so that per browser I can delete or restrict. The Low IL is a nice fringe benefit but for my browsing I have grown to appreciate not only the security SBIE brings, but I think more than that I like having a clean environment in the real OS, knowing that what takes place in the sandbox is only temporary and very easy to clean up.

    I have MBAM installed in case I ever do something stupid like executing something without taking the proper steps. Once in a blue moon I submit something to an online scanning service, but that is the extreme for me.

    Sul.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unfortunately, many people disable UAC, especially after reading certain "security experts" advising it. So, they run without Protected Mode. Worse, most of them are running an administrator account with UAC disabled. Windows 7, due to the UAC level being less "annoying" by default, may make them run with UAC, without even knowing... But most Windows Vista users most likely have it disabled. :ouch:

    I was truly hoping that Microsoft would release IE9 without requiring UAC to be enabled, to provide its sandbox. Sadly, that wasn't the case. So, unlike Google Chrome, I can't truly say that IE9 provides an out-of-the-box sandbox, because the IE8/IE9 sandbox requires UAC.
     
  4. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    What I don't really understand is why use Firefox with NoScript inside Sandboxie/Bufferzone/Geswall? If it's sandboxed, then the whole point is that it doesn't matter what you do inside the sandbox, so surely NoScript (which I find infuriating to use, anyway) becomes redundant? I can understand blocking annoyances like ads, but do we need everything else if we're sandboxed? Purely a question to the experts :) .
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I'm no expert, but I'll tell you how I perceive it.

    The sandbox environment is a long term environment unless you delete it. That means if you get a keylogger etc. in that environment, it runs just like it would on the real system, and sends data just as normal. The threat of not taking precautions then still leaves specific threats, but maybe not all the threats the real system would have.

    To mitigate such threats, you can use something like NoScript within the sandbox to keep that environment clean. You might think this is overkill, but step back and examine it for a minute. You know that "what happens in the sandbox stays in the sandbox", so your real system is not at risk. But you can still do things in the sandbox that might get compromised.

    The other method (the one that I use) is that I tell SBIE to only allow specific processes to run. This means my browser and my pdf reader. Everything else will be denied rights to run. This is a good setting for me. I also do the same with network communications: only my approved processes are allowed. This way, I have two ways to stop something like a keylogger, both by restricting it from starting and by not letting it communicate.

    Make sense?

    Sul.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    In the end, we kind of achieve the same goals, just using different measures. :argh:

    One of the reasons that actually made me kind of stop sandboxing the web browser was that, if at some point I decided to run it unsandboxed (despite being forced), whenever I opened a PDF file, mp3, etc., they also ran outside of the sandbox... even if the applications (pdf reader, media player, etc.) have their own sandboxes. I actually expressed as a wish that Tzuk makes it possible to still force programs to their respective sandboxes in the scenario I mention. I don't like it as it is.

    I just don't bother much with the contents the web browser creates in the real system. There aren't that many places where it can store data, anyway. ;)

    I also run Chromium in Incognito... though sometimes, when initiating certain stuff it does get out of the Incognito mode... bad design, IMO. Nothing something like CCleaner can't handle. I also delete everything in my Chromium profiles, except Chromium settings. :p

    Cookies are blocked. When they're needed, I only allow them for the current incognito session.

    99% of the time, I use my most restricted profile, which has JavaScript and plugins disabled. Adding to that the low integrity level, I just don't see the security benefits (unless I wanted a different way to restrict Internet access, etc., like you) it would bring me. The only security/usability I need it for is for Adobe Reader, media player, etc... and it does its job just fine... ;)

    Sometime in the future I may try to test something more... like a SteadyState-like feature, by using Windows' own features. Microsoft provided some documentation some time ago (still provides)... Who knows if I'll like it enough...
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    FF4 with WOT, NoScript (on demand), BetterPrivacy and BitDefender QuickScan
    and sandboxed by DefenseWall.
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Sandboxie (Paid) with Drop Rights + Internet Access Restrictions + Start/Run Access Restrictions + Forced Web Browsers.

    Adblock Plus (Subscriptions: EasyList + Easy Privacy + Malware Domains)

    Firefox with AVG Linkscanner + McAfee SiteAdvisor
     
  9. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Perfectly, Sully - thank you for a thorough explanation :thumb: .

    So, if you set your sandbox to delete itself each time your browser closes and restrict what applications have internet access/run access, then most other protection addons for browsers are not really needed?
     
  10. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    - FF4 with ABP (EasyList, Fanboy's List, and Malware Domains) and WOT.
    - Sandboxie
    - KeyScrambler
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Pretty much so IMO, especially if you restrict what can run. Besides this, SBIE will throw a message screen for certain activities, which lets you know when something is happening. I leave those on, so that I know if a forced program started outside the sandbox or that something wanted to run but was denied.

    Sul.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As moonblood

    a) Chromium, disabled the 'external' Adobe Flash and pdf reader, only using Chrome's internal versions (which should be sandboxed, but I still use the --safe-plugins switch)
    b) 1806 registry trick (deny execute bit)
    c) deny execute of download directory (I also like the fact that one can set the default download folder without save as prompt, within Chrome)
    d) McAfee SiteAdvisor for Chrome

    It is enough, no malware can break through that, it is a 100% solution, because Chrome is located in a user directory and I only allow elevation from safe places (and they have to be signed, which Chromium is not), so there is a second policy container around it.
     
  13. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Thanks again for the reply, Sully - much appreciated :thumb: .
     
  14. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    Mozilla Firefox 4.0
    • AdBlock Plus (EasyList+EasyPrivacy, Fanboy's List, Malware Domains)
    • NoScript
    • Sandboxed by DefenseWall
    Google Chrome 12 Developer
    • "--safe-plugins"
    • AdBlock Plus (EasyList+EasyPrivacy, Fanboy's List, Malware Domains)
    • Block all plugins/scripts
    • Sandboxed by DefenseWall
     
    Last edited: Apr 23, 2011
  15. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    The only thing I use is EMET on IE9, nothing else. :)
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    @mrfargoreed: NoScript is only useful for privacy if you have Sandboxie set up properly. Can also help in speed, resource usage, disabling annoyances, etc., but I find it a PITA as well.

    @m00nblood: I still find Windows 7 default UAC annoying, so I've set it to silent mode. To do that, open secpol.msc > Local Policies > Security Options > User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode > Elevate without prompting
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I know I can do it. I personally don't do that, simply because I don't consider UAC to be annoying, once you get to know how it works and what it aims to do.

    But, what % of people would know about that setting... which, by the way, it requires gpedit/secpol... Not all Windows Vista/7 versions have it. The alternative would be to hack into the registry... Again, how many people would even know what key they should create/modify?

    Not even the so-called security experts know a thing about it. :ouch: Yet, they still recommend this and that, just because it annoys them... o_O
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which is also one of the reasons why I run Chromium with an explicit low integrity level. It won't ever elevate and nothing can elevate it either... :D
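The post above describes running Chromium at an explicit Low integrity level. As an added example (not from the thread or from any poster), this PowerShell script applies that setup with icacls: a Low mandatory label on the Chromium directory, so any process started from chrome.exe gets a Low token (Windows gives a new process the lower of the parent token's level and the executable's label), plus Low labels on a dedicated profile and download directory so the browser still has somewhere it is allowed to write. The three paths are assumptions for illustration.

```powershell
# Added example, not part of the thread: run Chromium at Low integrity via
# file labels, then verify the labels before launching. Paths are assumptions.
$chromiumDir = 'C:\Tools\Chromium'            # portable Chromium copy (assumed path)
$profileDir  = 'C:\Tools\ChromiumProfile'     # --user-data-dir for the Low-IL instance (assumed)
$downloadDir = 'C:\Tools\ChromiumDownloads'   # the only place this browser may save files (assumed)

function Set-LowIntegrity([string]$Path) {
    # (OI)(CI) makes the label inherit to existing (/t) and future files and
    # subfolders. A process started from a Low-labelled chrome.exe gets a Low
    # token; Low-labelled profile/download folders stay writable for it.
    & icacls.exe $Path /setintegritylevel '(OI)(CI)Low' /t /c | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit code $LASTEXITCODE)" }
}

function Test-LowIntegrity([string]$Path) {
    # icacls lists the label as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)";
    # (NW) is the No-Write-Up policy that stops the process writing to Medium objects.
    $acl = & icacls.exe $Path
    return [bool]($acl -match 'Mandatory Label\\Low Mandatory Level')
}

foreach ($dir in @($chromiumDir, $profileDir, $downloadDir)) {
    if (-not (Test-Path $dir)) { throw "Missing directory: $dir" }
    Set-LowIntegrity $dir
    if (-not (Test-LowIntegrity $dir)) { throw "Low label was not applied to $dir" }
}

# The token is Low no matter who starts the process, so the browser cannot
# write to anything labelled Medium or higher (the rest of the user profile,
# Run keys in HKCU, etc.) and an elevation request from it is never auto-approved.
Start-Process -FilePath (Join-Path $chromiumDir 'chrome.exe') `
    -ArgumentList "--user-data-dir=`"$profileDir`""
```

Two caveats a practitioner should keep in mind. The default mandatory policy on files is No-Write-Up only: a Low process can still read any file the user can read, so this contains persistence and profile tampering, not data theft. And the Low label on the profile directory cuts both ways: every other Low-integrity process on the machine (IE Protected Mode tabs included) can write into it, so keep that directory for this browser alone.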
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Like the rest of my setup, my approach to browser security is default-deny. Seamonkey is my default browser. K-Meleon is an alternate. Internet Explorer has been removed from every OS except one. On that OS, it's for admin use only. Browser executables are not allowed to parent any other processes, save ddhelp on the 98 unit. Proxomitron and explorer.exe are the only processes allowed to parent a browser process. XPI install is disabled.

    All browser traffic is forced through Proxomitron by firewall rules. If a browser tries to connect out on a non-standard port, Kerio alerts me. Proxomitron is configured to use proxies or Tor when desired. My home page is a local page of links to sites I visit the most.

    Proxomitron enforces default-deny on the web content. The BetterPrivacy extension is an additional privacy protection layer. Java is allowed by exception only. Flash content is replaced by links, which are saved to the desktop, then opened in a standalone player. Other media files and PDFs are saved and opened by their own handler, not in the browser. Common adservers and Google's garbage (ads, analytics, syndication, etc) are blocked with a hosts file and/or filtered out with Proxomitron. Javascript is restricted. Still working on the Proxomitron rules for this. User agent is switchable, default response: "Not your concern." Referrer is spoofed to the same site that's asking. WSH is blocked or not installed. The browser cache is on a RAMdrive, which is erased regularly. All executables on the RAMdrive are blocked by SSM. Most cookies are session. Prefetching is disabled.

    This arrangement has worked well for me no matter where I go.
     
  20. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Agree, right now I use w7 Home Premium, I miss gpedit :ouch:
    Could anyone point me what key should I create/modify to auto elevate?
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Go here

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Look for ConsentPromptBehaviorAdmin and edit that entry, changing its value to 0.

    Code:
    0 = Elevate without prompting
    1 = Prompt for credentials on the secure desktop
    2 = Prompt for consent on the secure desktop
    3 = Prompt for credentials
    4 = Prompt for consent
    5 (Default) = Prompt for consent for non-Windows binaries
    
    -edit-

    There's more info regarding UAC and its registry settings, etc. here: http://technet.microsoft.com/en-us/library/dd835546(WS.10).aspx

    Always useful to have at hand, for any situation... ;)
     
    Last edited: Apr 22, 2011
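The post above lists the ConsentPromptBehaviorAdmin values, and earlier posts cover the "silent elevation" tweak, why IE Protected Mode needs UAC on, and the 1806 zone trick. As an added example (not from the thread or any poster), this PowerShell script reads those registry values, applies the defaults Windows uses when a value is absent, and turns them into findings; it also offers a guarded function to put the UAC values back. The default values assumed when a value is missing (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1, Internet-zone 1806=1) and the 1806 meanings (0 = Enable, 1 = Prompt, 3 = Disable) are stated as assumptions here.

```powershell
# Added example, not part of the thread: audit the UAC and Internet-zone
# settings the posts discuss. Reading needs no elevation; Restore-UacDefault
# needs an elevated shell, and an EnableLUA change takes effect after reboot.
$uacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Zone 3 is the Internet zone; action 1806 is "Launching applications and unsafe files".
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# ConsentPromptBehaviorAdmin meanings, as listed in the post above.
$adminPromptMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-RegValue([string]$Path, [string]$Name, [int]$Default) {
    # Return the named DWORD, or $Default when the value or key is absent
    # (assumed to match what Windows falls back to for these settings).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]($item.$Name)
}

function Get-UacStatus {
    $enableLua  = Get-RegValue $uacKey  'EnableLUA'                  1
    $adminMode  = Get-RegValue $uacKey  'ConsentPromptBehaviorAdmin' 5
    $secureDesk = Get-RegValue $uacKey  'PromptOnSecureDesktop'      1
    $launch1806 = Get-RegValue $zoneKey '1806'                       1   # 0 = Enable, 1 = Prompt, 3 = Disable

    $findings = New-Object System.Collections.Generic.List[string]
    if ($enableLua -ne 1) {
        $findings.Add('EnableLUA=0: UAC is off, so IE Protected Mode cannot run and an admin session holds a full token at all times.')
    }
    if ($adminMode -eq 0) {
        $findings.Add('ConsentPromptBehaviorAdmin=0: any code running as this user can obtain a full admin token with no prompt.')
    }
    if ($adminMode -eq 3 -or $adminMode -eq 4 -or $secureDesk -ne 1) {
        $findings.Add('Elevation prompts appear on the normal desktop, where other user-mode code can draw over or drive them.')
    }
    if ($launch1806 -ne 3) {
        $findings.Add('Internet zone action 1806 is not 3 (Disable): files carrying the Internet zone mark, such as fresh downloads, can still be launched.')
    }
    New-Object PSObject -Property @{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = "$adminMode ($($adminPromptMeaning[$adminMode]))"
        PromptOnSecureDesktop      = $secureDesk
        InternetZone1806           = $launch1806
        Findings                   = $findings
    }
}

function Restore-UacDefault {
    # Puts the three UAC values back to the Windows 7 defaults. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($uacKey, 'Set EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1')) {
        Set-ItemProperty -Path $uacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
        Set-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorAdmin' -Value 5 -Type DWord
        Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord
    }
}

Get-UacStatus | Format-List
# Restore-UacDefault -WhatIf     # preview; drop -WhatIf in an elevated shell to apply
```

The point of the findings list is the one made in the posts: with ConsentPromptBehaviorAdmin set to 0, UAC is effectively still "on" as far as Protected Mode is concerned, but anything running in the session can elevate silently, which is the worst of both worlds. Group Policy (secpol.msc) writes the same values under this key, so the script reports the effective setting whichever way it was changed.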
  22. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Prevx with SafeOnline!

    TH ;)
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It works all right, except in idiotic repetitiveness with no easy way to remember user decisions.

    This article describes both methods, and has registry files you can import.
     
    Last edited: Apr 22, 2011
  24. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Since 2000:

    1. Everything inside browser turned off.
    2. Proxomitron.
     
  25. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    @ m00nbl00d & J_L : thx for the help
     