Safe Browsing: 12. Browser Security


12. Browser Security

Now we get into the heart of things. 83% of all HASA visits over the past year have been performed using one of the two most popular browsers out there, Internet Explorer or Firefox. These browsers will be discussed in depth, but the kinds of security measures taken with the market leaders will apply to the next three most popular browsers as well: Safari, Chrome and Opera. These five browsers account for 98% of all HASA site visits.

This chapter discusses some general browser features. The following chapters will be step-by-step settings for each browser.

If it Crashes, KILL IT

There is one rule for all browsers I will say up front and unequivocally – if your browser crashes, kill the browsing session by forcing a full shut down and fresh restart of your browser.

Why? Recall what we discussed in Anatomy of an Exploit; a shell code exploit needs memory to run. It gets that memory by crashing a program and trying to grab some of the scattered memory left from the crash. If it can capture your browser, it now has access to anything in your browser that is not running in a protected or sandboxed mode. Unless you know for certain what caused your crash, close your browser to get rid of the memory. When you restart, do NOT allow the browser to "restore" your tabs or browsing sessions. Make it start fresh.

The users most susceptible to shell code exploits in the browser are those with multiple tabs open, with multiple logins running, who do not log out of web sites, who do not shut down their computers on a regular basis, and who are running an unstable, old and/or unpatched browser. Banks are seeing an upswing in robberies where a customer's browser was crashed and "pwnd" sometimes days before a visit to a banking site, and where the malware runs silently in the background until it recognizes a bank URL and begins logging keystrokes and/or hijacking a user session to run invisible browser windows and clean you out while you're checking your balance.

If you want to run your browser in an insecure way, that is your choice, but this is the truth about how browser-based exploits happen. It is not Windows. It is not even the browser. It is user negligence.

Internet Explorer

Internet Explorer is the browser used by most HASA visitors. IE users get a lot of flak for using this browser when the truth is that the functional differences between IE and all other browsers – speed, security, standards compliance – are negligible. Even the much maligned IE6 is a far better product than the media would have you believe, though it is too old to be worth maintaining.

Most of what IE users hear in the media is that they had better hurry up and use something cooler and (allegedly) safer, with little attention given to how to circumvent a wide variety of problems with a simple sweep through the browser settings.

Table of IE Combinations

This is a table showing what version of IE you should be running, given your OS.

| Operating System | IE8          | IE7          | IE6 |
| Windows 7        | Best         | NO           | NO  |
| Vista            | Best         | Acceptable   | NO  |
| XP               | Best         | Acceptable   | NO  |
| Earlier than XP  | Not Possible | Not Possible | NO  |

I think you can see a pattern. Under no circumstances should you run IE6. If you are not able to install IE7 or IE8 on your system, install Firefox. IE6 – which I still admire as the best, most stable, and most standards compliant browser out there for most of its functional life – simply cannot be secured against today's malware. With all patches applied, with all security measures turned on, it will not provide sufficient defense. It also has been surpassed in CSS and JavaScript support by every other current browser, so there is no compelling reason to use it if you are able to install a different product. If you are in a corporate environment and your company is not able to upgrade (usually due to a mission critical legacy system that requires IE6 to run), you are best off not to browse the web at work. I am very happy to say that IE6 usage on HASA has dropped precipitously in the last year. Even so, IE6 visits to HASA are higher than Chrome and Opera visits combined. I strongly advise HASA visitors to stop using IE6.

If you have XP or higher, do not waste your time with IE7. It was an excellent move by Microsoft to break out of the old browser mode, but can only be viewed as a transitional product. Some companies have standardized on IE7 (my own among them) due to legacy systems. Do your best to wheedle the IT department into letting you have IE8. Agree to do system testing, promise to be very, very good, whatever it takes to get IE8.

On your home machine, there is no reason not to use IE8. Indeed, most HASA visits are from IE8 users. It will run on XP and Vista, and is the default IE browser for Win7.

Firefox

Firefox is the second most used browser by HASA readers. While a good browser, it is not the most secure, no matter what you may have read in the press. On XP, since IE8's Protected Mode doesn't run, Firefox and IE8 offer approximately the same security level.  Firefox is not as secure as IE8 on Vista or Win7 because it does not offer the integrated Protected Mode. It has a private mode, but it is qualitatively different than the Protected Mode in IE8, which integrates browser and operating system security. However, if you have fully secured your computer and you are careful about your browsing, you will be as safe as if you are using IE8 on XP.  Remember – no browser is 100% secure, but good browsers can be made very secure.

While IE offers a standard security update every second Tuesday of the month, along with occasional out of band critical security updates, which are always well publicized, Firefox does not have a standard security update schedule. It pushes out a lot of security updates, though, so you have to be ready to install them. Turn on automatic updates and set to whatever you prefer for installation.

UPDATE YOUR BROWSER!

Looking only at my browser statistics since January 1, 2010, almost 12% of Firefox users are using Firefox versions older than 3.5. Fully half of the remaining 88% of visitors are still on some version of 3.5.x.  Firefox 3.6.x was released by mid-January and people should all be using it.

Update now!

Just as I strongly advise any user who can upgrade from IE6 to IE8, I also strongly advise any user who is on an earlier version of Firefox to upgrade to the latest 3.6.x version.  If you do not upgrade Firefox, you will be vulnerable to malware attacks. XP users running early versions of Firefox are just as likely to be hit with malware attacks as XP users running IE6. If anything, early versions of Firefox are less secure than patched versions of IE6.

Also, after you upgrade, go check your browser settings. On my last two upgrades (3.5.x, 3.6.x), all of my custom security and privacy settings were wiped out and I had to manually reset them. My experience may be anomalous, but it's always a good idea to double-check that your settings are in proper order.

If you are running XP and you cannot upgrade from IE6 to IE8, perhaps because it's a company machine and you need IE6 for a legacy application, see if your IT group will allow you to install the latest Firefox for ordinary web browsing. If you are running Vista or Win7, always have IE8 installed and use it for high security browsing, such as financial sites, but also use the most recent Firefox for ordinary browsing if you prefer that product.

Many people use Firefox specifically to get the add-ons. I have a double handful of developer add-ons installed, for example, and can't imagine running Firefox without them. One of the reasons some people give for not updating their version of Firefox is that a favorite add-on won't work in the newer version of the browser.  This is a fast route to having an insecure browser. In the case of popular add-ons, their updates generally lag the browser updates only by a few days or weeks. It is better to be without a favorite tool for a short period of time than to have your system compromised.
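The version advice above can be checked against a site's own visitor logs. The following is an added example, not part of the original article: it classifies User-Agent strings using the chapter's IE/OS table and its "latest 3.6.x" Firefox advice. The sample strings are constructed, and the function names and the "unrated" label are assumptions made for illustration.

```python
import re
from collections import Counter

# IE verdicts per OS, copied from the chapter's table.
IE_TABLE = {
    "Windows 7": {8: "Best", 7: "NO", 6: "NO"},
    "Vista": {8: "Best", 7: "Acceptable", 6: "NO"},
    "XP": {8: "Best", 7: "Acceptable", 6: "NO"},
    "Earlier than XP": {8: "Not Possible", 7: "Not Possible", 6: "NO"},
}
# Assumption: NT 5.2 (XP x64 / Server 2003) is treated as XP here.
NT_TO_OS = {(6, 1): "Windows 7", (6, 0): "Vista", (5, 2): "XP", (5, 1): "XP"}

def os_from_ua(ua):
    nt = re.search(r"Windows NT (\d+)\.(\d+)", ua)
    if not nt:
        return "Earlier than XP"  # e.g. "Windows 98" carries no NT token
    ver = (int(nt.group(1)), int(nt.group(2)))
    return "Earlier than XP" if ver < (5, 1) else NT_TO_OS.get(ver, "unlisted OS")

def classify(ua):
    """Return (browser, verdict) for one User-Agent string."""
    if "Opera" in ua:  # older Opera builds could announce themselves as MSIE
        return ("Opera", "unrated")
    ie = re.search(r"MSIE (\d+)\.", ua)
    if ie:
        major = int(ie.group(1))
        if major == 7 and "Trident/4.0" in ua:
            major = 8  # IE8 in Compatibility View reports MSIE 7.0
        os_name = os_from_ua(ua)
        verdict = IE_TABLE.get(os_name, {}).get(major, "not in table")
        return ("IE%d on %s" % (major, os_name), verdict)
    ff = re.search(r"Firefox/(\d+)\.(\d+)", ua)
    if ff:
        ver = (int(ff.group(1)), int(ff.group(2)))
        # Chapter's advice: anything older than 3.6.x should be updated.
        return ("Firefox %d.%d" % ver, "OK" if ver >= (3, 6) else "UPDATE")
    return ("other", "unrated")

# Constructed sample User-Agent strings (not taken from HASA's logs).
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19",
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
]

def summarize(uas):
    return Counter(classify(ua)[1] for ua in uas)
```

Calling summarize(SAMPLE_UAS) gives one count per verdict for the six sample strings. The Compatibility View check matters for statistics like the ones quoted above, since an IE8 visitor in that mode would otherwise be counted as IE7.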

Firefox Security Add-Ons

Two of the most popular add-ons are Adblock Plus and NoScript. Their functionality overlaps quite a bit, but each has a different focus. The first is aimed at advertising and the second at JavaScript in a web page.  Consensus in the web world is that Firefox isn't really secure unless you have one or both installed. (I do not personally use either of them, though I have them installed.)

Adblock Plus adds functionality to Firefox to allow a user to have the same level of control over cookies as the Privacy settings natively provide in IE. An advantage with Adblock Plus is you can import a subscription that is a text file of advertisers, which is quicker than manually adding them in IE. (There is an add-on to IE, Simple Adblock, which uses the same site list as Adblock Plus and does the same type of blocking but does not offer the editing tools of Adblock Plus. I am using it and think it works adequately to block advertisements on news sites. It does not replace the Privacy settings.)

NoScript performs many of the same functions as the SmartScreen Filter plus Restricted and Trusted site zones in IE, and can also be used to selectively block JavaScript execution on individual web pages. It must be updated frequently to keep its site lists current.

I can't recommend installing these particular add-ons to Firefox because I don't recommend software I do not regularly use myself and I don't use these add-ons enough. They provide some convenient controls to perform actions not built into Firefox, they have good reputations in the industry, and you may find them useful. I don't see any great harm in installing them, but you will have to invest some time to learn to use them effectively.

Ang's Personal Opinion:  If you have to add safety features through third party apps, the browser is not inherently safe. You have to trust that the add-on will work when the browser is updated, that it will work the same way with each update, that you are running the most up-to-date version of the add-on, that it will continue to operate in a safe and secure manner, that it will not itself be hacked or hijacked, that it will not conflict with other add-ons, that it will not conflict with the browser, and that the company or organization creating the add-on will continue to support it. Add-ons should be treated as convenient tools, not as true security, which needs to be built in to the program. End Opinion.

Other Browsers

For users with a Windows OS, there are only a few HASA visitors who do not run either IE or Firefox. Most of those visitors use Chrome, followed by Opera and Safari. A handful use Mozilla, a phone browser or Netscape.

If you are not on the most recent version of your browser, please update at once. Chrome, Opera and Safari have all released security updates in the last 90 days.

My one caution is, if you are a Windows user, do not use the various IE emulation plug-ins or add-ons available through other browsers.  Just use IE with the security settings discussed in the next chapter. Why?

  • If the emulator is done to "spoof" IE to be able to log in to a web site that only supports IE, you may end up with corrupted sessions because your emulator is not IE and will not interact with the site correctly.
  • The emulators mostly try to reproduce the visual/CSS rendering of older versions of IE. If you are an end-user, there is no reason to do that because you shouldn't be using an older version of IE. If you are a developer, Microsoft provides free Virtual PC images with IE6, IE7 and IE8 loaded that you can install for real testing environments. There is no reason to have a hacked-in rendering engine in another browser.
  • Security. These emulators do not provide the security tools built into IE8, specifically Protected Mode. Even worse, they usually are unable to call the security features of the parent browser.

Browser emulators are just a bad idea.  Don't use them.

For users who don't use a Windows OS, the same rules apply – keep your browser up to date and don't run emulators inside your browser.

Protected Mode vs. Sandboxes

In my browser research, I continually come across confusion between Protected Mode, which is something specific to IE7/8 running on Vista or Win7, and sandboxing, which is a security method used in Chrome and is likely to become a standard in IE, Firefox, Safari and Opera in the near future.

Protected Mode is a security relationship between IE and the OS. It applies to all browsing sessions as a whole, and is turned on by default in IE8. It prevents any requests coming from the browser to change things on your system unless you manually intervene and provide an administrator level password and "OK" to do so. It integrates the security of the browser and the OS and is primarily aimed at keeping malware from installing stuff on your system. If something can circumvent your OS security, you've got bigger problems than your browser. This is why I take time in this article to talk about the security of your OS and not just your browser.

A sandbox is a container inside an OS that tries to prevent things from leaving the container. It doesn't integrate into the underlying OS. In Chrome, each browser tab is a sandbox. The main advantage of sandboxed tabs is that they prevent crashes and shell code exploits in one tab from taking over the memory and sessions in the other tabs. This is very good. If the malware can break out of the sandbox, however, then it may be able to affect your OS, in which case you are back to how well you set up the user security on your machine. In my own tests with Chrome, I have never observed isolated tab crashes; all crashes have always brought down the entire browser.

Sandboxing is not limited to just the browser. Running a virtual machine with any browser inside of that creates a sandbox. For example, any testing that I have to do with IE6, Chrome, Safari or Opera is all done inside of a virtual machine on my regular machine. Unless you are doing some pretty heavy duty development and need to maintain isolated browser versions (or are totally paranoid), it's generally not worth the effort to use a virtual machine just to sandbox a browser.

Fundamentally, these are two different kinds of security. Protected Mode prevents your system from being changed without your knowledge. Sandboxing tries to corral malicious activity inside an application. Sandboxing needs to be regarded as an extra layer of security. If the tab crashes and recovers the memory and has something running in it, you still have infected memory and anything you do with that tab afterwards is endangered. You need to have more security measures than just a sandbox. Likewise, Protected Mode is not sufficient to keep malware from taking over your browser memory after a crash and running memory resident code. Neither will defend you against malicious code you deliberately install, like a spyware screen saver, nor will they help you if you open malware-infested attachments. My preference is for a browser that would support both features, but I doubt that will happen before the release of IE9. I don't think IE8 will be retrofitted with sandboxed tabs, but I could be wrong.

The rest of the article focuses on specific security settings for IE and Firefox. 



Story Information

Author: Anglachel

Status: General

Completion: Complete

Era: Other

Genre: Research Article

Rating: General

Last Updated: 06/19/10

Original Post: 06/14/10
