User beware. Today's web browsers offer more security protections than ever, but according to security experts, they do little to protect people surfing the net from some the web's oldest and most crippling threats. Like nuclear stockpiles during the Cold War, new safety features amassed in Firefox, Internet Explorer and Opera …
"and Microsoft's then deep-seated inattention to security"
THEN? Well, I haven't touched MS software in about 7 or 8 years, so can't say much about the current state of affairs... but I hope your adverbial usage there is correct... even if I won't be using MS software anyway, most probably. :-)
Whine whine whine...
Same story as we've all heard before; nothing is safe. So go turn off your computer, put it in cement, and drop it in the deepest part of the ocean.
What people need to realize is that their browser is just like a car for the internet, and it doesn't replace them as the driver. You want to be safe? Drive safe. Unless you want one of those rumored package services that have been muttered (pay $50 to get 50 websites to visit!) and have no sense of choice or freedom, get smart and stop letting yourself be the victim of browser exploits. God knows the Firefox addons mentioned on the first page help a great deal in improving your security.
I think that the fact that security researchers will only access "sensitive data" while sitting in a copper lined room using Lynx or some other wierd antique browser says more about their mental state than anything else. A bit like the people (mostly in the USA) who don't feel safe without a loaded weapon in their underpants.
If one's really worried about being hacked, surely the most sensible precaution is to find a bank with T's & C's that protect the customer, rather than trying to build ones own fortress against mysterious "bad guys".
On the other hand...
Has anyone tried PicLens?
Nice last line...
...biting Donald Rumsfeld's arse. Couldn't have happened to a nicer man.
Back on topic, NoScript is now installed here!
MS certainly pays more attention to security than Apple does these days.
Linux is still top.
That makes for the safest web browser, now one you have to opt-out from.
Mainly spot on
"Browser" security is difficult to achieve - should the browser be responsible for the plug-in being exploited?
Most users do not seem to understand how important security and privacy are in the online world. That is until they are themselves directly affected by abuse. Until then functionality is all they're interested in. Opera 9.5 had an extensive alpha and beta period and an extremely communicative developer team. User feedback on the weekly builds was dominated by people obsessed with whether Opera worked with one site or another (Google mail being one of the most common) and whether how many ACID tests could be passed; it maybe worth noting that there is no security test suite. Releases which introduced new security features such as extended certificates were largely ignored. Given such a climate it isn't difficult to understand why developers also put security second.
Nice article but surprising to see something so one-sided on el-reg, the entire article was written as though the only OS in existence is windows. The point about using a separate system for important bank transactions could have done with a mention of 'knoppix, for instance' and a bit less of the 'weirdo' aspect. Many firewalls run from live CD's on systems with no hard drive to make it impossible to write to the file system so a reboot guarantees a clean system. Personally I will not even enter my email address into a windows box if I can avoid it and it will be a cold day in hell before I'll enter any bank details.
Pisses me off
As an information security professional, the paranoia spouted by some other IS people really pisses me off. If we want to make a difference, we should be eating the same dog food as everyone else. While I like Jeremiah Grossman's work, the whole "You're all Dooooooooomed" attitude don't help.
I have to admit to using NoScript and Adblock on my home browser, but mainly for the purposes of speed and curiosity about what sort of crap sites are loading on top of the proper content (El Reg, I'm looking at you).
@Rich - Good luck with finding a bank whose T's & C's protect the customer, I don't think there are any. Instead, find a bank that uses partial credentials for login (ie Characters 2 4 and 7 from a password), and/or Two Factor Authentication when making payments (using it at login is mostly a gimmick).
"I really don't think people are in a good position from a technology perspective to defend themselves with what they're given by default in a browser."
The most elegant apology for man's lack of Intelligence as you may ever have read.
That Creates an IntelAIgents Opportunity for Secured Intelligence Services ..with Genuine In House Online Intelligence Needs..... which are AI Feeds.
Virtual Machines Feeding Virtual Machines for the Machine ..... Automatically with Actionable InterAction at Core Driver Levels, the Objective Function.
Not much different than car security
In the beginning there were no doors on cars. Then they got doors and windows. Then came locks which you didn't need a key for ( I used any old key or a blunt knife for one of my cars) . After a while we were sold car alarms. Now there are immobilisers, trackers, remote locking and still cars get nicked - the more expensive, the more protection built in to the car and it ends up in a container bound for some other part of the world.
Security is a double-edged sword, the more it protects the more it invites attempts to bypass it or just use brute force to go straight through it.
No matter how fancy the systems, most people still get the brick through the window then it's used to rob a bank.
Years ago at work we were told we had to have a boot-up password on our machines 'for security'. We all dutifully set passwords but some thought a bit further than that. When asked about my password I showed my boss a bit of Blu-Tack on top of the monitor with a little 8-pin chip stuck in it. "It's there, in the chip. If I can spend five second taking the chip off the motherboard anyone can. Oh, and the PC case has a handy diagram to find the chip or reset it". I was fortunate to have a boss who actually understood computers a bit further than which way up to hold the mouse and he accepted that the message from on high was crap as they'd never considered looking inside the Compaq machines, just that you could set a password and then no-one but you could ever get on the P.C.
Now if only there was a way of scaning a website for any nasties before you clicked on the link... Oh but wait, that would mess up poor webmasters log files....
@AC re Whine
I knew someone would say that. Other helpful and insightful statements such as "It's the wild west out there so get used to it and wear body armour" come to mind. That response and attitude is fine if the only use for the internet is as a useful and intellectually challenging toy/tool for techie types such as AC (and me and you), but it's not.
Large amounts of money have been invested by legitimate organisations to set up and run services for each other and for retail customers. Retail customers are spending large amounts of money and running their daily lives over them. In the real world, any vandalism or criminal attack on such important facilities and services would be seen as needing a rapid and forceful response from the relevant authorities. On the internet it's a case of hand wringing and interesting studies, conferences and white papers.
AC used a car driving analogy and yes, the driver should learn how to drive 'safe' and not go down a pot-holed dirt track at night. What is happening however is that some people are building fake exit roads with all the right markings and lighting and a sign that says 'Rest Stop - free coffee and cakes - banking facilities'. I'd drive down that road if I saw one, then pull in and get my pocket picked and my credit card stolen, probably. If anyone actually tried that, the police would jump on them, then the courts would put them away. On the internet, it happens all the time.
So what your saying is that if we want to safely browse the web, use Lynx.
Why do I never get viruses....
... I'm a Systems Administrator who runs computers at home and at work with full admin rights.. (I know, not best practice) I use Firefox with noScript most of the time but when I have to, I use Internet Explorer for certain sites. Why then have I not had a virus or even malware infect any of the computers I use in at least the last three years or so? Probably the same type of reason that I have never in my life been hit by a fast moving vehicle.
Come on.... even the grand Miss Hilton could work out what I am trying to say here...
Driving gloves for the Internet Superhighway
Dan is partially correct that the openness of the infrastructure of the Internet is part of the problem, but that's because much of the infrastructure is twenty years old and over and wasn't designed or indeed evolved for mass public access. The DNS protocol doesn't have security in by design, but its very openness has meant that security has been added to the resolver software.
Similarly browser software has evolved while retaining the same simple HTTP(S) protocol at its heart. The pragmatic approach has always been to allow new technology: this has lead to AJAX as an asynchronous method of delivering data in a way that only would have been dreamed about ten years ago (I know, I was one of the dreamers). However, as always there are those who will exploit new technology and break the very loose bonds of trust between browser developer and user. However, is it the browser's duty to protect us? Is it the operating system's?
Anyone could implement a sandpit - all it takes is a copy of VirtualBox and a disk image with enough to run Firefox in, which, with the plethora of portable distributions would be simple enough to even distribute on a smallish pen drive.
Similarly, as discussed in the article, it's easy enough to kit Firefox out with a good defence mechanism - NoScript, Adblock Plus and NoFlash are a good minimum starting position. Opera implements most of these options natively.
So why is Joe User still getting infected? Because the box shifters of business don't educate. Aunty Mabel wants to get on that Internet thing so she buys a £300 PC. The nice young salesman sells her some anti-virus software for another £30 so she must be all right. When the PC gets riddled with trojans and malware she'll take it back to the shop who will charge her more to 'clean it up', all the while not advising on her on how to prevent it in the first place.
In the end, education begins at home, and every one of us who knows enough to understand that the Internet can be unsafe, should at least tell one other person, and then maybe, slowly, the message will get through. Our choice of browser helps, but it isn't up to that browser to protect us from every situation - we have to make those choices ourselves based on the information we have.
@Pisses me off
Not sure about where you are, but (to my knowledge) all UK banks offer protection to the customer.
Someone took money out of my account without my permission, I had it refunded. I also received a nice 'apology' over the delay in refund. Never once did I get told anything other than - yes you WILL get the money back, and if we find YOU did spend it and made a mistake, we'll just take it again. No nasty threats, nothing.
Have to say, it's interesting to see an article like this on it here. Pretty useless though, most people here already know this. He should forward it to the BBC or something so a larger user base (more diverse) gets to read.
The browser can only do so much
While many security holes are in the browsers themselves, a lot are in applications run on virtual machines or languages like Java, Flash and so on. A browser can limit access to such languages, but ultimately that is not a solution as you seriously limit the utility of the browser. And vulnerabilities to such as SQL insertion are features of programs written in, say Java, rather than in the browser itself. SQL injection attacks do not normally target average users (but rather the sites that they visit), but users are indirectly at risk because their private details are made available to attackers. And no browser can protect a user from himself, in the sense that if a user falls for a phishing ploy, at best the browser could have warned him about the page not being from the domain it appears to be.
But there is still a lot than than be done in the browser itself to avoid vulnerabilities such as buffer overflows or pointers to deallocated data. One of the problems here is that browsers such a Firefox (and, AFAIK, all other mainstream browsers) are written in C, which has little compile-time safety checking and no run-time safety checking. If browsers were instead written in languages with strong type systems, run-time checks and managed memory, a large class of vulnerabilities can simply not occur. And programs of a complexity like modern browsers would be a lot easier to write in higher-level languages. C is, essentially, (partially) portable machine language and (IMO) unsuited for anything other than low-level systems programming where you need unrestricted access to hardware resources. And browsers certainly don't need this.
You *could* use more than one browser
I use FF for browsing and Opera for secure stuff. If FF has been compromised then it won't affect anything else.
FF can be compromised. My son has Admin rights because he needs them to upgrade World of Warcraft (sigh - there must be a better way, perhaps something like Unix groups where he could be in the Warcraft admin group but no others?). Something managed to put a plugin into FF that kept injecting stuff every 3rd or 4th click. Reinstall didn't work. Eventually worked out that trashing the user data areas for FF for every account (sigh) removed the plugin.
So I don't trust FF for stuff I want to keep really secure. I use another browser, less often and act very paranoid when I use it. This gets away from XSS attacks and so on because you aren't putting all your eggs into one browser and not doing your general surfing (where you might get bitten) on the browser you use for secure stuff.
The author clearly lacks understandning of the different security domains in Internet communications:
1) XSS and other examples of injection of malicous content into web pages is not a browser security issue, it is the responsibility of the web service provider.
2) underlying infrastructure is not a browser security issue. Everyone with some clue knows that Internet would not have existed if it had been built in traditional telco style or incorporated mandatory IPSEC (or similar). The power of simplicity.
3) TLS/SSL does work very well for establishing of strong transport security and authentication of the server side, and will also give us the session identifier which we need to get rid of all the cookies and CGI-variables used for session handling. Not a browser issue.
The problems does not stem from IP, TCP, UDP, DNS, TLS or elsewhere in the network stack. IMHO, the problems are (in ranking order):
1) Flash (which is truly scary, close to 100% adoption of one inbred implementation) and other browser plugins, too widly spread and too small gene pool (acrobat reader, quicktime and others..)
2) Web-server and -application security, where inadequate implementations and configurations put users security at risk
3) The absence of decent methods of user authentication (think SAML and OpenID)
4) Browser implementation errors (and the effect of such due to tight integration into the operating systems)
Apart from that, I do agree that fishing filter and other tricks won't solve any security problems, in the same way as antivirus, firewalls and other largly perforated band-aids will fall short.
This article spells F.U.D.
I had a university lecturer who used a DOS based email client, rather than the faculty installed Pegasus Mail. His reason for using it was "It doesn't catch a cold when everyone else's PC is sneezing".
At the time I thought he was just eccentric (he also had huge handle-bar mustache and looked/sounded like he flew WW2 planes) - these days looking back I sort of agree with his mentality.
His main goal was to keep online even though at the time all the other lecturers inbox's were being flooded with virus' by some dodgy students wanting an extension on their coursework..... and he managed it. He didn't have fancy features such as image viewers, attachments, and other stuff - but then he wasn't really using those features anyway.
Personally - I wouldn't get along without my bells and whistles in ff3 - extensions are my main reason for using the browser, not security, but sometimes these extensions can give you some added security. I have a google redirect extension, that points me to the https version of gmail, googledocs etc - I also have noscripts, adblocker (sorry el-reg - I promise to buy a mug though). I have some more eye-candy type extensions like piclens too. It's finding the right balance for you.
He probably doesn't need admin rights... Make it a limited account and grant it full control over the WoW directory and all files and also do the same to HKLM->Software->Blizzard registry tree (using RegEdit).
I am amazed how many programs these days claim to need admin rights when they really just need to have a few certain permissions enabled. The only programs that should require admin rights are OS updates/patches.
@AC: "Pisses me off"
"Instead, find a bank that uses partial credentials for login (ie Characters 2 4 and 7 from a password)"
Nationwide (if you ignore pedantic comments about it being a building society!). It's been doing it for many years, both on the phone and on the net.
"and/or Two Factor Authentication when making payments"
Nationwide (it's recently issued all its customers which readers which require the bank card/PIN and a challenge sequence from the website).
Can't eliminate the human factor.
As others have said, you can fill in security holes until you're old and gray, but you can't ever keep people from clicking on FREE P0RN and WIN USD999 links. The most successful Trojan in history involved no exploits of any kind; it was entirely dependent on men wanting to see Anna Kournikova naked.
@Mike Powers: And a few women too, I expect!
I've got a Nationwide account - I'm proud they're still a building society - but it's security is a bit of a joke. It will not work without cross-site cookies enabled and has no transaction level security. Partial credentials don't do it for me. I'm more, but not entirely impressed by my German bank which has a less sophisticated but highly customisable login: I can change both my user and my passphrase. But more importantly I have to sign for each transaction using a TAN. I believe the security model here is "know one item, hold one item". Not unbreakable (there have been attempts to the attacks have relatively small windows) but not too bad.
Use an obscure platform! I'm not telling you what I use, though the server log will. Most importantly, only read email messages in plain text, including html-only ones. That way phishing messages become really obvious, and you are not in danger of executing malicious scripting.
The problem is that I am forced to use a much more attacked (if not inherently less secure) platform for some banking applications.
Btw Simon, in just over a year's time we'll be celebrating the 40th anniversary of the first host-to-host connection on Arpanet!
So why is Joe User still getting infected? Because the box shifters of business don't educate.
If you buy a car shouldn't you learn to drive instead on insisting the sales person tech you ??
419 scams have been around before the net people still fall for it. The people that can be educated mostly likely will .
Man the Barack Aides ..... Ring the Palace Barracks
"Have to say, it's interesting to see an article like this on it here. Pretty useless though, most people here already know this. He should forward it to the BBC or something so a larger user base (more diverse) gets to read." ...By Edward Rose Posted Tuesday 24th June 2008 10:55 GMT
Quite whether they would understand it is another matter. BBC Refugees/Banned Posters have All been Denied Public Service Satisfaction because of more enlightening views suggesting the Master Plan is to keep Population Ill and MisInformed. More than just a Few may even have alighted here, on El Reg.
Which is also the Bigger Picture Situation Today, is it not?
Any Words of XXXXPlanaNation from the Accused to Cast even a Shadow of Doubt on the Evidence?
I agree with the article
Other than locking your browser down so much it can barely do anything, I don't think there is any way you can secure your machine via a browser.
That's why I use sandboxie:
Searching porn or pirated software? Do so in sandboxie and throw it away and make a new one if it starts playing up. :)
Just think carefully before exporting anything outside the sandbox :)
Fundamental misunderstanding of ActiveX (again)
"Firefox wasn't the browser that brought us ActiveX and therein lies the key reason it has stood up so well when compared to IE over the years. Last year, there were some 339 vulnerabilities in one or more ActiveX controls, according to security bug tracker Secunia."
Who wrote said controls? Did Microsoft actually produce all 339 of these?
Everyone likes to blame Microsoft for ActiveX destroying the Internet. ActiveX was in Windows long before it was called ActiveX, though.
My favourite complaint from a clueless luser: "If you enable ActiveX in ACCPAC you'll expose us all!" Meanwhile Sage Software uses ActiveX as part of ACCPAC's very design. You can't open a module in there without launching an ActiveX control. If I disabled ActiveX, I'd stop it from working, period.
Which, in hindsight, might have been a good thing. ACCPAC needs a lot of work yet if it's going to run with Least Privilege in mind.
Even Firefox uses ActiveX. Those little form buttons? They're ActiveX controls! In fact, every Windows application uses ActiveX, whether directly or not. I don't know what they're called on MacOS, but on Windows they're called ActiveX controls.
I secure my machines using Least Privilege. ActiveX controls are like most other software on current editions of Windows; it runs as the user that launched it. A hax0r using a bug in an Adobe Reader ActiveX control failed to exploit machines in my care before, and they'll continue to fail. Even the notoriously insecure Firefix (heh, um, Firefox) can work securely this way.
This and this
From article: " Outcomes varied from minute to minute, but clicking on results returned from searches such as this and this (we strongly recommend you don't try this at home)"
I'm frightened... what would happen if I click on the "this" or "this"?
I'm also little excited at the thought of clicking.
I launched both searches, and all of the results, in tabs.. I got one warning about an attack site (which I chose to proceed anyhow) and one website down for repairs (I guess they noticed their site was hacked). The rest looked like fairly typical web pages and didn't appear to do anything malicious.
Now, apart from rkhunter and clamav, I'm not sure what software there is in Ubuntu that I can use to search for the nasty malware that those websites should have installed.
Internet Explorer will emerge winner.
Mark my words Internet Explorer shall emerge as the dominant secure browser because Microsoft is pouring tons of money into its development. Along with reports from security firms, and honey pot computers the software giant has the programmers not to say the money to make its browser top notch. Firefox is at the moment safer then Internet Explorer 7 but the Mozilla Foundation is just that, a foundation that requires volunteers and donations. As for Apple they have the opensource KDE developers that they can work with in order to make Safari safer. I use Camino since it seems to be pretty safe, but there are some trade-offs since Camino doesn't render pages as good as Safari or Firefox does.