my bank will ONLY work in the explorer browser
does not leave me with too many options to avoid it with a clean, alternative browser...
A security researcher has developed a proof-of-concept browser botnet extension to illustrate the perils of what he describes as a "looming menace". Zoltan Balazs of Deloitte Hungary developed the code to illustrate the risk from malicious browser add-ons, which he argues anti-virus vendors are ill-equipped to defend against …
And, not being funny, but I used that as the reason I gave when I changed banks TEN YEARS AGO and thought it perfectly valid even then. NatWest literally only allowed you to log in with Netscape (which was old even then) or IE and I told them they could fix it or lose me. Probably didn't even notice my loss, but I cited it as the reason I moved to a provider who DID recognise what online security actually means.
Requiring IE is not an excuse for sloppy programming practices. And if you don't program sloppily, you don't need to enforce the user's browser.
My own bank (and even my pre-pay credit card company, mobile phone company, etc.) all let me log in using my browser of choice (Opera), on the device of my choice (Android phone, laptop, PC) and never complain (unless I use a seriously out-of-date version of something with known security problems that affect the banking component, as they should).
Hell, they keep trying to offer me a free version of McAfee, despite the fact that I don't use Windows half the time I'm logging in, but I put that down to some marketing bright-spark - but it's not compulsory, which I put down to some IT bright-spark.
Would you tolerate a bank that says they'll only allow you to manage your account if you do it from a public place where everyone can hear you? Then don't tolerate sloppy web programming posing as pseudo-security.
Browser developers should adopt an App Store-style model and deny the installation of browser add-ons obtained from outside this ecosystem by default
Doesn't Chrome already do this, at least in the current version?
I seem to recall a couple of weeks ago trying to install an extension that wasn't from their store and being blocked because of that fact?
Yes, I think that Chrome blocks installations (certainly of extensions) from outside the Chrome store, unless you put some effort into working around it by going to chrome://extensions and drag&dropping the downloaded extension into it.
That worked for me installing a greasemonkey script, anyway.
I'm not sure how thoroughly curated the Chrome store is though. If it's like Play store, anyone can upload an extension.
Chrome does all of that, though its blacklist is a list of extension identifiers. Nothing stops the bad guys from generating a bazillion of those -- so long as they don't distribute through the Web Store. I wonder if any antivirus companies have signatures for malicious extensions?
How many add-ons are there for IE anyway? Hardly any, hence on this front IE is more secure than the rest.
I actually use FF and Chrome as my main browsers (FF until it grinds to a halt then in exasperation switch to Chrome). For banking I use IE9 without any add-ons except LastPass and which is isolated from man-in-the-middle and other interferences by Prevx / WRSA and OpenDNScrypt.
I will definitely get flamed for using IE for banking, but I do know what I am doing unlike some of you lot.
But I see that you're using Prevx, a product designed to help protect against man-in-the-browser attacks and as far as I can see makes IE more secure than either FF or Chrome.
I've been using Prevx on a bunch of students' and teenagers' laptops for over a year now and none (as yet) have required any attention other than a forced update of components not automatically updated over the web. The other security product on these systems is naturally Microsoft's as it gets quietly updated as part of Windows/Microsoft update.
1) Most browsers already implement the App Store model for extensions distribution. Google even went as far as to make installing extensions (or even user scripts!) from other sources a major pain in the butt.
2) This isn't, of course, a complete solution to the problem, since malicious extensions WILL find their way in the app store - as has happened with Android apps in Google Play.
3) Where exactly is the problem for the anti-virus developers?! The extension arrives as a file. Any file can be scanned before the browser is allowed to access it. If it contains known malware, access to it will be denied. If the malware is not known, it doesn't matter whether the virus scanner could scan it or not. Even the already installed extensions exist as files (or sets of files) on the file system of the computer and can be scanned.
About the only things worth noticing in this idea are that browser extensions are cross-platform (but, then, so is JavaScript - which is no coincidence, since browser extensions are normally written in JavaScript) and that they allow easy interception of the operation of the browser.
The idea isn't even new; I remember somebody from Symantec covering this issue (as well as the "widgets" issue - as in Yahoo! Widgets, etc.) at some Virus Bulletin conference years ago.
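Two points raised in the comments above, that a blacklist of extension identifiers is sidestepped by a new identifier and that an installed extension is just a set of files a scanner can read, are put side by side in this added example (not code from the thread or from any browser or anti-virus vendor). The one-directory-per-extension layout, the identifiers and the file contents are constructed assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def content_digest(ext_dir: Path) -> str:
    """SHA-256 over every file's relative path and bytes, in sorted order."""
    h = hashlib.sha256()
    for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        h.update(f.relative_to(ext_dir).as_posix().encode() + b"\0")
        h.update(f.read_bytes() + b"\0")
    return h.hexdigest()

def scan(profile_dir: Path, blocked_ids: set, bad_digests: set) -> dict:
    """Return {extension_id: verdict} for each extension directory found."""
    verdicts = {}
    for ext_dir in sorted(p for p in profile_dir.iterdir() if p.is_dir()):
        if ext_dir.name in blocked_ids:
            verdicts[ext_dir.name] = "blocked-by-id"
        elif content_digest(ext_dir) in bad_digests:
            verdicts[ext_dir.name] = "blocked-by-content"
        else:
            verdicts[ext_dir.name] = "clean"
    return verdicts

def make_extension(root: Path, ext_id: str, script: str) -> Path:
    """Write a constructed two-file extension under root/ext_id (assumed layout)."""
    d = root / ext_id
    d.mkdir(parents=True)
    manifest = {"name": "sample", "version": "1.0",
                "background": {"scripts": ["bg.js"]}}
    (d / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    (d / "bg.js").write_text(script)
    return d

def demo() -> dict:
    """Same files under two IDs: only the content signature catches the second."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        flagged = make_extension(root, "aaaa-known", "/* flagged sample */")
        make_extension(root, "bbbb-repack", "/* flagged sample */")
        make_extension(root, "cccc-other", "/* unrelated */")
        return scan(root, blocked_ids={"aaaa-known"},
                    bad_digests={content_digest(flagged)})

if __name__ == "__main__":
    for ext_id, verdict in demo().items():
        print(ext_id, verdict)
```

An exact digest only matches byte-identical copies; any change to a file yields a new digest, which is the "unknown malware" case the comment above says no scanner covers.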