Catalin Cimpanu (who’s rapidly become one of my favorite security writers), in BleepingComputer’s Google Experiment Tests Top 5 Browsers, Finds Safari
[See the full post at: How secure is your browser?]
How secure is your browser?
- This topic has 31 replies, 15 voices, and was last updated 7 years, 6 months ago.
Noel Carboni
AskWoody_MVP
September 23, 2017 at 9:14 pm #133934
Any browser can be a heckuva lot more secure if it’s blocked in the first place from visiting any of the tens of thousands of sites known to host malware, ads, and tracking. The “attack surface” matters less if fewer sites are attacking.
Well-managed lists of such sites are online, freely available, awaiting use by people with some technical savvy.
Use of such lists to blacklist sites can range from augmenting one’s hosts file to use in a custom DNS proxy server to feeding a browser add-on to setting up a firewall.
The online list sources I use:
http://winhelp2002.mvps.org/hosts.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://mirror1.malwaredomains.com/files/immortal_domains.txt
https://adaway.org/hosts.txt
http://someonewhocares.org/hosts/hosts
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
http://www.quero.at/download/adblock-hosts.zip
http://sysctl.org/cameleon/hosts.win
http://malware-domains.com/files/domains.zip
Also, you can easily make strides toward bad site avoidance by switching over to using Cisco OpenDNS addresses (208.67.222.222 and 208.67.220.220) for DNS resolution instead of the addresses your ISP provides.
-Noel
-
Cybertooth
AskWoody Plus
September 23, 2017 at 9:45 pm #133937
Noel, what’s your take on uBlock Origin? It installs (in the browser) extensive blacklists of ad servers and malware sites. In your view, how does that approach compare to populating the hosts file?
1 user thanked author for this post.
-
Noel Carboni
AskWoody_MVP
September 23, 2017 at 11:14 pm #133947
I’ve heard good things about it but I haven’t tried it. I think I looked into it and found it doesn’t work with IE, but I could have crossed things up.
If it blacklists bad sites, every little bit helps!
I personally don’t use the hosts file any more as I have a DNS proxy that does a better job (e.g., it handles wildcarded specifications instead of just single servers).
-Noel
1 user thanked author for this post.
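The difference between hosts-file blocking and the wildcard handling of a DNS-level blocker, shown as an added example that is not part of any post in this thread. It also checks that a downloaded hosts-format list only sinkholes names and never maps them to another address. The sample feed, the function names and the suffix-matching rule are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in hosts-file format; names and addresses are placeholders.
SAMPLE_FEED = """\
# comment line
127.0.0.1   localhost
0.0.0.0     ads.example.net
127.0.0.1   tracker.example.org   # trailing comment
0.0.0.0     ADS.example.net
203.0.113.7 bank.example.com
0.0.0.0     not_a_valid_host!
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_hosts_feed(text):
    """Return (blocked_names, rejected) where rejected is [(line_no, reason)]."""
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            rejected.append((lineno, "bad address"))
            continue
        if addr not in SINK_ADDRESSES:
            # A third-party list should only sinkhole names; an entry that
            # maps a name to some other address would silently redirect it.
            rejected.append((lineno, "redirects to non-sink address"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if len(name) > 253 or not all(LABEL.match(p) for p in name.split(".")):
                rejected.append((lineno, "invalid hostname"))
                continue
            blocked.add(name)
    return blocked, rejected

def hosts_file_blocks(name, blocked):
    """Hosts-file semantics: only an exact name match is blocked."""
    return name.lower().rstrip(".") in blocked

def suffix_blocks(name, blocked):
    """Wildcard semantics (assumed): the name or any parent domain is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

if __name__ == "__main__":
    blocked, rejected = parse_hosts_feed(SAMPLE_FEED)
    print(sorted(blocked), rejected)
    for host in ("ads.example.net", "cdn.ads.example.net", "example.net"):
        print(host, hosts_file_blocks(host, blocked), suffix_blocks(host, blocked))
```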
-
satrow
AskWoody MVP
September 24, 2017 at 8:49 am #133987
I primarily use Pale Moon x64 with browser session uptimes usually in the region of 5-10 days, occas. to 30+.
I try to split the hosts load with the browser; hosts file blocking against mostly malicious sites and servers and protecting Windows and software connections, with uBlockO mostly dealing with the advertising and browser annoyances – though there is a huge amount of overlap dependent on which lists are in use where.
I also use NoScript but without script blocking, using it primarily to detect/block cross-site scripting (XSS) attempts.
I use HostsMan to control both the hosts on/off + lists updating and the DNS Client, uBlockO is updated by uBlock Origin Updater (Pale Moon only, I think).
Note that Windows users with a large host file will experience slowdowns with connections, that can be ameliorated by disabling the DNS Client Service (or if your network requires the use of the DNS Client Service, by using one of the workarounds listed from about halfway down this page): http://winhelp2002.mvps.org/hosts.htm
2 users thanked author for this post.
-
MrBrian
AskWoody_MVP
September 24, 2017 at 11:05 am #134006
I think that Noel would like the dynamic filtering of uBlock Origin (which is optional to use) so much that he might change browsers to use it :).
2 users thanked author for this post.
-
Noel Carboni
AskWoody_MVP
September 24, 2017 at 10:44 pm #134084
Thanks, MrBrian. I already have a nice installation of Pale Moon to try it in.
I was just reading at the link you posted about dynamic filtering… I’m usually pretty good about deriving what something’s all about by looking at the configuration dialog, but I’m not really sensing what’s “dynamic” about the feature… Is it that it can gate certain sites for specific pages? That sounds handy, though there are very few that I wouldn’t want blocked all the time. Put another way, I don’t feel my current browsing experience is bad.
I definitely need to get to know uBlock better, though. It’s definitely my kind of tool.
-Noel
-
MrBrian
AskWoody_MVP
September 25, 2017 at 7:37 am #134122
@Noel: You’re welcome :).
From https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide: “Static filtering refers to the filters which comes from the filter lists, i.e. EasyList, EasyPrivacy, hpHosts, etc. Dynamic filtering are those filtering rules which have an air of firewall rules.”
There are three dynamic filtering actions:
Allow = allow, regardless of filter lists
Block = block, regardless of filter lists
Noop = filter lists are used to decide whether to allow or block
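How the three actions quoted above interact with the filter lists, as an added example that is not part of the post and is not uBlock Origin's code. It is a simplified model: rules carry only a source and a destination hostname, the precedence order is this model's assumption, and all hostnames and rules are constructed.

```python
ALLOW, BLOCK, NOOP = "allow", "block", "noop"

# Constructed sample rules: (source page hostname, destination hostname) -> action.
SAMPLE_RULES = {
    ("*", "tracker.example"): BLOCK,            # block everywhere...
    ("shop.example", "tracker.example"): NOOP,  # ...but defer to the lists on one site
    ("*", "cdn.example"): ALLOW,                # allow even though a list names it
}
# Constructed stand-in for the static filter lists.
SAMPLE_STATIC = {"cdn.example", "ads.example"}

def ancestors(hostname):
    """Yield the hostname, then each parent domain, then the wildcard '*'."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield "*"

def dynamic_action(rules, source, destination):
    """Return the most specific matching rule's action, or None.

    Assumed precedence for this model: narrower destination first,
    then narrower source.
    """
    for dst in ancestors(destination):
        for src in ancestors(source):
            action = rules.get((src, dst))
            if action is not None:
                return action
    return None

def decide(rules, static_blocklist, source, destination):
    """Return 'allow' or 'block' for a request from `source` to `destination`."""
    action = dynamic_action(rules, source, destination)
    if action in (ALLOW, BLOCK):
        return action  # decided regardless of the filter lists
    # Noop, or no dynamic rule at all: the filter lists decide.
    listed = any(d in static_blocklist
                 for d in ancestors(destination) if d != "*")
    return BLOCK if listed else ALLOW

if __name__ == "__main__":
    for src, dst in [("news.example", "tracker.example"),
                     ("shop.example", "tracker.example"),
                     ("news.example", "cdn.example"),
                     ("news.example", "ads.example")]:
        print(src, "->", dst, decide(SAMPLE_RULES, SAMPLE_STATIC, src, dst))
```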
-
-
-
Noel Carboni
AskWoody_MVP
September 24, 2017 at 11:24 pm #134092
OK, I’ve got uBlock Origin in Pale Moon.
It’s nice to see the ads/tracking links not even going to the DNS server. It’ll be interesting to see whether I get any “— blacklisted by DNS proxy —” messages while using this combo.
Mission accomplished: Yet another layer of protection in place. Niiiiice. Thanks again for giving me a little project to do this evening, MrBrian!
Now off to figure out how to get everything to open in a new window (I have lots of monitors and I’m not fond of tabs)…
-Noel
1 user thanked author for this post.
-
JohnW
AskWoody Lounger
September 25, 2017 at 12:46 pm #134176
I really like uBlock Origin. I’m sure that the static filter lists have saved my bacon more than once by blocking me from accessing a link that I shouldn’t have clicked on!
It’s nice to see the capability of the dynamic filtering, but I have not used it much.
I generally use uMatrix, from the same developer, for dynamic filtering of sites.
https://github.com/gorhill/uMatrix
Forked and refactored from HTTP Switchboard. Used together with uBlock Origin, I feel that I’m well covered in the browser now. https://github.com/gorhill/httpswitchboard/wiki/How-to-use-HTTP-Switchboard:-Two-opposing-views
I find uMatrix easier to wrap my head around, and it has become a replacement for NoScript for me.
Windows 10 Pro 22H2
-
-
NetDef
AskWoody_MVP
September 23, 2017 at 10:41 pm #133945
We use some of those hosts lists as blocking rules for our advanced firewalls for my clients, which is a bit easier than pushing out updated hosts files to every workstation – same end result. There are also some nice tools that can update your hosts file for you for the home or small network budget: One such that comes in a free (manual updates) or budget edition (automatic updates) is Spybot — https://www.safer-networking.org/features/immunization/
~ Group "Weekend" ~
-
Bob99
AskWoody MVP
September 24, 2017 at 11:22 am #134010
I use Spybot along with another app, SpywareBlaster. Both “inoculate” the browsers on your machine in overlapping ways using the hosts file and other measures built into the browsers. SpywareBlaster used to be from Javacool Software, but it’s now put out by Brightfort. The change was made about two years ago, if memory serves.
MrBrian
AskWoody_MVP
September 23, 2017 at 9:49 pm #133939
From Two new white papers examine enterprise web browser security (Sep. 19, 2017):
“This complex landscape of enterprise browser security is the topic of two white papers recently published from security engineering firms X41 D-Sec GmbH and Cure53. Both firms have extensive industry experience and expertise in information security, application security, web application security and vulnerability discovery. These two papers leverage that expertise to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).
We [Google] sponsored this research, which was conducted independently by the research firms, to help enterprise IT administrators evaluate which browser best fits their security and functionality needs. To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions.”
1 user thanked author for this post.
-
MrBrian
AskWoody_MVP
September 23, 2017 at 10:05 pm #133941
More info about these two papers:
1 user thanked author for this post.
NetDef
AskWoody_MVP
September 23, 2017 at 10:31 pm #133943
I’m a big fan of NoScript for Firefox and uBlock Origin combined. For Chrome uBlock Origin helps – but I miss NoScript there.
Trouble with both tools is that you need some sense and savvy to adjust settings as needed for specific websites you want to trust. I’ve tried several times over the years to train end users to utilize these plugins – with mixed success. They are not quite “install and forget” ready yet.
~ Group "Weekend" ~
4 users thanked author for this post.
-
AJNorth
AskWoody Plus
September 23, 2017 at 11:54 pm #133952
Agreed; I consider both NoScript and uBlock Origin essential (in Firefox, my primary browser).
In addition to them, I also install HTTPS Everywhere and Privacy Badger (both from the EFF), and now once again the Web Of Trust (now that they’ve cleaned-up their act).
True, some end users are challenged by these add-ons, but fortunately most of the ones I have dealt with were able to acclimate to them (with a few exceptions…).
As an aside, though not directly a browser security enhancement, nevertheless I also install WinPatrol on all clients’ Windows boxes. It’s very lightweight and adds a worthwhile layer of protection, IMHO.
2 users thanked author for this post.
-
Ascaris
AskWoody MVP
September 24, 2017 at 3:47 am #133968
Add me to the tally of uBlock/NoScript users with FF (actually Waterfox at this point, but close enough).
I tried using the two with Privacy Badger too, but it was just too difficult to troubleshoot a site when it fails to work (a regular part of browsing when you use NoScript). NoScript and uBlock should be more than adequate to block anything PB would have. With NoScript, the idea is to only allow scripts that are necessary, which the ones PB blocks usually are not. If I could be sure that the order would be uBlock => NoScript => PB, I think PB would be fairly trivial to handle (as it would hardly ever have anything to block by the time everything got filtered through the others), but I really have no idea which addons parse first. I do know that PB caught a lot of things before they got to NoScript, which was less than ideal.
NoScript can be pretty demanding to use, and more so to use to its full (most secure and private) potential, though certainly I think it is worth it (else I would not be using it). PB is a lot closer to a “fire and forget” solution, and I’d suggest that to anyone not prepared to undergo the NoScript hassle.
PB isn’t completely hassle-free, though; it sometimes does block things that people want, since those things do sometimes track the user. One example is Disqus, which a lot of people use to comment on posts and articles on various web sites. It also exhibits behavior that PB interprets as tracking (and it’s probably an accurate assessment, given the state of the web now), which PB then blocks, and thus the function of Disqus that is wanted is blocked along with the tracking. It is then up to the user to unblock the scripts that PB has blocked to get it working again, which is similar to what NoScript users have to do. The difference is that ALL scripts have to be sorted this way in NoScript, while only the tracking ones do in PB.
PB, of course, is about blocking trackers, so non-tracking malicious scripts will still get through. Malvertising delivered through the ad networks should normally be blocked by PB and adblockers, fortunately.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
4 users thanked author for this post.
-
Microfix
AskWoody MVP
September 24, 2017 at 2:42 am #133965
As an added layer to our browser security, sandboxing the browser/s and specific apps has helped protect the systems along with some of the aforementioned browser extensions. Firejail for Linux works great for our nix machines:
For those who are not aware of Firejail and what it does:
‘Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.’
Windows - commercial by definition and now function...
3 users thanked author for this post.
-
AJNorth
AskWoody Plus
September 24, 2017 at 12:08 pm #134020
Indeed. For the more technically inclined who wish to go the extra mile (or kilometer), sandboxing can help insulate one’s rig against a multitude of traumatic misfortunes.
For Windows, that would likely be Sandboxie; the free version should suffice for browser protection. (While they reference a Lifehacker article at their site, here is a slightly more recent one, that also addresses virtualization for the Über Tech: How to Safely Test Software Without Messing Up Your System.)
1 user thanked author for this post.
-
anonymous
Guest
b
AskWoody_MVP-
Bob99
AskWoody MVP
September 24, 2017 at 11:30 am #134011
ROTFLOL!! Couldn’t have said it better myself! NO browser is perfect, they all are just the one(s) one prefers using!! Outrageously funny that MS gets $7500 paid to them by their immediate competitor in the browser arena!
Now, hopefully, Google will fix the hole MS pointed out in Chrome for the benefit of the regular Chrome users.
-
Noel Carboni
AskWoody_MVP
September 25, 2017 at 8:22 pm #134240
Microsoft finds a security flaw in Chrome and gets $7,500 as a prize
LOL, the difference I see there is that Microsoft expects us to pay them to find their bugs. 😀
-Noel
AlexEiffel
AskWoody_MVP
September 24, 2017 at 10:52 pm #134087
Sometimes I stop for a second and wonder why we are still using OSes that don’t segregate processes properly and eliminate so many problems much higher in the chain? In an ideal world, I would have a built-in no tweaking required low privilege browser that can’t write anywhere for casual browsing. When I want to download, I would flip a switch to lift a restriction to write only in one low privilege download folder. That should be standard.
Anybody here ever tried Qube OS?
-
NetDef
AskWoody_MVP
September 25, 2017 at 8:56 pm #134244
Sometimes I stop for a second and wonder why we are still using OSes that don’t segregate processes properly and eliminate so many problems much higher in the chain?
We had that once! VAX-11/VMS . . .
Anybody here ever tried Qube OS?
No, but now my curiosity is triggered . . . off to research.
~ Group "Weekend" ~
2 users thanked author for this post.
-
Noel Carboni
AskWoody_MVP
September 27, 2017 at 2:19 pm #134471
We had that once! VAX-11/VMS . . .
Hear hear! Then the architecture got applied to toy computers… Sigh.
-Noel
-
anonymous
Guest
anonymous
Guest
anonymous
Guest
October 3, 2017 at 12:59 pm #134112
Anyone else notice that many exploits seem to be targeting extensions these days? Whenever I read about a hacking contest it seems they focus on an extension exploit. Edge is way better than IE but is still connected to Windows too much. Everything has holes, and it's more about how fast they are patched.
MrBrian
AskWoody_MVP
October 18, 2017 at 11:53 am #138752
From Browser security beyond sandboxing: “For this project, we set out to examine Google’s Chrome web browser, whose security strategy shows a strong focus on sandboxing. We wanted to see how Chrome held up against a single RCE vulnerability, and try to answer: is having a strong sandboxing model sufficient to make a browser secure?”
1 user thanked author for this post.
-
NetDef
AskWoody_MVP
October 18, 2017 at 9:45 pm #138821
I thought this part was pretty cool:
{snip}. . . the report was awarded a $7,500 bug bounty by Google. Along with other bugs our team reported but didn’t exploit, the total bounty amount we were awarded was $15,837. Google matched this amount and donated $30,000 to Denise Louie Education Center, our chosen organization in Seattle.
Granted it’s a tiny donation relative to their net worth, but still . . .
~ Group "Weekend" ~
Kirsty
Manager
October 18, 2017 at 11:56 pm #138836
Microsoft Takes Jab Back at Google’s Security Team
By Catalin Cimpanu | October 18, 2017
No good deed remains unpunished, they say, and so is the case of the recent spat between Google and Microsoft’s security teams.
This whole “friendly competition” started last fall when Google’s Project Zero security team started reporting flaw after flaw in Microsoft products like Internet Explorer, Edge, Windows Defender, and the Windows operating system itself.
…
Microsoft can find bugs in Google products too
Microsoft’s Offensive Security Research (OSR) team found the bug and reported the issue to Google in September. Google fixed it in Chrome 61, and even awarded Microsoft researchers a total of $15,837 for their effort, money that Microsoft plans to donate to charity.
According to Microsoft, the vulnerability (CVE-2017-5121) is a high-severity out-of-bounds information leak that can lead to remote code execution inside a user’s browser.
Most of the previous bugs Google researchers found in Microsoft products were found using fuzzers — automated tools for performing fuzzing. Ironically, or not, Microsoft also used a fuzzer to find this bug.
Read the full article here

Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Search Newsletters
Search Forums
View the Forum
Search for Topics
Recent Topics
-
Firefox became sluggish
by
Rick Corbett
5 minutes ago -
Windows 10 Build 19045.5794 (22H2) to Release Preview Channel
by
joep517
2 hours, 49 minutes ago -
Windows 11 Insider Preview Build 22635.5235 (23H2) released to BETA
by
joep517
3 hours, 17 minutes ago -
A Funny Thing Happened on the Way to the Forum
by
bbearren
14 hours, 14 minutes ago -
Download speeds only 0.3Mbps after 24H2 upgrade on WiFi and Ethernet
by
John
12 minutes ago -
T-Mobile 5G Wireless Internet
by
WSmmi16
5 hours, 12 minutes ago -
Clock missing above calendar in Windows 10
by
WSCape Sand
2 hours, 12 minutes ago -
Formula to Calculate Q1, Q2, Q3, or Q4 of the Year?
by
WSJon5
18 hours, 4 minutes ago -
The time has come for AI-generated art
by
Catherine Barrett
1 day, 2 hours ago -
Hackers are using two-factor authentication to infect you
by
B. Livingston
7 hours, 47 minutes ago -
23 and you
by
Max Stul Oppenheimer
15 hours, 2 minutes ago -
April’s deluge of patches
by
Susan Bradley
19 hours, 13 minutes ago -
Windows 11 Windows Updater question
by
Tex265
1 day, 1 hour ago -
Key, Key, my kingdom for a Key!
by
RetiredGeek
1 day, 23 hours ago -
Registry Patches for Windows 10
by
Drcard:))
2 days, 4 hours ago -
Cannot get line length to NOT wrap in Outlining in Word 365
by
CWBillow
1 day, 10 hours ago -
DDU (Display Driver Uninstaller) updates
by
Alex5723
20 hours, 17 minutes ago -
Align objects on a OneNote page
by
CWBillow
2 days, 9 hours ago -
OneNote Send To button?
by
CWBillow
2 days, 10 hours ago -
WU help needed with “Some settings are managed by your organization”
by
Peobody
2 days, 19 hours ago -
No Newsletters since 27 January
by
rog7
23 hours, 44 minutes ago -
Linux Mint Debian Edition 7 gets OEM support, death of Ubuntu-based Mint ?
by
Alex5723
1 day, 19 hours ago -
Windows Update “Areca Technology Corporation – System – 6.20.0.41”
by
Bruce
1 day, 18 hours ago -
Google One Storage Questions
by
LHiggins
1 day, 2 hours ago -
Button Missing for Automatic Apps Updates
by
pmcjr6142
1 day, 9 hours ago -
Ancient SSD thinks it’s new
by
WSila
2 days ago -
Washington State lab testing provider exposed health data of 1.6 million people
by
Nibbled To Death By Ducks
3 days, 9 hours ago -
WinRE KB5057589 fake out
by
Susan Bradley
20 hours, 33 minutes ago -
The April 2025 Windows RE update might show as unsuccessful in Windows Update
by
Susan Bradley
2 days, 17 hours ago -
Firefox 137
by
Charlie
1 hour, 55 minutes ago
Recent blog posts
Key Links
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.