Browser Security

Published on IT Security Office (https://security.duke.edu) [1]

Key Actions

- Always run an up-to-date version of your web browser.
- Use Qualys' BrowserCheck [2] to confirm that your browser, its plug-ins and your system are patched.

Browser Privacy Settings

Vendor information regarding browser privacy settings: Chrome [3], Firefox [4].

Tips for safe Internet browsing

Exploiting browser vulnerabilities has become a popular way to compromise computers. There are several easy ways to secure your preferred browser, through individual browser settings and add-ons. Browsers aim for a balance of performance and security: features the vendor adds to improve performance may make the browser (and the computer) less secure. In addition, the more add-ons you have installed, the more your browsing experience may be slowed.

Best Practices

1. Install and use an ad blocker such as AdBlock Plus [5] or uBlock Origin [6] (for Chrome [7] or Firefox [8]). Use one or the other, not both.
2. Do not use the "remember my password" function of a browser or website. Instead, use the LastPass password management service [9] (the premium version is available free to all Duke faculty, staff and students): download LastPass [10], install it and create an account, then activate the premium version at Duke's LastPass page [11]. To remove passwords a browser may already have saved, see Chrome [12] and Firefox [13].
3. Ensure the pop-up blocker in your browser is enabled (instructions available for Chrome [14] and Firefox [15]).
4. Consider private browsing using Chrome Incognito mode [16] or Firefox private browsing [17]. These options are becoming available in mobile browsers as well, and Firefox has created Focus [18] as a privacy-focused browser. Keep in mind what private browsing does: it stops the browser from keeping history, cookies and form data on your machine after the window closes. It does not hide your traffic from the sites you visit or from your network, and it does not protect you from malware.
5. If you have the Adobe Flash or Oracle Java plugins installed, consider uninstalling them. Many content providers have moved away from both platforms because of their ongoing security issues. If something needs Oracle Java, remember that it must be updated on a regular basis. These remain two of the programs most often leveraged by malware to compromise computers. (This page originally noted that Flash is built into Chrome; Adobe ended support for Flash Player on 31 December 2020 and current browsers no longer ship it, so content that still requires Flash should be treated as unsupported rather than enabled.)

For advanced users

The items listed below add security to your web browsing, but from time to time may need adjusting for a site to function. Read what each extension does and research it before deciding whether it is the right tool for you. Most are available for other browsers; only Chrome and Firefox links are provided here. You should be comfortable managing Chrome extensions [19] and Firefox add-ons [20] before using anything in this list. Extensions also add to the browser's overall resource use. Mobile users will find that some of these have app equivalents as well. Remember that an extension with permission to read and change data on all websites sees every page you load, including pages where you are logged in, so install only from the official stores linked here and review the permissions each one requests.

1. NoScript (Firefox [21] only) - allows active content to run only from sites you trust, and protects you against XSS and clickjacking attacks and against JavaScript-delivered exploits, including the browser-based "Spectre" and "Meltdown" side-channel proofs of concept. (Those are CPU flaws rather than JavaScript bugs; blocking untrusted scripts removes the delivery vehicle, not the underlying flaw.)
2. uMatrix (Chrome [22] and Firefox [23]) - point and click to forbid or allow any class of request made by your browser. Use it to block scripts, iframes, ads, Facebook, etc.
3. IP Whois & Flags (Chrome [24] and Firefox [25]) - displays the server location of every website and provides geolocation and WHOIS information on a toolbar click.
4. Privacy Badger (Chrome [26] and Firefox [27]) - protects you from trackers as you browse the web.
5. Ghostery (Chrome [28] and Firefox [29]) - a privacy extension that blocks ads, stops trackers and speeds up websites. Creating an account allows settings to be shared between machines and browsers.
6. Web of Trust [30] (Chrome [31] and Firefox [32]) - warns you about dangerous sites that host malware, phishing and more. Creating an account allows settings to be shared between machines and browsers; a user's Google credentials can be used for login. Note that a site-reputation service can only rate addresses it is told about, so an extension of this kind sends the sites you visit to its vendor; weigh that disclosure against the warnings it gives you.

Source URL: https://security.duke.edu/browser-security

Links

[1] https://security.duke.edu/browser-security
[2] https://browsercheck.qualys.com/
[3] https://support.google.com/chrome/answer/114836?hl=en&co=GENIE.Platform%3DDesktop
[4] https://support.mozilla.org/en-US/kb/firefox-options-preferences-and-settings#w_privacy-security-panel
[5] https://adblockplus.org/
[6] https://en.wikipedia.org/wiki/UBlock_Origin
[7] https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
[8] https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
[9] https://security.duke.edu/news-alerts/privacy-tips-windows-10
[10] https://lastpass.com/misc_download2.php
[11] https://lastpass.com/duke/
[12] https://support.google.com/chrome/answer/95606
[13] https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_viewing-and-deleting-passwords
[14] https://support.google.com/chrome/answer/95472?co=GENIE.Platform%3DDesktop&hl=en
[15] https://support.mozilla.org/en-US/kb/pop-blocker-settings-exceptions-troubleshooting
[16] https://support.google.com/chrome/answer/95464?co=GENIE.Platform%3DDesktop&hl=en
[17] https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history
[18] https://en.wikipedia.org/wiki/Firefox_Focus
[19] https://support.google.com/chrome_webstore/answer/2664769?hl=en
[20] https://support.mozilla.org/en-US/kb/disable-or-remove-add-ons
[21] https://addons.mozilla.org/en-US/firefox/addon/noscript/
[22] https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf
[23] https://addons.mozilla.org/en-US/firefox/addon/umatrix/
[24] https://chrome.google.com/webstore/detail/ip-whois-flags-chrome-web/kmdfbacgombndnllogoijhnggalgmkon?hl=en
[25] https://addons.mozilla.org/en-US/firefox/addon/country-flags-ip-whois/
[26] https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
[27] https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/
[28] https://chrome.google.com/webstore/detail/ghostery-%E2%80%93-privacy-ad-blo/mlomiejdfkolichcflejclcbmpeaniij
[29] https://addons.mozilla.org/en-US/firefox/addon/ghostery/
[30] https://www.mywot.com/
[31] https://chrome.google.com/webstore/detail/wot-web-of-trust-website/bhmmomiinigofkjcapegjjndpbikblnp
[32] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/?src=reco
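The Best Practices above are stated as things a user should go and click; the check a security office actually wants is whether a given profile complies. The script below is an added example, written for this page and not code from Duke or Mozilla. It audits a Firefox profile directory for best practices 2 and 3 (password saving off, pop-up blocker on, no logins still stored) and checks that every active user-installed extension is on an allow-list, which is the control the "For advanced users" section implies. Assumptions: prefs.js holds one user_pref("name", value); per line, logins.json carries its entries under "logins" with a "hostname" field, extensions.json carries them under "addons" with "id", "type", "active" and "location" fields, the listed "location" values identify Mozilla-shipped system add-ons, and uBlock0@raymondhill.net is uBlock Origin's Firefox add-on id. The two profiles it audits are constructed in a temporary directory, not captured from a real machine.

```python
"""Audit a Firefox profile directory against the Best Practices above.

Added example; file layouts below are assumptions about Firefox's profile format:
  prefs.js         one setting per line:  user_pref("name", value);
  logins.json      {"logins": [{"hostname": ..., "encryptedUsername": ..., ...}]}
  extensions.json  {"addons": [{"id": ..., "type": ..., "active": ..., "location": ...}]}
"""
import json
import re
import tempfile
from pathlib import Path

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')

# Assumption: these "location" values mark add-ons shipped by Mozilla itself,
# which the user did not install and which an allow-list should not flag.
SYSTEM_LOCATIONS = {"app-system-defaults", "app-system-addons", "app-builtin"}


def parse_prefs(text):
    """Return {name: value}; values are decoded as JSON literals (true, 3, "str")."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep an unparseable value as text rather than guessing
    return prefs


def audit_profile(profile_dir, allowed_extensions):
    """Return a list of findings; an empty list means the profile passes every check."""
    profile = Path(profile_dir)
    findings = []

    prefs_path = profile / "prefs.js"
    prefs = parse_prefs(prefs_path.read_text(encoding="utf-8")) if prefs_path.exists() else {}
    # Firefox remembers logins by default, so a missing pref counts the same as true.
    if prefs.get("signon.rememberSignons", True) is not False:
        findings.append("password saving is on: set signon.rememberSignons to false")
    # The pop-up blocker is on by default; only an explicit false is a finding.
    if prefs.get("dom.disable_open_during_load", True) is False:
        findings.append("pop-up blocker is off: set dom.disable_open_during_load to true")

    logins_path = profile / "logins.json"
    if logins_path.exists():
        stored = json.loads(logins_path.read_text(encoding="utf-8")).get("logins", [])
        if stored:
            hosts = sorted({entry.get("hostname", "?") for entry in stored})
            findings.append(f"{len(stored)} saved login(s) still stored for: {', '.join(hosts)}")

    ext_path = profile / "extensions.json"
    if ext_path.exists():
        for addon in json.loads(ext_path.read_text(encoding="utf-8")).get("addons", []):
            if addon.get("type") != "extension" or not addon.get("active"):
                continue  # themes, dictionaries and disabled add-ons cannot run code
            if addon.get("location") in SYSTEM_LOCATIONS:
                continue
            if addon.get("id") not in allowed_extensions:
                findings.append(f"unexpected active extension: {addon.get('id')}")
    return findings


def build_sample_profile(root, hardened):
    """Write a constructed profile (not captured from a real machine) under root."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    prefs = ["// Mozilla User Preferences",
             'user_pref("dom.disable_open_during_load", %s);' % ("true" if hardened else "false"),
             'user_pref("signon.rememberSignons", %s);' % ("false" if hardened else "true")]
    (root / "prefs.js").write_text("\n".join(prefs) + "\n", encoding="utf-8")
    logins = [] if hardened else [{"hostname": "https://example.edu",
                                   "encryptedUsername": "...", "encryptedPassword": "..."}]
    (root / "logins.json").write_text(json.dumps({"logins": logins}), encoding="utf-8")
    addons = [{"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
               "location": "app-profile"},
              {"id": "formautofill@mozilla.org", "type": "extension", "active": True,
               "location": "app-system-defaults"}]
    if not hardened:  # a hypothetical extension nobody approved
        addons.append({"id": "coupon-helper@example.invalid", "type": "extension",
                       "active": True, "location": "app-profile"})
    (root / "extensions.json").write_text(json.dumps({"addons": addons}), encoding="utf-8")
    return root


ALLOWED = {"uBlock0@raymondhill.net"}  # uBlock Origin's Firefox add-on id (assumption)


def run_demo():
    """Audit one default-like and one hardened sample profile; returns both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        default = audit_profile(build_sample_profile(Path(tmp) / "default", False), ALLOWED)
        hardened = audit_profile(build_sample_profile(Path(tmp) / "hardened", True), ALLOWED)
    return default, hardened


if __name__ == "__main__":
    for label, result in zip(("default", "hardened"), run_demo()):
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

To audit a real machine, point audit_profile() at the profile directory shown on Firefox's about:profiles page and extend ALLOWED with the ids of whichever extensions from the advanced list you have approved. The default-like sample profile fails on all four checks; the hardened one returns no findings. Chrome keeps the equivalent settings in its Preferences JSON file rather than in prefs.js, so the same approach needs a different parser there.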