« Encypting folders in OS X | Main | Tightening Java »

Monday, March 25, 2013

Increasing Browser Security

There's been a rash of browser exploits the last year or two, mostly centered around Java, Adobe's PDF Reader, and Flash. "Best Practices"® suggests disabling all of them, which is fine, but doesn't really address what most people need, which is a way to use plugins they need when they need them, but block them the rest of the time. It is important to keep in mind that much malware gets picked up when visiting major websites. A cracker finds a hole in a web site, and then inserts a piece of malware that can take advantage of security flaws in Java, Adobe's PDF Reader, or Flash, and your browser executes that code as your visit the website. Major sites such as NBC have hosted such malware, and for a while, Google served up malware in sponsored ads.

Here's what I've come up with, for what it's worth, as a means for reducing my risk, in term of tightening Firefox and Chrome. I'm not an expert, but these measures are pretty easy to do and can help reduce your exposure.

Use Two Browsers

Don't use the browser you like to use for general web surfing for anything that is a security risk. If you use chrome for your daily dose of youtube and facebook, use Firefox or Opera for your banking and accessing personnel data. Using a second computer or a virtual machine is much safer, but isn't really practical for most folks. Firefox and Chrome are arguable the two most secure browsers at the time of this writing.

Keep everything up to date

It's hard to keep everything up to date, but you need to do that. An easy way is to use Qualys's Browsercheck. Make that your homepage, and then when you start the browser it will scan your system for updates to your browser and the plugins you have installed.

Use OpenDNS or Google's DNS servers with your laptop

OpenDNS provides free DNS services, and one thing they do is redirect you from known or suspected malware sites and help protect you from phishing schemes. Googles's DNS service also offers some additional protections compared to the typical ISP. UNC's campus DNS servers also provide this kind of protection.

Browser Settings

Enable Click to Play

For a couple of years now, I've used the >ClicktoPlugin extension with Safari. This blocks flash, html5, java and other popular plugins from automatically loading, and presents an icon that you can click to play the plugin if you so wish.

I just found out that this same functionality is available in Firefox and Chrome, see this Krebs on Security blog article for more info, but here's how to enable it in Firefox (I'm quoting Krebs):

Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the follow “plugins.click_to_play”, again without the quotes. Double click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice).

And in Chrome

From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”.

Block Popup Windows

Use Firefox's preferences to block popup windows. If you need popups for a particular site, you can enable an exception. Chrome <a href="https://support.google.com/chrome/bin/answer.py?hl=en&amp;answer=95472">does this by default</a>.

Plugins

There are a lot of plugins out there you can use to help tighten security. Here's a short list of the ones that seem to me to be the least intrusive and easiest to use. Powerusers and Geeks will likely want to use more sophisticated plugins.

LastPass

LastPass is a free service and plugin that stores your passwords, encrypted, in a little database, and will fill in web forms with your id and password as well as other data. You can choose to store the passwords in their cloud, or you can store them locally, and it can sync passwords between browsers. Similar programs are KeePass and 1Password. The real advantage to this approach is that you use a long, strong password that is unique to each web site and service you visit, and you don't have to remember any of them. When you need a password, you unlock the vault, LastPass fills it in for you, and you're done.

HTTPS Everywhere

The Electronic Freedom Foundation has made a plugin that will test and use HTTPS if it is availabe for all the web sites you visit. It's called HTTPS Everywhere, and is available for Chrome and Firefox. This will help keep your broswer sessions from being sniffed or highjacked when you're in the coffee shop.

Web of Trust

Web of Trust uses user feedback to rate how trust worthy a given web site is. The backend is social, so what it relies on is what other people think about the web site you're about to visit.

QuickJava

QuickJava for Firefox makes it easy to enable and disable Java, Javascript, Cookies, Image Animations, Flash, Silverlight, Images, Stylesheets and Proxy from the either the Statusbar or Toolbar. It is not as complete a solution as NoScript for Firefox or NotScripts for Chrome, but does not require as much technical savvy to use. You left click on an icon to enable the plugin or option, blue means enabled, red means enabled. This is a good one to use if you know, for example, that you need Java but don't ever need Flash. But be aware that this extension blocks plugins silently, you won't be prompted to load those that are blocked.

Additional Info

For additional settings, see the following web sites:

CERT on Securing Your Web Browser.

Cornell's IT on Enhance Your Web Browser's Security.

Thanks to Alex Everett for helping with this article.

Posted by bil at 10:42 AM
Edited on: Tuesday, March 26, 2013 12:43 PM
Categories: