  • How secure is your browser?

    Posted on September 22nd, 2017 at 08:29 woody Comment on the AskWoody Lounge

    Catalin Cimpanu (who’s rapidly become one of my favorite security writers), in BleepingComputer’s Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs

    Google’s automatic fuzzer, named Domato, finds more bugs in Edge than in Internet Explorer. Chrome’s best, of course, followed by Firefox.


    This topic contains 31 replies, has 15 voices, and was last updated by Kirsty 1 year, 5 months ago.

    • Author
      Posts
    • #133927 Reply

      woody
      Da Boss


      8 users thanked author for this post.
    • #133934 Reply

      Noel Carboni
      AskWoody_MVP

      Any browser can be a heckuva lot more secure if it’s blocked in the first place from visiting any of the tens of thousands of sites known to host malware, ads, and tracking. The “attack surface” matters less if fewer sites are attacking.

      Well-managed lists of such sites are online, freely available, awaiting use by people with some technical savvy.

      Use of such lists to blacklist sites can range from augmenting one’s hosts file to use in a custom DNS proxy server to feeding a browser add-on to setting up a firewall.

      The online list sources I use:

      http://winhelp2002.mvps.org/hosts.txt
      http://www.malwaredomainlist.com/hostslist/hosts.txt
      http://mirror1.malwaredomains.com/files/immortal_domains.txt
      https://adaway.org/hosts.txt
      http://someonewhocares.org/hosts/hosts
      http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
      http://www.quero.at/download/adblock-hosts.zip
      http://sysctl.org/cameleon/hosts.win
      http://malware-domains.com/files/domains.zip

      Also, you can easily make strides toward bad site avoidance by switching over to using Cisco OpenDNS addresses (208.67.222.222 and 208.67.220.220) for DNS resolution instead of the addresses your ISP provides.

      -Noel

      9 users thanked author for this post.
      • #133937 Reply

        Cybertooth
        AskWoody Lounger

        Noel, what’s your take on uBlock Origin? It installs (in the browser) extensive blacklists of ad servers and malware sites. In your view, how does that approach compare to populating the hosts file?

        1 user thanked author for this post.
        • #133947 Reply

          Noel Carboni
          AskWoody_MVP

          I’ve heard good things about it but I haven’t tried it. I think I looked into it and found it doesn’t work with IE, but I could have crossed things up.

          If it blacklists bad sites, every little bit helps!

          I personally don’t use the hosts file any more as I have a DNS proxy that does a better job (e.g., it handles wildcarded specifications instead of just single servers).

          -Noel

          1 user thanked author for this post.
        • #133987 Reply

          satrow
          AskWoody MVP

          I primarily use Pale Moon x64 with browser session uptimes usually in the region of 5-10 days, occas. to 30+.

          I try to split the hosts load with the browser; hosts file blocking against mostly malicious sites and servers and protecting Windows and software connections, with uBlockO mostly dealing with the advertising and browser annoyances – though there is a huge amount of overlap dependent on which lists are in use where.

          I also use NoScript but without script blocking, using it primarily to detect/block cross-site scripting (XSS) attempts.

          I use HostsMan to control both the hosts on/off + lists updating and the DNS Client, uBlockO is updated by uBlock Origin Updater (Pale Moon only, I think).

          Note that Windows users with a large host file will experience slowdowns with connections, that can be ameliorated by disabling the DNS Client Service (or if your network requires the use of the DNS Client Service, by using one of the workarounds listed from about halfway down this page): http://winhelp2002.mvps.org/hosts.htm

          2 users thanked author for this post.
        • #134006 Reply

          MrBrian
          AskWoody_MVP

          I think that Noel would like the dynamic filtering of uBlock Origin (which is optional to use) so much that he might change browsers to use it :).

          2 users thanked author for this post.
          • #134084 Reply

            Noel Carboni
            AskWoody_MVP

            Thanks, MrBrian. I already have a nice installation of Pale Moon to try it in.

            I was just reading at the link you posted about dynamic filtering… I’m usually pretty good about deriving what something’s all about by looking at the configuration dialog, but I’m not really sensing what’s “dynamic” about the feature… Is it that it can gate certain sites for specific pages? That sounds handy, though there are very few that I wouldn’t want blocked all the time. Put another way, I don’t feel my current browsing experience is bad.

            I definitely need to get to know uBlock better, though. It’s definitely my kind of tool.

            -Noel

            • #134122 Reply

              MrBrian
              AskWoody_MVP

              @Noel: You’re welcome :).

              From https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide: “Static filtering refers to the filters which comes from the filter lists, i.e. EasyList, EasyPrivacy, hpHosts, etc. Dynamic filtering are those filtering rules which have an air of firewall rules.”

              There are three dynamic filtering actions:

              Allow = allow, regardless of filter lists

              Block = block, regardless of filter lists

              Noop = filter lists are used to decide whether to allow or block

              • This reply was modified 1 year, 5 months ago by
                 MrBrian.
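The interplay between the three dynamic actions above and the static lists, together with the hosts-file versus wildcard DNS-proxy distinction from Noel's earlier reply, as an added Python model. This is not uBlock Origin's code; the rule-precedence order (longer destination wins, then a named source beats "*") and the sample hosts entries are assumptions.

```python
# Toy model of layered blocking: hosts-style static list + uBlock-style dynamic rules.
# Added example, not uBlock Origin's code; rule precedence is simplified (assumption).

# Constructed sample in the hosts.txt format the lists above publish (not a real list).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 malware.example-bad.test   # trailing comment
127.0.0.1 cdn.example-ads.test extra.example-ads.test
"""
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Return the set of hostnames a hosts-style list sinkholes."""
    blocked = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLES:
            continue
        blocked.update(h.lower() for h in fields[1:] if h.lower() != "localhost")
    return blocked

def host_matches(pattern, host):
    """'*' matches anything; a hostname matches itself and its subdomains."""
    return pattern == "*" or host == pattern or host.endswith("." + pattern)

def static_decision(dst, blocked, wildcard=False):
    """Hosts file: exact names only. DNS proxy (wildcard=True): subdomains too."""
    if dst in blocked or (wildcard and any(dst.endswith("." + b) for b in blocked)):
        return "block"
    return "allow"

def dynamic_decision(src, dst, rules):
    """Most specific matching (source, destination, action) rule wins.
    Assumption: longer destination first, then a named source beats '*'."""
    best_score, best_action = None, "noop"
    for r_src, r_dst, action in rules:
        if not (host_matches(r_src, src) and host_matches(r_dst, dst)):
            continue
        score = (0 if r_dst == "*" else r_dst.count(".") + 1,
                 0 if r_src == "*" else r_src.count(".") + 1)
        if best_score is None or score > best_score:
            best_score, best_action = score, action
    return best_action

def decide(src, dst, rules, blocked, wildcard=False):
    """Allow/block from a dynamic rule overrides the lists; noop defers to them."""
    action = dynamic_decision(src, dst, rules)
    return static_decision(dst, blocked, wildcard) if action == "noop" else action

RULES = [
    ("*", "*", "noop"),                                      # default: lists decide
    ("*", "example-ads.test", "block"),                      # block regardless of lists
    ("news.example.test", "cdn.example-ads.test", "allow"),  # per-site exception
    ("*", "example-tracker.test", "allow"),                  # allow regardless of lists
]

if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for src, dst in [("news.example.test", "cdn.example-ads.test"),
                     ("blog.example.test", "cdn.example-ads.test"),
                     ("blog.example.test", "sub.malware.example-bad.test")]:
        print(src, "->", dst, decide(src, dst, RULES, blocked),
              "/ wildcard proxy:", decide(src, dst, RULES, blocked, True))
```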
          • #134092 Reply

            Noel Carboni
            AskWoody_MVP

            OK, I’ve got uBlock Origin in Pale Moon.

            It’s nice to see the ads/tracking links not even going to the DNS server. It’ll be interesting to see whether I get any “— blacklisted by DNS proxy —” messages while using this combo.

            Mission accomplished: Yet another layer of protection in place. Niiiiice. Thanks again for giving me a little project to do this evening, MrBrian!

            Now off to figure out how to get everything to open in a new window (I have lots of monitors and I’m not fond of tabs)…

            -Noel

            • This reply was modified 1 year, 6 months ago by
               Noel Carboni.
            1 user thanked author for this post.
          • #134176 Reply

            JohnW
            AskWoody Plus

            I really like uBlock Origin. I’m sure that the static filter lists have saved my bacon more than once, by blocking me from accessing a link that I shouldn’t have clicked on!

            It’s nice to see the capability of the dynamic filtering, but I have not used it much.

            I generally use uMatrix, from the same developer, for dynamic filtering of sites.

            https://github.com/gorhill/uMatrix

            Forked and refactored from HTTP Switchboard.  Used together with uBlock Origin, I feel that I’m well covered in the browser now.  https://github.com/gorhill/httpswitchboard/wiki/How-to-use-HTTP-Switchboard:-Two-opposing-views

            I find uMatrix easier to wrap my head around, and it has become a replacement for NoScript for me.

      • #133945 Reply

        NetDef
        AskWoody_MVP

        We use some of those hosts lists as blocking rules for our advanced firewalls for my clients, which is a bit easier than pushing out updated hosts files to every workstation – same end result.  There are also some nice tools that can update your hosts file for you for the home or small network budget:  One such that comes in a free (manual updates) or budget edition (automatic updates) is Spybot — https://www.safer-networking.org/features/immunization/

        ~ Group "Weekend" ~

        6 users thanked author for this post.
        • #134010 Reply

          Bob99
          AskWoody Lounger

          I use Spybot along with another app, SpywareBlaster. Both “inoculate” the browsers on your machine in overlapping ways using the hosts file and other measures built into the browsers. SpywareBlaster used to be from Javacool Software, but it’s now put out by Brightfort. The change was made about two years ago, if memory serves.

    • #133939 Reply

      MrBrian
      AskWoody_MVP

      From Two new white papers examine enterprise web browser security (Sep. 19, 2017):

      “This complex landscape of enterprise browser security is the topic of two white papers recently published from security engineering firms X41 D-Sec GmbH and Cure53. Both firms have extensive industry experience and expertise in information security, application security, web application security and vulnerability discovery. These two papers leverage that expertise to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).

      We [Google] sponsored this research, which was conducted independently by the research firms, to help enterprise IT administrators evaluate which browser best fits their security and functionality needs. To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions.”

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      1 user thanked author for this post.
    • #133943 Reply

      NetDef
      AskWoody_MVP

      I’m a big fan of NoScript for Firefox and uBlock Origin combined.  For Chrome uBlock Origin helps – but I miss NoScript there.

      Trouble with both tools is that you need some sense and savvy to adjust settings as needed for specific websites you want to trust.  I’ve tried several times over the years to train end users to utilize these plugins – with mixed success.  They are not quite “install and forget” ready yet.

      ~ Group "Weekend" ~

      4 users thanked author for this post.
      • #133952 Reply

        AJNorth
        AskWoody Plus

        Agreed; I consider both NoScript and uBlock Origin essential (in Firefox, my primary browser).

        In addition to them, I also install HTTPS Everywhere and Privacy Badger (both from the EFF), and now once again the Web Of Trust (now that they’ve cleaned-up their act).

        True, some end users are challenged by these add-ons, but fortunately most of the ones I have dealt with were able to acclimate to them (with a few exceptions…).

        As an aside, though not directly a browser security enhancement, nevertheless I also install WinPatrol on all clients’ Windows boxes. It’s very lightweight and adds a worthwhile layer of protection, IMHO.

        2 users thanked author for this post.
        • #133968 Reply

          Ascaris
          AskWoody_MVP

          Add me to the tally of uBlock/NoScript users with FF (actually Waterfox at this point, but close enough).

          I tried using the two with Privacy Badger too, but it was just too difficult to troubleshoot a site when it fails to work (a regular part of browsing when you use NoScript).  NoScript and uBlock should be more than adequate to block anything PB would have.  With NoScript, the idea is to only allow scripts that are necessary, which the ones PB blocks usually are not.  If I could be sure that the order would be uBlock  => NoScript => PB, I think PB would be fairly trivial to handle (as it would hardly ever have anything to block by the time everything got filtered through the others), but I really have no idea which addons parse first.  I do know that PB caught a lot of things before they got to NoScript, which was less than ideal.

          NoScript can be pretty demanding to use, and more so to use to its full (most secure and private) potential, though certainly I think it is worth it (else I would not be using it).  PB is a lot closer to a “fire and forget” solution, and I’d suggest that to anyone not prepared to undergo the NoScript hassle.

          PB isn’t completely hassle-free, though; it sometimes does block things that people want, since those things do sometimes track the user.  One example is Disqus, which a lot of people use to comment on posts and articles on various web sites.  It also exhibits behavior that PB interprets as tracking (and it’s probably an accurate assessment, given the state of the web now), which PB then blocks, and thus the function of Disqus that is wanted is blocked along with the tracking.  It is then up to the user to unblock the scripts that PB has blocked to get it working again, which is similar to what NoScript users have to do.  The difference is that ALL scripts have to be sorted this way in NoScript, while only the tracking ones do in PB.

          PB, of course, is about blocking trackers, so non-tracking malicious scripts will still get through.  Malvertising delivered through the ad networks should normally be blocked by PB and adblockers, fortunately.

          Group "L" (KDE Neon User Edition 5.15.3 & Kubuntu 18.04).

          4 users thanked author for this post.
    • #133965 Reply

      Microfix
      AskWoody MVP

      As an added layer to our browser security, sandboxing the browser/s and specific apps has helped protect the systems along with some of the aforementioned browser extensions. Firejail for Linux works great for our nix machines:

      For those who are not aware of Firejail and what it does:

      ‘Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.
      It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.’

      | W10 Pro x64 1803 | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64/ XP Pro O/L
        Can't see the wood for the trees? Look again!
      3 users thanked author for this post.
      • #134020 Reply

        AJNorth
        AskWoody Plus

        Indeed.  For the more technically inclined who wish to go the extra mile (or kilometer), sandboxing can help insulate one’s rig against a multitude of traumatic misfortunes.

        For Windows, that would likely be Sandboxie; the free version should suffice for browser protection. (While they reference a Lifehacker article at their site, here is a slightly more recent one, that also addresses virtualization for the Über Tech: How to Safely Test Software Without Messing Up Your System.)

        1 user thanked author for this post.
      • #133973 Reply

        anonymous

        Is there anything similar to Firejail, preferably open source, for Windows 7?

    • #133986 Reply

      b
      AskWoody Plus

      Microsoft finds a security flaw in Chrome and gets $7,500 as a prize
      Nothing is perfect and neither is Google Chrome.

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

      3 users thanked author for this post.
      • #134011 Reply

        Bob99
        AskWoody Lounger

        ROTFLOL!! Couldn’t have said it better myself! NO browser is perfect, they all are just the one(s) one prefers using!! Outrageously funny that MS gets $7500 paid to them by their immediate competitor in the browser arena!

        Now, hopefully, Google will fix the hole MS pointed out in Chrome for the benefit of the regular Chrome users.

      • #134240 Reply

        Noel Carboni
        AskWoody_MVP

        Microsoft finds a security flaw in Chrome and gets $7,500 as a prize

        LOL, the difference I see there is that Microsoft expects us to pay them to find their bugs. 😀

        -Noel

    • #134087 Reply

      AlexEiffel
      AskWoody_MVP

      Sometimes I stop for a second and wonder why we are still using OSes that don’t segregate processes properly and eliminate so many problems much higher in the chain? In an ideal world, I would have a built-in, no-tweaking-required, low-privilege browser that can’t write anywhere for casual browsing. When I want to download, I would flip a switch to lift a restriction to write only in one low-privilege download folder. That should be standard.

      Anybody here ever tried Qubes OS?

      2 users thanked author for this post.
      • #134244 Reply

        NetDef
        AskWoody_MVP

        Sometimes I stop for a second and wonder why we are still using OSes that don’t segregate processes properly and eliminate so many problems much higher in the chain?

        We had that once!  VAX-11/VMS . . .

        Anybody here ever tried Qubes OS?

        No, but now my curiosity is triggered . . . off to research.

        ~ Group "Weekend" ~

        2 users thanked author for this post.
        • #134471 Reply

          Noel Carboni
          AskWoody_MVP

          We had that once! VAX-11/VMS . . .

          Hear hear! Then the architecture got applied to toy computers… Sigh.

          -Noel

    • #133956 Reply

      anonymous

      Opera isn’t even mentioned, guess it’s less known

    • #134050 Reply

      anonymous

      The project zero team at google finds that google chrome is the most secure browser? I’m shocked! [/sarcasm]

      T

    • #134112 Reply

      anonymous

      Anyone else notice that many exploits seem to be targeting extensions these days? Whenever I read about a hacking contest it seems they focus on an extension exploit. Edge is way better than IE but is still connected to Windows too much. Everything has holes, and it’s more about how fast they are patched.

    • #138752 Reply

      MrBrian
      AskWoody_MVP

      From Browser security beyond sandboxing: “For this project, we set out to examine Google’s Chrome web browser, whose security strategy shows a strong focus on sandboxing. We wanted to see how Chrome held up against a single RCE vulnerability, and try to answer: is having a strong sandboxing model sufficient to make a browser secure?”

      1 user thanked author for this post.
      • #138821 Reply

        NetDef
        AskWoody_MVP

        I thought this part was pretty cool:

        {snip}. . . the report was awarded a $7,500 bug bounty by Google. Along with other bugs our team reported but didn’t exploit, the total bounty amount we were awarded was $15,837. Google matched this amount and donated $30,000 to Denise Louie Education Center, our chosen organization in Seattle.

        Granted it’s a tiny donation relative to their net worth, but still . . .

        ~ Group "Weekend" ~

    • #138836 Reply

      Kirsty
      Da Boss

      Microsoft Takes Jab Back at Google’s Security Team
      By Catalin Cimpanu | October 18, 2017

      No good deed remains unpunished, they say, and so is the case of the recent spat between Google and Microsoft’s security teams.

      This whole “friendly competition” started last fall when Google’s Project Zero security team started reporting flaw after flaw in Microsoft products like Internet Explorer, Edge, Windows Defender, and the Windows operating system itself.


      Microsoft can find bugs in Google products too

      Microsoft’s Offensive Security Research (OSR) team found the bug and reported the issue to Google in September. Google fixed it in Chrome 61, and even awarded Microsoft researchers a total of $15,837 for their effort, money that Microsoft plans to donate to charity.

      According to Microsoft, the vulnerability (CVE-2017-5121) is a high-severity out-of-bounds information leak that can lead to remote code execution inside a user’s browser.

      Most of the previous bugs Google researchers found in Microsoft products were found using fuzzers — automated tools for performing fuzzing. Ironically, or not, Microsoft also used a fuzzer to find this bug.

      Read the full article here
