Think about it: the browser is the gateway to access today’s online world.
If you frequent social networking sites such as Facebook, LinkedIn, and Twitter, you’re going to use a browser. Into cloud computing? Dropbox, Amazon Web Services? Blogging through WordPress, Tumblr, Blogger?
The web-browser is also the primary means of attack by crackers and criminals. There are still millions of machines subverted by botnets and other software to attack companies and individuals, primarily by exploiting bad code written into web browsers.
Internet Explorer is the main target, but Firefox and Safari have also come under attack. “Zero-day” attacks exploit vulnerabilities that are unknown until a malicious attack comes to light – they have to be patched after the fact, during which time the browser is at risk.
The headlines for securing any web-browser are:
- Update regularly.
- Lock down macro-based content – mostly Flash.
- Manage cookies.
- Verify the sites you’re visiting.
Microsoft itself is pushing users to migrate away from Internet Explorer 5, 6 and 7. IE8 isn’t great, while IE9 and 10 are current for Windows 7 and 8. That’s a lot of version numbers. The older things get, the more vulnerable they are.
Windows Update will push a version of IE appropriate to your Windows version. You will get automatic updates of Firefox direct from Mozilla and Safari from Apple.
Many of these updates contain patches to close vulnerabilities discovered in the browser’s code.
Browser add-ons – plugins and extensions – offer many cool features but may themselves be compromised when attacked, like a badly secured side-gate to your property. Before you download an add-on, do a bit of research about the provenance of the download: its source and quality.
Macro-Based Content: Flash and Silverlight
There are some sites (Microsoft) that still demand you install Silverlight in order to view all content. If you can avoid it, don’t – Silverlight is dying. So is Flash, but it was already much more prevalent and there’s a vast amount of Flash-based content. The Flashblock extension is useful because it allows you to determine exactly when you want to run Flash in your browser.
Flashblock doesn’t let Flash run automatically, replacing any Flash content with a blue and grey icon; click on the blue f in the icon and the Flash content is loaded.
In Firefox, you can go to Tools, Add-ons then to the Preferences to configure Flashblock. This includes exempting sites, for example, any that you use regularly and want the Flash to run automatically.
Cookies are tracking code stored in your browser’s cache. Often just simple text files, cookies are useful for storing preferences for websites. Whilst not in themselves evil, some cookies are persistent and very detailed. I frequently delete all the cookies on my machines and start again. I don’t notice much inconvenience – it’s not like I’ve deleted stored passwords or browser history. If that’s too blunt an action, Firefox has several good add-ons for managing cookies:
BetterPrivacy offers fine-grain control to manage various types of cookies, including long-term and non-expiring cookies.
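To show what separates a session cookie from a persistent or long-term one, here is an added example (not part of the original post) that classifies cookies by the lifetime a site requests in its Set-Cookie header. The one-year cut-off for "long-term", the function names and the sample headers are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LONG_TERM = timedelta(days=365)  # assumed cut-off for a "long-term" cookie

# Constructed sample Set-Cookie header values (not captured from a real site).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "prefs=dark; Max-Age=2592000; Path=/",
    "track=u-991; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/",
    "old=1; Max-Age=0",
    "broken=1; Expires=not-a-date",
]

def cookie_lifetime(header, now):
    """Return (name, lifetime); lifetime is None for a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        try:
            if key == "max-age":
                max_age = timedelta(seconds=int(val))
            elif key == "expires":
                expires = parsedate_to_datetime(val.strip()) - now
        except (TypeError, ValueError):
            pass  # an unparsable attribute is ignored, as browsers do
    # When both are present, Max-Age wins over Expires (RFC 6265).
    return name, max_age if max_age is not None else expires

def classify(header, now):
    """Label a cookie as session, expired, persistent or long-term."""
    name, lifetime = cookie_lifetime(header, now)
    if lifetime is None:
        return name, "session"      # gone when the browser closes
    if lifetime <= timedelta(0):
        return name, "expired"      # the site is asking for deletion
    if lifetime >= LONG_TERM:
        return name, "long-term"
    return name, "persistent"

def long_term_cookies(headers, now):
    """Names of the cookies worth reviewing or deleting first."""
    return [n for n, kind in (classify(h, now) for h in headers) if kind == "long-term"]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h, datetime.now(timezone.utc)))
```
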
Blindly browsing new websites and linked addresses can be exciting, but also very dangerous. Browser add-ons such as ShowIP, IP WOT Safe Browsing Tool will tell you more about a specific site, starting with the IP address to determine the site’s country of origin.
The WOT (Web of Trust) Safe Browsing tool helps to verify sites as legitimate by using social networking; thousands of users rate sites and report problems. By participating in the Web of Trust, you are helping the community – and yourself – browse more safely.
There is yet more we can do to inhibit attacks through the browser and we’ll take a look in more detail soon. AJS