Web Security
Vulnerabilities in Internet Software
Web Security Affects You
Web security is not a new issue, but increases in e-commerce and the fact that more folks are using broadband (always-connected) access have created the need to improve security. There are serious flaws in some browsers, which are further aggravated by security holes in Windows.
While the information on this page may not be light reading, I recommend that you peruse it. You ignore it at your own peril.
Security Weaknesses in Web Browsers
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web (the World Wide Web) you are exposed to scripts and more that can be intentionally or unintentionally dangerous.
Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).
Use the Most Recent Browser
Whether you use Internet Explorer or Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
- They are more likely to have earlier security concerns addressed.
- Support for newer hardware and operating systems is usually only provided for current-level browsers.
- The more recent a browser, the more likely it is that it will display recent Websites as the designer intended.
- Users are driving demand for newer features, like tabbed browsing and Really Simple Syndication (RSS 2.0), which are unlikely to be added to older versions.
Use Browsers with Better Encryption
If you can meet the license requirements for the 128-bit RSA encryption for Firefox (and other Mozilla-based) or Internet Explorer Web browsers, this will provide better security than the 56-bit international versions. Most financial institutions will insist on this level of encryption before you can use their on-line services.
Internet Explorer 6 Too Old
IE 6 Isn't Safe
“Internet Explorer 6, which according to the W3school Web browser survey, is still used by over 14% of all Web users, is the least safe browser out there. How bad is it? There's a group encouraging Web sites to tell you to dump IE 6. Heck, even Microsoft wants you to get rid of IE6 in favor of IE 7 or IE 8.”
— ITworld
IE6 is Holding Back the Web
Internet Explorer 6 is now holding back development of the Web because it doesn't support many of the more recent advances in web design that would allow for a richer user experience. As well, developers are spending a disproportionate amount of time catering to the special requirements to make IE 6 display properly — particularly considering the diminishing user base.
- IE6 No More.
- Bring Down IE Campaign.
- If you're unable to upgrade Internet Explorer (some older multi-function printers only work with IE 6), you should be using an alternate browser (Firefox recommended) for regular use. See Internet Explorer 6 Security and Privacy for more information.
Browser-Security Risks
Browser Security Updates
Information is provided on known weaknesses of various Web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.
- Check for Internet Explorer Security Bulletins for news about flaws.
- Check the Security Updates for Mozilla Products including Firefox and Thunderbird.
- Check for Security, Privacy and Cookies in Opera.
Other Security Information
You may also wish to correct known potential security risks associated with various browsers found by other parties.
- Secunia Research's Online Software Inspector checks for vulnerabilities in a number of programs including common browsers and e-mail programs. Offline Personal and Corporate Software Inspectors are available.
- Georgi Guninski Security Research's report on Internet Explorer security shows the various vulnerabilities.
Older Browser Issues
While many of the issues with older browsers are intricate enough to only interest Website designers and browser technicians, older browsers will often incorrectly display newer Websites, if they can display them at all.
Microsoft has finally released a standards-compliant version of Internet Explorer (version 8), which also has the ability to view older sites as intended using Compatibility View. Compatibility View only helps with sites built to look good in Internet Explorer at the expense of other browsers, and I'd recommend leaving it disabled if you have to assess the effectiveness of websites and want to judge them fairly.
Even if you are willing to put up with increasing difficulties with display issues, you cannot walk away from the security dangers of using older, unpatched browsers.
Assessing Your Risk
The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files if prompted to do so.
- The Scanit Browser Security Test offers several options in selecting their tests and works with most browsers. The Browser Security Test Statistics are interesting.
- Qualys will check Internet Explorer only.
Security Weaknesses in E-mail Programs
Outlook and Outlook Express Not Recommended
There are security issues with all e-mail programs but this is most pronounced in Outlook and Outlook Express because Microsoft products are so tightly tied together.
Outlook Express Obsolete
Because Outlook Express is pre-installed in Windows XP most users continue to use it without checking for any other options.
Outlook Express is a legacy of Internet Explorer 6 — Microsoft has ceased development and support. Windows Mail was included with Windows Vista, but there is no native e-mail program for Windows 7.
Outlook — It Depends
The vulnerability of Outlook depends upon the version. Earlier versions suffer from the same weaknesses as the Internet Explorer family.
However, Outlook went back to using MS Word for HTML rendering in Office 2007, so this is no longer true for that version. The interlinking of Microsoft products nevertheless remains a security concern, as a weakness in any one affects them all.
Recommended E-mail Software
Instead, download and use one of the alternative e-mail programs that meet your needs.
I strongly recommend either PocoMail/Barca, for its ease of use and especially because it was built from the ground up with security in mind, or Thunderbird.
Barca is the same as PocoMail except that it adds a calendar and other features similar to Microsoft Outlook.
Thunderbird is a free e-mail program from Mozilla, the same folks that make the Firefox browser. This program would suit users not needing the extras provided in commercial products. If Outlook Express worked for you, then Thunderbird will too.
Reducing Your Risk If Using Outlook Express
If you continue to use Outlook (especially for the PIM features) or Outlook Express you should reduce your risk with the following changes to settings.
Windows Scripting Host enables Outlook Express to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for the majority. You can disable Windows Scripting Host by following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.
To turn off ActiveX in Outlook Express:
- From the Tools menu select Options and click on the Security tab. Set the security zone to Restricted Sites. While less convenient it will
- Internet Explorer 6 also has an option which should be checked: "Do not allow attachments to be saved or opened that could potentially be a virus."
To turn off ActiveX in Outlook:
- From the Tools menu select Options and click on the Security tab. Set the security zone for Outlook HTML mail to Restricted Sites.
- You should click through the other tabs and disable all options for ActiveX Controls and plugins and Scripting.
- Do not select "Use Microsoft Word as the e-mail editor" in Outlook. The scripting is vulnerable to viruses.
More About Related Issues
Protecting Your Online Identity
The following related pages offer more information about protecting your online identity:
- Passwords and Encryption — Protecting Your Electronic Signature
- Avoiding Spam — Unsolicited E-mails and Mailing Lists
- Identity Theft — Obtaining Information by Deceit
- Proper E-mail Address Etiquette — Using To:, CC: & BCC: Correctly
Securing Your Computer
The following related pages offer more information about securing your computer:
- Security Basics — Preventing Unauthorized Access
- Firewalls — Your First Line of Defense
- ZoneAlarm Security — Recommended Firewall Products
- Anti-Virus Protection — Current Alerts, Strategies, Hoaxes & Software
- Your Privacy At Risk — Spyware Detection & Removal
- Passwords and Encryption — Protecting Your Electronic Signature
- Windows Security — Vulnerabilities in Windows
www.RussHarvey.bc.ca/resources/websecurity.html
Updated: July 23, 2010

