Vulnerabilities in Internet Software

Browser Weaknesses | Email Weaknesses | Why It Matters

Web Browser Weaknesses

Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be dangerous (intentionally or otherwise).

Today's websites bring together information from many sources — most no longer controlled by the site owners. This increases the vulnerability to site visitors.

Use a Modern Browser

Choose a browser based upon its security rather than its popularity or its being the default included on your computer. Be sure to update it regularly. I recommend Firefox because Mozilla is committed to protecting your privacy

Not only do older browsers contain known vulnerabilities, but they are not capable of delivering an optimal experience on modern websites.

Internet Explorer Obsolete

Do NOT use Internet Explorer. It is obsolete and unsafe to use.

Too many programs — including tax software — call IE directly rather than the default browser chosen by the user. Malware, spyware and viruses do the same, making it a major gateway to infection.

All Browsers Have Weaknesses

Web browsers all have some weaknesses and design issues.

The severity can be aggravated by how frequently security updates are provided as well as how tightly the browser has been tied into the operating system.

Which Browser Is the Most Secure?

Most studies are commissioned by the browser developer using tests that focus on the areas where the developer's product will perform the best.

NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks. If no single browser is bulletproof, the next best thing is to make your favorite browser is as secure as possible.
— Check Point blog

No matter which browser you choose, you'll want to ensure that you've optimally secured the browser. Here's five suggestions:

Configure your browser's security and privacy settings.
- Securing Your Web Browser from U.S. Homeland Security
- How to beef up your Chrome and Firefox security from CNET
Keep your browser updated. Replace it when no longer supported.
Be aware of security alerts.
- Enter you're browser's name + “security” into Google Alerts to be notified of any emerging security issues.
Be cautious when installing browser extensions.
Uninstall vulnerable plugins (they are being replaced with safer technologies).
Install and maintain a current and effective security suite on your computer and devices.

Infected websites, misleading downloads and potentially unwanted programs (PUPs) are primary sources of infection.

Update Your Browser

Whether you use Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

They are more likely to have security concerns addressed.
Only current-level browsers provide support for newer hardware and operating systems.
The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
Newer features are unlikely to be added to older versions.

Firefox Rapid Deployment

In 2011, Firefox began releasing a new major version of Firefox approximately every six weeks.

While this rapid deployment has been annoying (particularly for Firefox extension developers) it has many benefits:

RapidRelease has allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
Nightly builds allow developers to experiment with features without endangering the end user's experience.
Problems that couldn't be fixed with a minor release could be fixed within six weeks rather than the year or longer typical for other browsers.

Chrome and Microsoft Edge automatically update their browsers using methods that may be less noticeable than Firefox's. Major updates are generally released annually.

Check for Updates

Most modern browser check for updates when you inquire about which version they are running or provide a “check for updates” option:

Windows: Help ⇒ About
Mac: program name ⇒ About.

Better Encryption

Newer browsers also have 128-bit RSA encryption which provides better security than what was available in legacy browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.

However, better encryption won't help if you use poor password hygiene and lack security software with multifaceted and realtime protection.

HTTPS Secure Protocol

HTTPS is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.

The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.
— Wikipedia

HTTPS Everywhere

The Electronic Freedom Foundation developed HTTPS Everywhere to check for the availability of an HTTPS server where it is available.

Using HTTPS is strongly recommended, particularly where you're sharing public WiFi like in a coffee shop and wherever you're exchanging private information.

HTTPS Can Be Spoofed

While HTTPS is secure, those running corporate and educational institutions can spoof the authentic sites' security certificate.

The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted…and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.

Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances.” These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security.
— Gibson Research Corporation

Find out if your employer, school, or Internet provider eavesdropping on your secure connections using a fingerprinting comparison of the authentic and actual security certificates.

How to tell if my connection is secure from Firefox. See also Mixed content blocking in Firefox.
Look for See if the site is using a secure connection (SSL) in Google Chrome Website settings (you'll need to scroll down the page).

Providing HTTPS Access

For website owners to provide HTTPS access they need to purchase a security certificate, an added expense that only major sites have been able to afford until recently.

Many sites use external resources like PayPal to process credit card information to avoid the need for more robust security on their own servers.

The cost of the security certificates has dropped dramatically in recent years and Google encouraged the widespread use of HTTPS by downgrading HTTP sites in search results.

Browser Security Risks

The various web browsers in use all have known weaknesses. Check these sites for news about security vulnerabilities and privacy issues:

Security Advisories and Bulletins has news about vulnerabilities in Microsoft products.
Mozilla Security lists security and privacy issues in Mozilla products.
Chromium Security for issues with Google Chrome and other Chromium-based browsers.
Opera's Security Blog.

Browser Built-in Password Managers Insecure

Your browser's prompt to save passwords is convenient but the process used is unsecure and should be replaced with a secure password manager.

I recommend LastPass. The basic service is free but the premium version offers more features.

JavaScript Issues

JavaScript is used by many websites to improve the user experience by making them more interactive. Most common are log-in and information-gathering forms.

Unfortunately, poor security leaves the end-user and their private data vulnerable to exploitation.

The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records.
— Tech Republic

Major websites plagued by lack of effective security against JavaScript vulnerabilities.

Other Security Information

Firefox, like many modern browsers, has replaced vulnerable plugins that can slow or crash your browser with new features built into HTML5.

Qualys BrowserCheck will perform a security analysis of your browsers and plugins. It can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.

Older Browsers

While many of the issues with older browsers only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.

Microsoft's Internet Explorer is retained because it still has the ability to view older sites as intended using Compatibility View. However, even Microsoft no longer classifies Internet Explorer as a modern (or safe) browser.

Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.

Return to top

Email Weaknesses

Recommended Email Software

Don't use obsolete (unsupported) email programs. New vulnerabilities remain unpatched in unsupported software.

To avoid security issues with email software, download and use one of my recommended email programs.

Alternatively, move to webmail with the following caveats:

You need to use a long and strong password because webmail is always accessible world-wide.
Any time that you don't pay for a product or a service, your private information is the currency. You become the product.
Because your mail is not on your computer, you have no control over where it is stored. You can lose access to it at any time.
The “cloud” is not some island in the sky. Many large servers have been hacked. Security is seldom as strong as that provided for their own content.

Outlook Problematic

There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.

Older Versions Less Safe

The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.

Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.

However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.

Reducing Your Risk

If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.

Install Office updates.
Check for Office for Mac updates automatically.
Search the Microsoft Support Lifecycle to learn when each version of Office (and therefore Outlook) loses support from Microsoft.

Disable Windows Scripting Host

Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.

Webmail Security

Connect Using HTTPS

Using the HTTPS protocol is strongly recommended for your webmail service. It is critical when you're sharing public WiFi like in a coffee shop.

A VPN is strongly recommended when you don't control the network you're using.

Use Secure Passwords

Be sure to use unique secure passwords for your Webmail account and enable multi-factor authentication. Webmail accounts are accessible to anyone with your email address plus password.

Choose Your Own Recovery Questions

The sorts of questions used for recovery of lost passwords are often posted by their users on social media sites without the owner realizing the risks to both identity theft and to the methods commonly used to recover lost passwords.

Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.

Why It Matters

In the last 20 years websites have moved from static information sites to interactive and dynamic sites, many of which import content directly from external sources.

Your computers, mobile phones, tablets and other connected devices are an integral part of the Internet whenever they are powered on.

You're Being Tracked

The surveillance economy has replaced traditional markets. Data collection is widespread and your personal profile is the currency.

Scripts and analytics abound.

Your Data Shared with Advertisers

The old days of embedded ads is gone forever.

Sites submit whatever data they have on you to numerous third-party advertisers to bid in realtime for targeted ads. This is why they whine about ad blockers.

Few of these third-party sites have a privacy policy; many are more interested in collecting your profile than bidding for the advertising space.

What's worse, Google and Facebook control some 90% of the advertising revenue and the rest scramble for the crumbs while blaming ad blockers for reduced revenues.

Vulnerabilities Abound

There are serious flaws in some browsers, which is further aggravated by security holes in Windows and serious flaws in some websites.

Governments and hackers alike take advantage of zero-day exploits.

Many of these go unreported and remain unfixed so these malicious actors can continue to use them.

Security Software

In today's always-connected world, you need excellent realtime security software combined with a best-effort to remove and patch vulnerabilities via software updates.

Security Settings

Web browsers cannot protect you adequately unless you learn how to optimize their security settings and beef up security where needed.

Your choice of browser matters.

Choose a browser for privacy and security, not because it is already on your device or because it is popular. Google Chrome has replaced Internet Explorer as the default browser for many, exposing them to extensive data tracking and profiling.

Whichever browser you choose, follow these security principles:

Use only a currently-supported operating system
Install security updates.
Keep your software (apps) current.
Replace software when it is no longer supported.

Newer hardware supports better encryption and security features such as biometric login.

User Error

The largest vulnerability remains the end user who refuses to use strong passwords, isn't vigilant of phishing attempts and is careless with security protocols.

You must discipline yourself to be careful when choosing your downloads, what links you click on as well as what you share on social media and elsewhere.

To remain safe, learn more about preventing unauthorized access and security strategies.

Related Resources

Related resources on this site:

or check the resources index.

Return to top
RussHarvey.bc.ca/resources/websecurity.html
Updated: June 18, 2022