Web Security
Vulnerabilities in Internet Software
Web Security Affects You
Web security is not a new issue, but increases in e-commerce and the fact that more folks are using broadband (always-connected) access have created the need to improve security. There are serious flaws in some browsers, which are further aggravated by security holes in Windows.
While the information on this page may not be light reading, I recommend that you peruse it. You ignore it at your own peril.
Security Weaknesses in Web Browsers
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web (the World Wide Web) you are exposed to scripts and more that can be intentionally or unintentionally dangerous.
Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems, as well as by how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).
Use the Most Recent Browser
Whether you use Internet Explorer or Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
- They are more likely to have earlier security concerns addressed.
- Support for newer hardware and operating systems is usually only provided for current-level browsers.
- The more recent a browser, the more likely it is that it will display recent Websites as the designer intended.
- Users are driving demand for newer features, like tabbed browsing and Really Simple Syndication (RSS 2.0), which are unlikely to be added to older versions.
Use Browsers with Better Encryption
If you can meet the license requirements for the 128-bit RSA encryption for Firefox (and other Mozilla-based) or Internet Explorer Web browsers, this will provide better security than the 56-bit international versions. Most financial institutions will insist on this level of encryption before you can use their on-line services.
Internet Explorer 6 Too Old
IE 6 Isn't Safe
“Internet Explorer 6, which according to the W3school Web browser survey, is still used by over 14% of all Web users is the least safe browser out there. How bad is it? There's a group encouraging Web sites to tell you to dump IE 6. Heck, even Microsoft wants you to get rid of IE6 in favor of IE 7 or IE 8.”
— ITworld
IE6 is Holding Back the Web
Internet Explorer 6 is now holding back development of the Web because it doesn't support many of the more recent advances in web design that would allow for a richer user experience. As well, developers are spending a disproportionate amount of time catering to the special requirements needed to make sites display properly in IE 6, particularly considering the diminishing user base.
- IE6 No More.
- Bring Down IE Campaign.
- If you're unable to upgrade Internet Explorer (some older multi-function printers only work with IE 6), you should be using an alternate browser (Firefox recommended) for regular use. See Internet Explorer 6 Security and Privacy for more information.
Browser-Security Risks
Browser Security Updates
Information is provided on known weaknesses of various Web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.
- Check for Internet Explorer Security Bulletins for news about flaws.
- Check the Security Updates for Mozilla Products including Firefox and Thunderbird.
- Check for Security, Privacy and Cookies in Opera.
Other Security Information
You may also wish to correct known potential security risks associated with various browsers found by other parties.
- Secunia Research's Online Software Inspector checks for vulnerabilities in a number of programs including common browsers and e-mail programs. Offline Personal and Corporate Software Inspectors are available.
- Georgi Guninski Security Research's report on Internet Explorer security shows the various vulnerabilities.
Older Browser Issues
While many of the issues with older browsers are intricate enough to only interest Website designers and browser technicians, older browsers will often incorrectly display newer Websites, if they can display them at all.
Microsoft has finally released a standards-compliant version of Internet Explorer (version 8) which also has the ability to view older sites as intended using Compatibility View. This only works with sites built to look good in Internet Explorer at the expense of other browsers, and I'd recommend leaving Compatibility View disabled if you have to assess the effectiveness of websites in order to fairly judge them.
Even if you are willing to put up with increasing difficulties with display issues, you cannot walk away from the security dangers of using older, unpatched browsers.
Assessing Your Risk
The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files if prompted to do so.
- The Scanit Browser Security Test offers several options in selecting their tests and works with most browsers. The Browser Security Test Statistics are interesting.
- Qualys will check Internet Explorer only.
Security Weaknesses in E-mail Programs
There are security issues with all e-mail programs, but these are most pronounced in Outlook and Outlook Express. Because they are pre-installed in Windows, most users continue to use them without checking for any other options. Note: Outlook Express is no longer available and Microsoft has ceased development and support. Vista users had Windows Mail available to them, but there is no native e-mail program for Windows 7.
Outlook and Outlook Express suffer from the same weaknesses as the Internet Explorer family. I'd recommend not using these products and instead downloading and using one of the alternative e-mail programs that meets your needs. I strongly recommend PocoMail/Barca for the ease of use, especially considering that it was built from the ground up with security in mind.
If you continue to use Outlook (especially for the PIM features) or Outlook Express you should reduce your risk with the following changes to settings.
Windows Scripting Host enables Outlook Express to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for the majority. You can disable Windows Scripting Host by following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.
To turn off ActiveX in Outlook Express:
- From the Tools menu select Options and click on the Security tab. Set the security zone to Restricted Sites. While less convenient it will
- Internet Explorer 6 also has an option which should be checked: "Do not allow attachments to be saved or opened that could potentially be a virus."
To turn off ActiveX in Outlook:
- From the Tools menu select Options and click on the Security tab. Set the security zone for Outlook HTML mail to Restricted Sites.
- You should click through the other tabs and disable all options for ActiveX Controls and plug-ins and Scripting.
- Do not select "Use Microsoft Word as the e-mail editor" in Outlook. The scripting is vulnerable to viruses.
More About Security Issues
The following related pages offer more information about security:
- Security Basics—Preventing Unauthorized Access
- Firewalls—Your First Line of Defense
- ZoneAlarm Security—Recommended Firewall Products
- Your Privacy At Risk—Spyware Detection & Removal
- Passwords and Encryption—Protecting Your Electronic Signature
- Anti-Virus Protection—Current Alerts, Strategies, Hoaxes & Software
- Windows Security—Vulnerabilities in Windows
- Avoiding Spam & Copyright Abuses—Promote Responsible Net Commerce
www.RussHarvey.bc.ca/resources/websecurity.html
Updated: January 31, 2010

