Vulnerabilities in Internet Software
Web Browser Weaknesses
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be dangerous (intentionally or otherwise).
Today's websites bring together information from many sources — most no longer controlled by the site owners. This increases the vulnerability to site visitors.
Use a Modern Browser
Choose a browser based upon its security rather than its popularity or its being the default included on your computer. Be sure to update it regularly. I recommend Firefox because Mozilla is committed to protecting your privacy
Not only do older browsers contain known vulnerabilities, but they are not capable of delivering an optimal experience on modern websites.
Internet Explorer Obsolete
Do NOT use Internet Explorer. It is obsolete and unsafe to use.
Too many programs — including tax software — call IE directly rather than the default browser chosen by the user. Malware, spyware and viruses do the same, making it a major gateway to infection.
All Browsers Have Weaknesses
Web browsers all have some weaknesses and design issues.
The severity can be aggravated by how frequently security updates are provided as well as how tightly the browser has been tied into the operating system.
Which Browser Is the Most Secure?
Most studies are commissioned by the browser developer using tests that focus on the areas where the developer's product will perform the best.
NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks. If no single browser is bulletproof, the next best thing is to make your favorite browser is as secure as possible.
— Check Point blog
No matter which browser you choose, you'll want to ensure that you've optimally secured the browser. Here's five suggestions:
- Configure your browser's security and privacy settings.
- Keep your browser updated. Replace it when no longer supported.
- Be aware of security alerts.
- Enter you're browser's name + “security” into Google Alerts to be notified of any emerging security issues.
- Be cautious when installing browser extensions.
- Uninstall vulnerable plugins (they are being replaced with safer technologies).
- Install and maintain a current and effective security suite on your computer and devices.
Infected websites, misleading downloads and potentially unwanted programs (PUPs) are primary sources of infection.
Update Your Browser
Whether you use Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
- They are more likely to have security concerns addressed.
- Only current-level browsers provide support for newer hardware and operating systems.
- The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
- Newer features are unlikely to be added to older versions.
Firefox Rapid Deployment
In 2011, Firefox began releasing a new major version of Firefox approximately every six weeks.
While this rapid deployment has been annoying (particularly for Firefox extension developers) it has many benefits:
- RapidRelease has allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
- Nightly builds allow developers to experiment with features without endangering the end user's experience.
- Problems that couldn't be fixed with a minor release could be fixed within six weeks rather than the year or longer typical for other browsers.
Chrome and Microsoft Edge automatically update their browsers using methods that may be less noticeable than Firefox's. Major updates are generally released annually.
Check for Updates
Most modern browser check for updates when you inquire about which version they are running or provide a “check for updates” option:
- Windows: Help ⇒ About
- Mac: program name ⇒ About.
Newer browsers also have 128-bit RSA encryption which provides better security than what was available in legacy browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.
However, better encryption won't help if you use poor password hygiene and lack security software with multifaceted and realtime protection.
HTTPS Secure Protocol
HTTPS is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.
The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.
The Electronic Freedom Foundation developed HTTPS Everywhere to check for the availability of an HTTPS server where it is available.
Using HTTPS is strongly recommended, particularly where you're sharing public WiFi like in a coffee shop and wherever you're exchanging private information.
HTTPS Can Be Spoofed
While HTTPS is secure, those running corporate and educational institutions can spoof the authentic sites' security certificate.
The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted…and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.
Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances.” These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security.
— Gibson Research Corporation
Find out if your employer, school, or Internet provider eavesdropping on your secure connections using a fingerprinting comparison of the authentic and actual security certificates.
- How to tell if my connection is secure from Firefox. See also Mixed content blocking in Firefox.
- Look for See if the site is using a secure connection (SSL) in Google Chrome Website settings (you'll need to scroll down the page).
Providing HTTPS Access
For website owners to provide HTTPS access they need to purchase a security certificate, an added expense that only major sites have been able to afford until recently.
Many sites use external resources like PayPal to process credit card information to avoid the need for more robust security on their own servers.
The cost of the security certificates has dropped dramatically in recent years and Google encouraged the widespread use of HTTPS by downgrading HTTP sites in search results.
Browser Security Risks
The various web browsers in use all have known weaknesses. Check these sites for news about security vulnerabilities and privacy issues:
- Security Advisories and Bulletins has news about vulnerabilities in Microsoft products.
- Mozilla Security lists security and privacy issues in Mozilla products.
- Chromium Security for issues with Google Chrome and other Chromium-based browsers.
- Opera's Security Blog.
Browser Built-in Password Managers Insecure
Your browser's prompt to save passwords is convenient but the process used is unsecure and should be replaced with a secure password manager.
I recommend LastPass. The basic service is free but the premium version offers more features.
Unfortunately, poor security leaves the end-user and their private data vulnerable to exploitation.
The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records.
— Tech Republic
Other Security Information
Qualys BrowserCheck will perform a security analysis of your browsers and plugins. It can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.
While many of the issues with older browsers only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.
Microsoft's Internet Explorer is retained because it still has the ability to view older sites as intended using Compatibility View. However, even Microsoft no longer classifies Internet Explorer as a modern (or safe) browser.
Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.
Recommended Email Software
Don't use obsolete (unsupported) email programs. New vulnerabilities remain unpatched in unsupported software.
To avoid security issues with email software, download and use one of my recommended email programs.
Alternatively, move to webmail with the following caveats:
- You need to use a long and strong password because webmail is always accessible world-wide.
- Any time that you don't pay for a product or a service, your private information is the currency. You become the product.
- Because your mail is not on your computer, you have no control over where it is stored. You can lose access to it at any time.
- The “cloud” is not some island in the sky. Many large servers have been hacked. Security is seldom as strong as that provided for their own content.
There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.
Older Versions Less Safe
The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.
Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.
However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.
Reducing Your Risk
If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.
- Install Office updates.
- Check for Office for Mac updates automatically.
- Search the Microsoft Support Lifecycle to learn when each version of Office (and therefore Outlook) loses support from Microsoft.
Disable Windows Scripting Host
Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.
Connect Using HTTPS
Using the HTTPS protocol is strongly recommended for your webmail service. It is critical when you're sharing public WiFi like in a coffee shop.
A VPN is strongly recommended when you don't control the network you're using.
Use Secure Passwords
Be sure to use unique secure passwords for your Webmail account and enable multi-factor authentication. Webmail accounts are accessible to anyone with your email address plus password.
Choose Your Own Recovery Questions
The sorts of questions used for recovery of lost passwords are often posted by their users on social media sites without the owner realizing the risks to both identity theft and to the methods commonly used to recover lost passwords.
Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.