Web Security
Vulnerabilities in Internet Software
Browser Weaknesses | Email Weaknesses | Security Affects You
Web Browser Weaknesses
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be intentionally or unintentionally dangerous.
Today's websites bring together information from many sources, many of which are often not controlled by the site owners. This increases the vulnerability to site visitors.
The fact that Internet Explorer warns you about the risks of running content located on your computer will tell that can also be unsafe. Since malware, spyware, viruses, etc. can assume the presence of Internet Explorer on any Windows system, they often call it directly (a major weakness in Windows) rather than requesting the default browser.
All Browsers Have Weaknesses
Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).
Which Browser Is the Most Secure?
This is not an easy question to answer as most studies are commissioned by the browser developer where tests will focus on the areas where their browser will perform the best.
NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks. If no single browser is bulletproof, the next best thing is to make your favorite browser is as secure as possible. — ZoneAlarm Blog
No matter the browser you're using, you'll want to ensure that you've secured the browser the best you can. Here's five suggestions:
- Configure your browser's security and privacy settings. See Securing Your Web Browser from U.S. Homeland Security.
- Keep your browser updated. See browser downloads.
- Be aware of security alerts. Enter you're browser's name + “security” into Google Alerts to be notified of any emerging security issues.
- Be cautious when installing plug-ins (like Adobe Reader and Flash) and (like Privacy Badger and Firebug). Regularly check your plugins for vulnerabilities, particularly Flash, Java and Adobe Reader.
- Ensure you have a current and effective security suite installed on your computer. Infected websites, misleading downloads and potentially unwanted programs (PUPs) are primary sources of infection.
Update Your Browser
Whether you use Firefox, Internet Explorer or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
- They are more likely to have security concerns addressed.
- Support for newer hardware and operating systems is usually only provided for current-level browsers.
- The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
- Users are driving demand for newer features which is unlikely to be added to older versions.
Firefox Rapid Deployment
In 2011, Firefox began a program of RapidRelease program. This meant relatively frequent updates (every six weeks) to new major versions of Firefox compared to other browsers.
While the rapid deployment of major upgraded to Firefox over the last while has been annoying, particularly for Firefox addon developers. Both Chrome and Internet Explorer use automatically update their browsers using methods that may be less noticeable than RapidRelease.
- RapidRelease has also allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
- Nightly builds allow developers to experiment with features without endangering the average user.
- Problems noticed in any upgrade that couldn't be fixed with a minor release could be fixed within 6 weeks rather than a year or longer (as is typical of browser release schedules).
Better Encryption
Newer browsers also have 128-bit RSA encryption which provides better security than what was available in much older browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.
However, better encryption won't help if you use poor passwords and don't use security software like firewalls, antivirus and antispyware (often bundled together).
HTTPS Secure Protocol
The HTTPS using the SSL protocol is safer than unsecured HTTP:
SSL, or Secure Sockets Layer, is the predecessor to TLS, or Transport Layer Security. SSL has three versions, which are all considered insecure due to flaws in their design. TLS was created to address the weaknesses in the SSL protocol.
It is worth noting that SSL is still in use today — in spite of it's inherent weaknesses. The support for SSL v2.0/3.0 in a servers SSL/TLS stack is intended for backwards compatibility. Of course this support was the target of the POODLE attack. — DZone
HTTPS Everywhere
Many privacy advocates have advocated using the HTTPS protocol for some time now. The Electronic Freedom Foundation developed HTTPS Everywhere to check for the availability of an HTTPS server where it is available.
Using HTTPS is strongly recommended, particularly where you're sharing public Wi-Fi like in a coffee shop and wherever you're exchanging private information.
HTTPS Can Be Spoofed
While HTTPS is secure, those running corporate and educational institutions can spoof the authentic sites' security certificate.
The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted…and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.
Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances.” These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security. — Gibson Research Corporation
Find out if your employer, school, or Internet provider eavesdropping on your secure connections using a fingerprinting comparison of the authentic and actual security certificates.
- How to tell if my connection is secure from Firefox. See also Mixed content blocking in Firefox.
- Look for See if the site is using a secure connection (SSL) in Google Chrome Website settings (you'll need to scroll down the page).
- How to redirect an HTTP connection to HTTPS for Outlook Web Access clients from Microsoft.
Providing HTTPS Access
For website owners to provide HTTPS access they need to purchase a security certificate, an added expense that only major sites have been able to afford.
Many sites use external resources like PayPal to process credit card information for exactly this reason.
Google is now encouraging the widespread use of HTTPS and the cost of the security certificates has dropped dramatically in recent years.
Browser Security Risks
Information is provided on known weaknesses of various web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.
- Check for Internet Explorer Security Bulletins for news about flaws.
- Check the Security Updates for Mozilla Products including Firefox and Thunderbird.
- Check for Security, Privacy and Cookies in Opera.
- How browsers store your passwords (and why you shouldn't let them).
Other Security Information
You may also wish to correct known potential security risks associated with various browsers found by other parties.
- Secunia Research's Online Software Inspector checks for vulnerability in a number of programs including common browsers and email programs. Offline Personal and Corporate Software Inspectors are available.
Older Browsers
While many of the issues with older browsers are intricate enough to only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.
Microsoft finally released a standards-compliant version of Internet Explorer (starting with version 8) which still has the ability to view older sites as intended using Compatibility View. These only work with sites built to look good in Internet Explorer at the expense of other browsers so I'd recommend leaving Compatibility View disabled if you are assessing the effectiveness of websites in order to fairly judge them.
Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.
Assessing Risks
The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.
- Qualys will check your browser for vulnerabilities.
- Check to see if your Firefox plugins are up to date.
Email Weaknesses
Recommended Email Software
To avoid security issues with email software, download and use one of my recommended email programs or move to webmail (ensuring that your passwords are secure enough).
Outlook Problematic
There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.
Older Versions Less Safe
The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.
Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.
However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.
Reducing Your Risk
If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.
Support for Office 2003 and earlier has expired. Office 2007 loses support on October 10, 2017.
- Keep your computer updated by using Microsoft Update.
- Search the Microsoft Support Lifecycle to learn when each version of Office (and therefore Outlook) loses support from Microsoft.
Disable Windows Scripting Host
Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.
Webmail Security
Connect Using HTTPS
Using the HTTPS protocol is strongly recommended for your webmail service, particularly where you're sharing public Wi-Fi like in a coffee shop.
Use Secure Passwords
If you choose webmail, be sure to use unique secure passwords. Webmail accounts are accessible to anyone.
Choose Your Own Recovery Questions
The sorts of questions used for recovery of lost passwords are often posted by their users on Facebook and other social media sites without the owner realizing the risks to both identity theft and to the methods commonly used to recover lost passwords.
Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.
www.RussHarvey.bc.ca/resources/websecurity.html
Updated: September 10, 2016
