Web Security

Vulnerabilities in Internet Software


Web Security Affects You

Web security is not a new issue, but increases in e-commerce and the fact that more folks are using broadband (always-connected) access have created the need to improve security. There are serious flaws in some browsers, which are further aggravated by security holes in Windows.

While the information on this page may not be light reading, I recommend that you peruse it. Ignore it at your own peril.

Security Weaknesses in Web Browsers

Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web (the World Wide Web) you are exposed to scripts and more that can be intentionally or unintentionally dangerous.

Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).

Use the Most Recent Browser


Whether you use Internet Explorer or Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

Use Browsers with Better Encryption

If you can meet the license requirements for the 128-bit RSA encryption for Firefox (and other Mozilla-based) or Internet Explorer Web browsers, this will provide better security than the 56-bit international versions. Most financial institutions will insist on this level of encryption before you can use their on-line services.

Internet Explorer 6 Too Old

IE 6 Isn't Safe

Bring Down IE6

“Internet Explorer 6, which according to the W3school Web browser survey, is still used by over 14% of all Web users is the least safe browser out there. How bad is it? There's a group encouraging Web sites to tell you to dump IE 6. Heck, even Microsoft wants you to get rid of IE6 in favor of IE 7 or IE 8.”
ITworld

IE6 is Holding Back the Web

Internet Explorer 6 is now holding back development of the Web because it doesn't support many of the more recent advances in web design that would allow for a richer user experience. As well, developers are spending a disproportionate amount of time catering to the special requirements to make IE 6 display properly — particularly considering the diminishing user base.

Browser-Security Risks

Browser Security Updates

Information is provided on known weaknesses of various Web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.

Other Security Information

You may also wish to correct known potential security risks that other parties have found in various browsers.

Older Browser Issues

While many of the issues with older browsers are intricate enough to only interest Website designers and browser technicians, older browsers will often incorrectly display newer Websites, if they can display them at all.

Microsoft has finally released a standards-compliant version of Internet Explorer (version 8), which also has the ability to view older sites as intended using Compatibility View. Compatibility View only works with sites built to look good in Internet Explorer at the expense of other browsers, and I'd recommend leaving it disabled if you have to assess the effectiveness of websites, so that you can judge them fairly.

Even if you are willing to put up with increasing difficulties with display issues, you cannot walk away from the security dangers of using older, unpatched browsers.

Assessing Your Risk

The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files if prompted to do so.


Security Weaknesses in E-mail Programs

Outlook and Outlook Express Not Recommended

There are security issues with all e-mail programs, but these are most pronounced in Outlook and Outlook Express because Microsoft products are so tightly tied together.

Outlook Express Obsolete

Because Outlook Express is pre-installed in Windows XP, most users continue to use it without checking for any other options.

Outlook Express is a legacy of Internet Explorer 6 — Microsoft has ceased development and support. Windows Mail was included with Windows Vista, but there is no native e-mail program for Windows 7.

Outlook — It Depends

The vulnerability of Outlook depends upon the version. Earlier versions suffer from the same weaknesses as the Internet Explorer family.

However, Outlook went back to using MS Word for HTML rendering in Office 2007 and this is no longer true for that version. The caveat about the interlinking of Microsoft products continues to be a security concern as a weakness in any one affects them all.

Recommended E-mail Software


Instead, download and use one of the alternative e-mail programs that meet your needs.

I strongly recommend either PocoMail/Barca, for its ease of use and especially because it was built from the ground up with security in mind, or Thunderbird.

Barca is the same as PocoMail except that it adds a calendar and other features similar to Microsoft Outlook.


Thunderbird is a free e-mail program from Mozilla, the same folks that make the Firefox browser. This program would suit users not needing the extras provided in commercial products. If Outlook Express worked for you, then Thunderbird will too.

Reducing Your Risk If Using Outlook Express

If you continue to use Outlook (especially for the PIM features) or Outlook Express, you should reduce your risk with the following changes to settings.

Windows Scripting Host enables Outlook Express to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for the majority. You can disable Windows Scripting Host by following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.

To turn off ActiveX in Outlook Express:

To turn off ActiveX in Outlook:


More About Related Issues

Protecting Your Online Identity

The following related pages offer more information about protecting your online identity:

Securing Your Computer

The following related pages offer more information about securing your computer:


www.RussHarvey.bc.ca/resources/websecurity.html
Updated: July 23, 2010