Browser Weaknesses | Email Weaknesses | Why It Matters
All trademarks, company names or logos are the property of their respective owners.
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be dangerous (intentionally or otherwise).
Today's websites bring together information from many sources — most no longer controlled by the site owners. This increases the vulnerability to site visitors.
Choose a browser based upon its security rather than its popularity or its being the default included on your computer. Be sure to update it regularly. I recommend Firefox because Mozilla is committed to protecting your privacy
Not only do older browsers contain known vulnerabilities, but they are not capable of delivering an optimal experience on modern websites.
Do NOT use Internet Explorer. It is obsolete and unsafe to use.
Too many programs — including tax software — call IE directly rather than the default browser chosen by the user. Malware, spyware and viruses do the same, making it a major gateway to infection.
Web browsers all have some weaknesses and design issues.
The severity can be aggravated by how frequently security updates are provided as well as how tightly the browser has been tied into the operating system.
Most studies are commissioned by the browser developer using tests that focus on the areas where the developer's product will perform the best.
NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks. If no single browser is bulletproof, the next best thing is to make your favorite browser is as secure as possible.
— Check Point blog
No matter which browser you choose, you'll want to ensure that you've optimally secured the browser. Here's five suggestions:
Infected websites, misleading downloads and potentially unwanted programs (PUPs) are primary sources of infection.
Whether you use Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
In 2011, Firefox began releasing a new major version of Firefox approximately every six weeks.
While this rapid deployment has been annoying (particularly for Firefox extension developers) it has many benefits:
Chrome and Microsoft Edge automatically update their browsers using methods that may be less noticeable than Firefox's. Major updates are generally released annually.
Most modern browser check for updates when you inquire about which version they are running or provide a “check for updates” option:
Newer browsers also have 128-bit RSA encryption which provides better security than what was available in legacy browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.
However, better encryption won't help if you use poor password hygiene and lack security software with multifaceted and realtime protection.
HTTPS is a secure version of the HTTP protocol that uses the SSL/TLS protocol for encryption and authentication.
The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering.
— Wikipedia
The Electronic Freedom Foundation developed HTTPS Everywhere to check for the availability of an HTTPS server where it is available.
Using HTTPS is strongly recommended, particularly where you're sharing public WiFi like in a coffee shop and wherever you're exchanging private information.
While HTTPS is secure, those running corporate and educational institutions can spoof the authentic sites' security certificate.
The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted…and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances.” These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security.
— Gibson Research Corporation
Find out if your employer, school, or Internet provider eavesdropping on your secure connections using a fingerprinting comparison of the authentic and actual security certificates.
For website owners to provide HTTPS access they need to purchase a security certificate, an added expense that only major sites have been able to afford until recently.
Many sites use external resources like PayPal to process credit card information to avoid the need for more robust security on their own servers.
The cost of the security certificates has dropped dramatically in recent years and Google encouraged the widespread use of HTTPS by downgrading HTTP sites in search results.
The various web browsers in use all have known weaknesses. Check these sites for news about security vulnerabilities and privacy issues:
Your browser's prompt to save passwords is convenient but the process used is unsecure and should be replaced with a secure password manager.
I recommend Bitwarden.
JavaScript is used by many websites to improve the user experience by making them more interactive. Most common are log-in and information-gathering forms.
Unfortunately, poor security leaves the end-user and their private data vulnerable to exploitation.
The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records.
— Tech Republic
Firefox, like many modern browsers, has replaced vulnerable plugins that can slow or crash your browser with new features built into HTML5.
Qualys BrowserCheck will perform a security analysis of your browsers and plugins. It can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.
While many of the issues with older browsers only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.
Microsoft's Internet Explorer is retained because it still has the ability to view older sites as intended using Compatibility View. However, even Microsoft no longer classifies Internet Explorer as a modern (or safe) browser.
Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.
Don't use obsolete (unsupported) email programs. New vulnerabilities remain unpatched in unsupported software.
To avoid security issues with email software, download and use one of my recommended email programs.
Alternatively, move to webmail with the following caveats:
There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.
The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.
Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.
However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.
If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.
Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.
Using the HTTPS protocol is strongly recommended for your webmail service. It is critical when you're sharing public WiFi like in a coffee shop.
A VPN is strongly recommended when you don't control the network you're using.
Be sure to use unique secure passwords for your Webmail account and enable multifactor authentication. Webmail accounts are accessible to anyone with your email address plus password.
The sorts of questions used for recovery of lost passwords are often posted by their users on social media sites without the owner realizing the risks to both identity theft and to the methods commonly used to recover lost passwords.
Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.
In the last 20 years websites have moved from static information sites to interactive and dynamic sites, many of which import content directly from external sources.
Your computers, mobile phones, tablets and other connected devices are an integral part of the Internet whenever they are powered on.
The surveillance economy has replaced traditional markets. Data collection is widespread and your personal profile is the currency.
Scripts and analytics abound.
The old days of embedded ads is gone forever.
Sites submit whatever data they have on you to numerous third-party advertisers to bid in realtime for targeted ads. This is why they whine about ad blockers.
Few of these third-party sites have a privacy policy; many are more interested in collecting your profile than bidding for the advertising space.
What's worse, Google and Facebook control some 90% of the advertising revenue and the rest scramble for the crumbs while blaming ad blockers for reduced revenues.
There are serious flaws in some browsers, which is further aggravated by security holes in Windows and serious flaws in some websites.
Governments and hackers alike take advantage of zero-day exploits.
Many of these go unreported and remain unfixed so these malicious actors can continue to use them.
In today's always-connected world, you need excellent realtime security software combined with a best-effort to remove and patch vulnerabilities via software updates.
Web browsers cannot protect you adequately unless you learn how to optimize their security settings and beef up security where needed.
Your choice of browser matters.
Choose a browser for privacy and security, not because it is already on your device or because it is popular. Google Chrome has replaced Internet Explorer as the default browser for many, exposing them to extensive data tracking and profiling.
Whichever browser you choose, follow these security principles:
Newer hardware supports better encryption and security features such as biometric login.
The largest vulnerability remains the end user who refuses to use strong passwords, isn't vigilant of phishing attempts and is careless with security protocols.
You must discipline yourself to be careful when choosing your downloads, what links you click on as well as what you share on social media and elsewhere.
To remain safe, learn more about preventing unauthorized access and security strategies.
On this site:
Return to top
RussHarvey.bc.ca/resources/websecurity.html
Updated: August 21, 2024