Russ Harvey Consulting - Computer and Internet Services

Vulnerabilities in Internet Software

Browser Weaknesses | Email Weaknesses | Why It Matters

Vulnerabilities in Internet software.

Web Browser Weaknesses

Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be dangerous (intentionally or otherwise).

Today's websites bring together information from many sources which are often not controlled by the site owners. This increases the vulnerability to site visitors.

Internet Explorer Obsolete

Internet Explorer is an obsolete browser that is still present on Windows 10. The fact that Internet Explorer warns you about the risks of running content located on your computer will tell that can also be unsafe.

Too many programs — including tax software — call it directly (a major weakness in Windows) rather than requesting the default browser. Malware, spyware and viruses do the same, making it a major gateway to infection.

Use a Modern Browser

Choose a browser based upon its security rather than its popularity or its being the default included on your computer. Be sure to update it regularly. I recommend Firefox because Mozilla is committed to protecting your privacy

Not only do older browsers contain known vulnerabilities, but they are not capable of delivering an optimal experience on modern websites.

All Browsers Have Weaknesses

Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system.

Which Browser Is the Most Secure?

Most studies are commissioned by the browser developer using tests that focus on the areas where the developer's product will perform the best.

NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks. If no single browser is bulletproof, the next best thing is to make your favorite browser is as secure as possible. — ZoneAlarm Blog

No matter which browser you choose, you'll want to ensure that you've optimally secured the browser. Here's five suggestions:

  1. Configure your browser's security and privacy settings. See Securing Your Web Browser from U.S. Homeland Security and How to beef up your Chrome and Firefox security from CNET.
  2. Keep your browser updated. See browser downloads.
  3. Be aware of security alerts. Enter you're browser's name + “security” into Google Alerts to be notified of any emerging security issues.
  4. Be cautious when installing browser extensions.
  5. Plugins are vulnerable and being replaced with safer technologies.
  6. Ensure you have a current and effective security suite installed on your computer.

Infected websites, misleading downloads and potentially unwanted programs (PUPs) are primary sources of infection.

Update Your Browser

Whether you use Firefox or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

  • They are more likely to have security concerns addressed.
  • Support for newer hardware and operating systems is usually only provided for current-level browsers.
  • The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
  • Users are driving demand for newer features which is unlikely to be added to older versions.

Firefox Rapid Deployment

In 2011, Firefox began releasing a new major version of Firefox approximately every six weeks.

While this rapid deployment has been annoying (particularly for Firefox extension developers) it has many benefits:

  • RapidRelease has allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
  • Nightly builds allow developers to experiment with features without endangering the end user's experience.
  • Problems that couldn't be fixed with a minor release could be fixed within six weeks rather than the year or longer typical for other browsers.

Chrome and Microsoft Edge automatically update their browsers using methods that may be less noticeable than Firefox's. Major updates are generally released annually.

Better Encryption

Newer browsers also have 128-bit RSA encryption which provides better security than what was available in legacy browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.

However, better encryption won't help if you use poor password hygiene without security software with multifaceted and realtime protection.

HTTPS Secure Protocol

The HTTPS (notice the S) which uses the SSL protocol is safer than unsecured HTTP:

SSL, or Secure Sockets Layer, is the predecessor to TLS, or Transport Layer Security. SSL has three versions, which are all considered insecure due to flaws in their design. TLS was created to address the weaknesses in the SSL protocol.

It is worth noting that SSL is still in use today — in spite of it's inherent weaknesses. The support for SSL v2.0/3.0 in a servers SSL/TLS stack is intended for backwards compatibility. Of course this support was the target of the POODLE attack. — DZone

HTTPS Everywhere

Many privacy advocates have lobbied for the HTTPS protocol for some time now. The Electronic Freedom Foundation developed HTTPS Everywhere to check for the availability of an HTTPS server where it is available.

Using HTTPS is strongly recommended, particularly where you're sharing public WiFi like in a coffee shop and wherever you're exchanging private information.

HTTPS Can Be Spoofed

While HTTPS is secure, those running corporate and educational institutions can spoof the authentic sites' security certificate.

The presence of the unbroken key or the lock icon on the web browser once meant that the connection between the user and the remote web server was authenticated, secured, encrypted…and not susceptible to any form of eavesdropping by any third party. Unfortunately, that is no longer always true.


Private institutions—corporations, schools, and other organizations—have responded to this “loss of visibility” into every detail of their employees' and students' Internet usage by deploying new technology known as “HTTPS Proxy Appliances.” These devices circumvent our most basic assumption and guarantee of Internet browser privacy and security. — Gibson Research Corporation

Find out if your employer, school, or Internet provider eavesdropping on your secure connections using a fingerprinting comparison of the authentic and actual security certificates.

Providing HTTPS Access

For website owners to provide HTTPS access they need to purchase a security certificate, an added expense that only major sites have been able to afford.

Many sites use external resources like PayPal to process credit card information for exactly this reason.

Google is now encouraging the widespread use of HTTPS and the cost of the security certificates has dropped dramatically in recent years.

Browser Security Risks

Information is provided on known weaknesses of various web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you. Check these sites for news about security vulnerabilities and privacy issues:

Browsers Store Passwords Insecurely

Your browser's prompt to save passwords is convenient but the process used is unsecure and should be replaced with a secure password manager.

I recommend LastPass. The basic service is free but the premium version offers more features.

JavaScript Issues

JavaScript is used by many websites to improve the user experience by making them more interactive. Most common are log-in and information-gathering forms.

Unfortunately, poor security leaves the end-user and their private data vulnerable to exploitation.

The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records. — Tech Republic

Other Security Information

Firefox, like many modern browsers, is in the process of replacing vulnerable plugins that can slow or crash your browser with new features built into HTML5. Support for Flash, Java and similar technologies be mostly gone by the end of 2020.

Qualys BrowserCheck will perform a security analysis of your browsers and plugins. It can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.

Older Browsers

While many of the issues with older browsers only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.

Microsoft's Internet Explorer is retained because it still has the ability to view older sites as intended using Compatibility View. However, even Microsoft no longer classifies Internet Explorer as a modern (or safe) browser.

Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.

Return to top

Email Weaknesses

Recommended Email Software

Don't use obsolete (unsupported) email programs. Security patches are not being generated for new vulnerabilities.

To avoid security issues with email software, download and use one of my recommended email programs.

Alternatively, move to webmail with the following caveats:

  • You need to use a long and strong password because they are always accessible world-wide.
  • Realize that you are the product when using a free webmail program (the host is usually collecting a profile to sell to advertisers).
  • Because your mail is not on your computer, you have no control over where it is stored and you may lose access to it at any time.
  • The “cloud” is not some island in the sky. Many large servers have been hacked and they seldom use security as strong as they do for their own content.

Outlook Problematic

There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.

Older Versions Less Safe

The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.

Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.

However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.

Reducing Your Risk

If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.

Support for Office 2007 and earlier has expired. Office 2010 loses support on October 10, 2020; Office 2013 on April 11, 2023.

Disable Windows Scripting Host

Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.

Webmail Security

Connect Using HTTPS

Using the HTTPS protocol is strongly recommended for your webmail service, particularly where you're sharing public WiFi like in a coffee shop.

A VPN is strongly recommended whenever you don't control the network you're using.

Use Secure Passwords

If you choose webmail, be sure to use unique secure passwords. Webmail accounts are accessible to anyone with your email address plus password.

Choose Your Own Recovery Questions

The sorts of questions used for recovery of lost passwords are often posted by their users on Facebook and other social media sites without the owner realizing the risks to both identity theft and to the methods commonly used to recover lost passwords.

Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.


Why It Matters

In the last 20 years websites have moved from static information sites to interactive and dynamic sites, many of which import content directly from external sources.

You're Being Tracked

Scripts and analytics abound.

Your profile is shared with realtime advertisers (few of which have a privacy policy) for bidding.

The surveillance economy has replaced traditional markets. Data collection is widespread and your personal profile is the currency.

Vulnerabilities Abound

There are serious flaws in some browsers, which is further aggravated by security holes in Windows and serious flaws in some websites.

Governments and hackers alike take advantage of zero-day exploits.

Many of these go unreported and remain unfixed so these actors can continue to take advantage of them.

Security Software

In today's always-connected world, you need excellent realtime security software with a best-effort to remove and patch vulnerabilities.

Security Settings

Web browsers cannot protect you adequately unless you learn how to optimize their security settings and beef up security where needed.

Your choice of browser matters, but you must also follow these security principles:

Newer hardware supports better encryption and security features such as biometric login.

User Error

The largest vulnerability remains the end user who refuses to use strong passwords, be vigilant of phishing attempts and is careless with security protocols.

You must also discipline yourself to be careful when choosing your downloads, what you click on as well as what you share on social media and elsewhere.

Learn more about preventing unauthorized access and security strategies to keep your safe.

Related Resources

Related resources on this site:

or check the resources index.

If these pages helped you,
buy me a coffee!


Return to top
Updated: March 17, 2021