Saturday, August 6, 2011

Security+ Topic - Browser Add-Ons

We all love our browsers and the things they are able to do for us. For the general user, a browser lets them check Facebook, Google for something, and the list goes on and on. A lot of these people will also have little browser add-ons that they use to enhance their internet experience. While this is great and all, there are still issues that need to be addressed from a security standpoint. Security professionals are having to deal with new types of attacks that are very different from your standard username and password attacks. Everything from the secure connection to the server, ActiveX, buffer overflows, CGI scripting, cookies, cross-site scripting, input validation, Java applets, JavaScript, and popups makes even the most security-aware person check their knowledge twice about just how secure they are when browsing the internet.


Just how safe am I and are these issues really relevant to me?


Being secure in an insecure environment is the end goal here. One of the first steps is to use Secure Sockets Layer (SSL) and Transport Layer Security (TLS). This is most interesting to me, as you will still see a lot of sites that just don't want to use HTTPS for their clients. The way I look at it is that if you are not looking out for the protection of my data, why would I do business with you? Even for your internal network it is important to implement HTTPS. Programs are available that listen to the network and then give you a list of the usernames and passwords they find during the course of just sitting there. Yes, switched networks help to mitigate this, but they are not a complete solution. There are even browser extensions (as we are on the subject) that check whether a website has HTTPS functionality and switch you over to the secure connection for you.

Cost is always a factor. Why pay for certificates for your internal network when it's just employees logging in? Because the credentials are still being sent in clear text. Recently I read a forum post where they said 99% of their company had gone to wireless connectivity and they were loving it. The security portion of my brain immediately put up a red flag and worried very much for their company. Here is the deal (and a topic for another discussion): wifi packets can be captured now and decrypted in the future. So you may be secure right now, tomorrow, or even next week, but what if the encryption is broken tomorrow? Your competitor or enemy could have been gathering packets for this very moment to happen, and now all your secrets are theirs because they had been collecting packets for the last 6 months. Anyway, moving on with browser add-ons...


Add-ons add functionality to your browser that provides a better user experience. The problem is that things like buffer overflows and CGI scripts can cause havoc on systems that are not hardened. Some web interfaces were never designed with much security in mind, as they were only supposed to be used by the programmers and their co-workers. Fast forward a few years down the road, and now someone has decided it would be good for the entire company to use. Now you have an interface that could be subject to buffer overflows due to a lack of input validation, or CGI scripts that execute malicious code because they are set up with overly broad permissions.


I recently added an add-on to my browser to keep people from tracking me. While not all tracking is done with cookies, they are still a common method for data miners to push advertisements on you. The same goes for cross-site scripting: a site you visit may choose to do a little digging of its own to see what you are currently looking at in other tabs. Taken one step further, it could even use your session to get into a site in the background that you don't even know about.


Some add-ons are good and some can create a problem. Either way, it would be in your best interest to get some of the good ones so that you can protect yourself from potential threats.

-- Joe McShinsky
