Browser Security  

Should Secure The Browser ?browser security

In today’s cyber world there is a huge dependency on Internet for performing most of our day-to-day activities which include social engineering, exchange of emails for communication of information, online financial/business transaction,etc. To use Internet  for all these purposes we use browser which acts as a window to internet, so there is a need to secure the browser.

Here comes a point of believe and blame.
While one believes a website and perform all their important activities on the site, if something goes wrong, immediately the same website owner is blamed for the loss. In contradiction to this, the website owners have chances to deny his website issues and blame the end user claiming that, the end user have not secured his browser or not taken enough precautionary measures while performing online activity and thus it’s the end user fault and not the website fault. Whereas, the problem is on both sides.

The Terminology PICNIC can be used to elaborate this situation.


PICNIC => Problem In Chair Not In Computer  <--> Problem In Computer Not In Chair

Where Chair depicts the end user who is using the web application through his browser and Computer depicts the Actual Web Application/website accessed by end user.

As an example, let us consider the most famous Tabnapping Attack. It’s a way of inserting invisible iframes into the browser tabs which are left idle. IFrame (Inline Frames) insertion is a procedure of including external objects like webpages, JavaScript etc into the webpage.

While browsing, everyone have a common notion of opening multiple browsers/tabs and do many things in parallel. While browsing with multiple tabs/browser open, there could be a situation that one or two tabs are left idle, and when the user is back to this tab which is left idle and start doing his activities like click on links or entering some text without refreshing the page, the site does not respond to his clicks or keying, after trying twice or thrice, he/she would reload the webpage, try to click or enter text and then the site starts responding, thus the user continues the job as usual. Within this time span, the users clicks or input done earlier before reloading the page were hit by the invisible iframe which was inserted into the webpage without the user’s knowledge. This iframe in turn could have some malicious code running which can hack browser cookies, act as keylogger etc. Thus the user credentials or other details are hacked.

In this attack should we think that it’s the problem of the End user (Chair) who accessed a website without reloading, OR it’s the problem with the application (Computer) which allowed hidden iframe insertion into it or doesn’t reload itself periodically? Where does the problem exist…?

Ofcourse,  it’s the  “Problem In Chair & In Computer” !
Both have their own misbehaviour.

Let’s understand the Browser security from both the Ends of the Internet communication.
Firstly, the Website which is offering services to end users are to be built securely. In the early days organizations performed site’s functionality and performance testing and get certified, later with the importance of security, people started concentrating on security aspects of the application also and thus performing security testing as well, so that people can safely use the services offered by their website.

But are these security checks done frequently or are they repeated when any small new module or feature added to the website?? Are they checking about, how is their application behaving at client side, in various browsers? Even If the client ignores security aspects at his browser does your application behave securely?

These points are usually ignored as they are time consuming and effortful jobs, wherein these points play a major role for organizational security and providing security to end users data.

The developer has to develop the web application by considering all the above points and perform frequent security checks and web administrator has to take care about its secure deployment. Secure deployment is something related to the environment where and how the application is deployed, which is apart from general application security. There are many secure configurations which are to be enabled within the webserver to stop various client based attacks. This is usually done by setting some special non-standard HTTP Response Headers like X-Frame-Options, X-XSS-Protection and by using cookies like HTTPOnly, Secure Cookie etc.  Following is brief about them.

X-Frame-Options
Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch
X-XSS-Protection
Cross-site scripting (XSS) filter
X-Content-Type-Options
The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions

These HTTP Response Headers saves the application to get affected from some browser based attacks and thus protects the client/end user information keeping their trust intact.

Coming to the other side of the Internet Communication,  An Internet User.

As an Internet User, one has to definitely be aware of various internet risks and safe browsing techniques. The Browser which is the base application to access Internet has to be configured securely by enabling all available security features and follow safe behaviour while browsing. Having a blind believe on the organization or the website is not a good practice as once lost is lost. Being aware of the things before something goes wrong is always a good sign. As our elders say, Prevention is better than cure. It applies everywhere.

By assuring yourself that you follow the following points, Internet facilities can be utilized safely and securely.

  • Set your browser to delete cookies on closing the browser.
  • Before doing online transactions, make sure to close all the open browsers, tabs and applications. Freshly open a new browser window and start doing online transactions.
  •  Refresh your browser/tab before performing any activity when left it ideal for some time
  • Disable pop-ups.
  • Never select Remember Password option in your browser.
  • Enable automatic updates for your browser.
  •  Do not click on advertisements which open up in new small window. Close them immediately on clicking the (X) mark in top right of the browser.
  • Do not click on links or move your mouse over links which you are not aware of.
  • Accessing a website by entering its URL in the address bar is the best way to avoid phishing attacks.
  •  Never access Bank websites or any other important website through Search engine generated results. If needed, cross verify its URL before clicking on them by seeing at the bottom of the search result text.

Thus Browser Security is to be dealt with Application and the End User. It’s not a one man job to walk away smoothly across the Internet.


Secure your Browser!
Secure your Website!
Benefit out of the Internet!
Happy Browsing...

Ref: www.wikipedia.org

Address

Centre for Development of Advanced Computing, (C-DAC)
Plot No. 6 & 7, Hardware Park, Sy No. 1/1, Srisailam Highway, Pahadi Shareef Via Keshavagiri (Post) Hyderabad - 500005

Phone

Phone: 040-23737124/25
Mobile: 040-23737124/25

TollFree

1800 425 6235

Email Address

isea[at]cdac[dot]in