Browser Security

What is a Web Browser?

A web browser is a software application used to access information and resources on the World Wide Web; it locates and displays web pages. The main purpose of a web browser is to bring information resources to the user. An information resource is identified by a Uniform Resource Identifier/Locator (URI/URL) and may be a web page, image, video or other piece of content. Web browsers are used not only on personal computers and laptops but also on mobile phones to access information.

Uniform Resource Locator (URL)

The URL looks like http://www.infosecawareness.in

Each URL is divided into different sections, as shown below:

http:// – http is short for Hypertext Transfer Protocol and indicates that the file is a web page. You do not need to type http:// every time; the browser inserts it automatically.

www – notation used for the World Wide Web.

infosecawareness – the web site name.

.in – one of the domain names; it is basically a country name.

Other domain names are .com (commercial organization), .net (network domain), etc.

(The organization address and the location of the organization address are known as the domain name.)

co.in – a suffix or global domain name that shows the type of organization address and the country of origin; for example, the suffix co.in indicates a company in India.

Generally, a web browser connects to a web server and retrieves information. Each web server has an IP address. Once you are connected to the web server using http, the browser reads the HyperText Markup Language (HTML), the language used to create documents on the World Wide Web, and displays the document.

In short, a browser is an application that provides a way to look at and interact with all the information on the World Wide Web.

Types of Web Browsers:

There are different types of web browsers available with different features.

Some of the popular web browsers are:

Internet Explorer:
It is known as Microsoft Internet Explorer, or IE for short. It comes pre-installed on all Windows computers. It is one of the most popular web browsers, and the latest edition, IE 11, is available on the Internet. It can be installed on Windows operating systems such as Windows 7, Windows 8, Windows Vista and Windows Server.

Mozilla Firefox:
It is a free, open source web browser developed by Mozilla Corporation. It is said to be stable and safer, and less prone to security breaches, viruses and malware than Microsoft Internet Explorer. The browser can be used on different operating systems such as Windows, Linux and Apple Mac.

Google Chrome:
It is a web browser designed for the Windows operating system. This browser works on Windows Vista, Windows 7 and Windows 8. Chrome can also be downloaded and installed on OS X or Linux operating systems.

Safari:
It is a web browser developed by Apple Corporation. It is the default web browser of Mac OS X. This browser also works on all Windows flavours. Apple maintains a plug-in blacklist that it can remotely update to prevent potentially dangerous or vulnerable plug-ins from running.

Why secure your Web Browser?

Today, web browsers such as Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari are installed on almost all computers. It is easy to notice the increasing threat from online criminals who try to take advantage of web browsers and their vulnerabilities. Because web browsers are used so frequently, it is very important to configure them securely. Often, the web browser that comes with an operating system is, in its default settings, not set up in a secure configuration.

Securing the browser is the first step that needs to be taken to assure secure online protection. There is an increase in the number of threats that take advantage of vulnerabilities present in web browsers through the use of malicious websites. This problem is made worse by a number of factors, including the following:

  • Many computer users are not aware of the risks of clicking on web links.
  • Installed software and third-party software packages together increase the number of vulnerabilities.
  • Many websites require that users enable features or install more software, often third-party software which does not get security updates, putting the computer at additional risk.
  • Many users do not know how to configure their web browsers securely.

Web Browser Risks and Case Studies

Browsers are used to access various web pages and have a complete online experience. Browsers come with some features enabled by default to improve our online sessions, but at the same time these options create a big security risk for our operating systems and databases. Online criminals use available vulnerabilities in the browser and in its additional features to control operating systems, retrieve private data, damage important system files or install data-stealing software.
Some of these features are important for the browser’s functionality; the user should understand their importance and enable or disable them to secure the browser.

Browser Cookies:

A cookie is used to identify a website user. A cookie is a small piece of text sent to a browser by a website accessed through the browser. It contains information about that visit, such as the preferred language for the visited website and other settings. The browser stores this data and uses it when accessing the features of the website, or the next time the same site is visited, to make the access more personalized. If a website uses cookies for authentication, then an attacker may be able to obtain unauthorized access to that site by obtaining the cookie.

Case 1:
Shania visited a movie website and indicated that she is interested in comedies. The cookies sent by the website remembered her choice, and when she visited the same website the next time, she saw comedies displayed on the website.

Case 2:
When users log in to a Web site, they enter their username and password into a login page and, if they are authenticated, a cookie is saved that allows the Web site to know the users are already logged in as they navigate around the site. This permits them access to any functionality that may be available only to logged-in users, probably the primary use of cookies at this time.

Case 3:
Online shopping carts also use cookies. As you browse for DVDs on that movie shopping site, for instance, you may notice that you can add them to your shopping cart without logging in. Your shopping cart doesn’t “forget” the DVDs, even as you hop around from page to page on the shopping site, because they’re preserved through browser cookies. Cookies can be used in online advertising as well, to remember your interests and show you related ads as you surf the web.
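
The following added example (not code from the original page) ties the URL breakdown above to the cookie risk described in this section: it reduces a host name to its site name plus suffix, decides whether a cookie is first-party or third-party for the page being visited, and lists the protections an authentication cookie is missing. The helper names (siteOf, parseSetCookie, auditCookie), the sample headers, the host ads.example and the small suffix set standing in for the Public Suffix List are assumptions made for this example; Secure, HttpOnly and SameSite are standard cookie attributes that the page itself does not name.

```javascript
// Added example with constructed sample data; not code from the original page.

// Tiny stand-in for the Public Suffix List (assumption: real code uses the full list).
const MULTI_LABEL_SUFFIXES = new Set(['co.in', 'co.uk', 'com.au']);

// Reduce a host name to "site name + suffix", e.g. www.example.co.in -> example.co.in.
function siteOf(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Parse one Set-Cookie header value; attribute names are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: not a usable cookie
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Classify a cookie as first- or third-party and list the protections it lacks.
function auditCookie(header, responseUrl, pageUrl) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { name: null, party: 'unknown', findings: ['unparseable header'] };
  const respHost = new URL(responseUrl).hostname;
  const pageHost = new URL(pageUrl).hostname;
  const party = siteOf(respHost) === siteOf(pageHost) ? 'first-party' : 'third-party';
  const findings = [];
  if (!cookie.attrs.secure) findings.push('no Secure: also sent over plain http');
  if (!cookie.attrs.httponly) findings.push('no HttpOnly: readable by page scripts');
  if (!cookie.attrs.samesite) findings.push('no SameSite: cross-site sending left to browser default');
  // A Domain attribute must cover the host that sent the cookie.
  const d = String(cookie.attrs.domain === true ? '' : cookie.attrs.domain || '')
    .replace(/^\./, '').toLowerCase();
  if (d && respHost !== d && !respHost.endsWith('.' + d)) {
    findings.push('Domain does not match responding host: browsers reject it');
  }
  return { name: cookie.name, party, findings };
}

// Constructed sample: cookies received while visiting one page.
const PAGE = 'http://www.infosecawareness.in/';
const SAMPLE = [
  ['SESSIONID=abc123; Path=/', 'http://www.infosecawareness.in/login'],
  ['SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax', 'https://www.infosecawareness.in/login'],
  ['track=xyz; Domain=ads.example; Path=/', 'https://ads.example/pixel'],
];

function auditSample() {
  return SAMPLE.map(([header, from]) => auditCookie(header, from, PAGE));
}

for (const r of auditSample()) {
  console.log(`${r.name} [${r.party}] ${r.findings.join('; ') || 'ok'}`);
}
```

The first sample cookie is the kind of login cookie Case 2 describes, issued without any protection; the second is the same cookie with all three attributes set.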

Pop-ups:

Pop-ups are small window panes that open automatically in your browser. Generally, they show advertising, which can be from a legitimate company but may also be a scam or dangerous software. They appear when certain websites are opened. Pop-up ads can be part of a phishing scam designed to trap you into revealing your personal or financial information as you visit web sites. Pop-ups mislead you into clicking the buttons on the pop-up window. Sometimes advertisers create a pop-up window with a button that looks similar to a close or cancel option, so when a user chooses it the button performs an unexpected action such as opening another pop-up window or performing unauthorized commands on your system.
Not all pop-ups are bad; some web sites use pop-up windows for particular tasks. You might have to view the window in order to complete that task.

Case 4:
Sarah was listening to music online. A couple of hours later, I came across a pop-up which said I could download the latest songs with only one click. I filled in the form displayed in my browser's download section. After a month, I saw my credit card bill, which showed some unauthorized charges. I was very upset and surprised, and called that particular website, from which I had downloaded the songs, repeatedly, but it was of no use.

Scripts:

Scripts are used to make websites more interactive. They are most commonly used as part of web browsers, whose implementations allow client-side scripts to interact with the user, control the browser, communicate asynchronously, and alter the document content that is displayed. There are specifications in the JavaScript standard that limit certain features, such as accessing local files.
The same scripts can be used to include malicious code that takes control of the web browser, thereby allowing access to the files on the system. Such code may damage the system by exploiting vulnerabilities in the browser.

Case 5:
Chintu used to visit the Internet for regular updates for his school work, playing games and listening to music. When playing games, I found some news popping up about Lady Gaga being found dead. When I clicked on the BBC site, a survey dialog popped up and prompted me to complete a survey form. In the survey form it was written “If you are a true fan of Lady Gaga”, click the Like button. As soon as the survey was completed, I returned to my account homepage and posted the same link so that the news would be known to my family and friends.

Plug-ins:

Plug-ins are in-built applications for use in the web browser. The Netscape web browser developed the NPAPI standard for developing plug-ins, and this standard was later used by many web browsers. Plug-ins are similar to ActiveX controls but cannot be executed outside of a web browser. Adobe Flash is an example of an application that is available as a plug-in inside the web browser.

Case 6:
For example, users may download and install a plug-in like Adobe Flash Player to view a web page which contains a video or an interactive game. But the plug-in may be installed with a key logger which captures all the keystrokes the user types in the browser and sends them to the attacker.

Browser extensions let you add new features to your browser, customising it with the features that are most important to you. In other words, they add new superpowers to the browser. For example, you may install a currency converter extension that shows up as a new button next to your browser’s address bar. Click the button and it converts all the prices on the current web page into any currency that you choose.

Adding more code to the browser also added to security concerns, as it gave attackers more chances to exploit the browser. Because the code was sometimes hidden, extensions were notorious for causing browser crashes as well.

How to secure your Web Browser?

By default, a web browser comes with the operating system and is set up with a default configuration which does not have all secure features enabled. Not securing the web browser can lead to spyware, malware, viruses, worms, etc. being installed on a computer, and this may let intruders take control of your computer.

There is a rise in threats from software attacks which take advantage of vulnerable web browsers. Some web browser software, such as JavaScript and ActiveX, may also be the cause of vulnerabilities in the computer system. So it is important to enable security features in your web browser to minimize the risk to the computer.

Security zone

The security zone feature in a web browser lets you secure the browser and choose which people and companies on the Internet to trust. It helps you decide which sites are allowed to run applications, scripts and add-ons or install plug-ins on your computer. Security zones also include other features: adding the addresses of web sites under restricted sites (available in Internet Explorer) and blocking untrusted sites or attack sites (available in Firefox). These vary between web browsers.

Trusted site

The Internet is a network of people, with all kinds of content for different kinds of people across various websites.
Generally you don’t trust everyone around you, so why trust all web sites? And why should you allow everyone to come into your computer without your authorization? Using the trusted sites feature in your web browser will help you decide whom to trust.

Internet Explorer

The following are some of the features of Internet Explorer and their settings:

  • In order to change settings for Internet Explorer, select Tools.
  • From the Tools menu of Internet Explorer, select Internet Options and then click on the Security tab. Check the current security settings and change the settings of the security zone as necessary.
  • To change the security setting, under security level move the slider up to increase the security level, and down for the medium and low levels.
  • For more settings and controls, click on Custom Level and then select the options you want.
  • From the Tools menu, if required, there is an option for Delete Browsing History, which deletes all the cookies, temp files, history, ActiveX filtering and more, as shown in the figure.
  • To add or remove trusted or restricted web sites, click on the Sites option, then click on the Add or Remove button and enter your list of sites for the selected zone.
  • The Privacy button contains settings for cookies. Cookies are text files placed on your computer's browser by various sites that you visit, either directly or indirectly through third-party web sites.
  • From the Advanced button, select “Override automatic cookie handling”. Then select Prompt for both first-party and third-party cookies. This will prompt you each time a site tries to place a cookie on your machine.
  • From the menu, select Tools, choose SmartScreen Filter, and click on “Turn on SmartScreen Filter” to enable it, which is recommended. This option is used to “Avoid phishing scams and malware”.
  • From the Tools menu, select the InPrivate filtering settings option; it is used to “Browse privately”, which does not store any browsing history.
  • In the Tools menu there is an option called Tracking Protection, which protects your information: if some websites try to track your visits or collect any of your personal information, that is stopped. This feature works based on the add-ons installed.
  • Enable Protected Mode; with this option, all web sites are opened in protected mode.
  • Select the Advanced tab and select the options you want, such as enabling “Use SSL 3.0, Use TLS 1.0”.

Mozilla Firefox

The following are the features of the Mozilla Firefox web browser and their settings.

  • Security settings in Firefox control the level of examination you’d like Firefox to give a site, and let you enter exceptions: sites that don’t need the third degree.
  • Customize settings for passwords, cookies, loading images and installing add-ons for a fully empowered Web experience, as shown below.
  • From the Tools menu of the Firefox browser, select Options and then click on the Security tab.
  • Under the Security tab, enable options such as “Warn me when sites try to install add-ons”. To add or remove sites, click on the Exceptions tab and add or remove the sites you want.
  • Enable the option “Tell me if the site I’m visiting is a suspected attack site”.
  • Enable the option “Tell me if the site I am using is a suspected forgery”. Firefox gets a fresh update of web forgery sites 48 times a day, so if you try to visit a fraudulent site that is pretending to be a site you trust, the browser shows you a message and stops you.
  • Disable the option “Remember passwords for sites”. Firefox integrated the feature into your surfing experience. Choose to “remember” site passwords without intrusive pop-ups.
  • Select the Advanced tab and enable the options on the Encryption tab in order to have secure data transfer, and use SSL 3.0.
  • Another feature is automated updates. This finds security issues and fixes them with updates to make surfing safe; you can receive automatic notification or wait until you are ready.
  • One more feature is tracking, which is under the privacy options. It stops the tracking of the activities you do in the browser; you can choose the option “Do not tell sites anything about my tracking preferences”, so that you are not tracked and your information is not shared with other websites.

Google Chrome

From the settings menu, select the Incognito window. A new window appears, and pages you view in this window won’t appear in your web browser history or search history, and they won’t leave any traces such as cookies after you close the incognito window. Any files you download or bookmarks you create will be preserved.

Chrome has a new feature: its own Task Manager, which shows you how much memory and CPU each tab and plug-in is using.

The safe browsing feature in Google Chrome displays a warning if the web address listed in the certificate doesn't match the address of the website. The following are the steps for a safe browsing setting in Google Chrome:

  • From the settings tab, select Options and click on Under the Hood.
  • Enable the option “Use a suggestion service to help complete searches and URLs typed in the address bar”.
  • Enable DNS pre-fetching to improve page load performance.
  • Enable the phishing and malware protection.
  • Under cookies, select “Restrict how third party cookies can be used”; only first-party cookie information is sent to the website.
  • Under minor tweaks, enable the option to never save passwords.
  • Under computer-wide SSL settings, enable the option use SSL 2.0.

Apple Safari

The following are the features of the Apple Safari secure web browser:

Phishing Protection
Safari protects you from fraudulent Internet sites. When you visit a suspicious site, Safari warns you about its suspect nature and prevents the page from loading.

Malware Protection
Safari recognizes websites that harbour malware before you visit them. If Safari identifies a dangerous page, it warns you about the suspect nature of the site.

Antivirus Integration
Thanks to support for Windows Attachment Monitor, Safari notifies your antivirus software whenever you download a file, image, application, or other item. This allows the antivirus software to scan each download for viruses and malware.

Secure Encryption
To prevent eavesdropping, forgery, and digital tampering, Safari uses encryption technology to secure your web communications. Safari supports the very latest security standards, including SSL versions 2 and 3, Transport Layer Security (TLS), 40- and 128-bit SSL encryption, and signed Java applications.

Automatic Updates
Get quick, easy access to the latest security updates. Safari takes advantage of Apple Software Update, which checks for the latest versions of Safari when you’re on the Internet.

Pop-Up Blocking
By default, Safari intelligently blocks all unprompted pop-up and pop-under windows, so you can avoid distracting advertisements while you browse.

Cookie Blocking
Some companies track the cookies generated by the websites you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from your current domain.

Security Extensions in Browsers:

AdBlock Plus (Firefox/Chrome)

AdBlock, as its name would imply, blocks certain scripts serving advertisements on a website. As we've mentioned before, you can tweak ABP for added security benefit by using a "malicious ad" blocklist. You can, of course, whitelist sites you want to support (ahem), but ABP also provides the more obvious aesthetic benefit of a web less cluttered with ads.

HTTPS Everywhere (Firefox)

HTTPS Everywhere from the Electronic Freedom Foundation will help you to secure the connection between your browser and the servers it is connecting to. It helps to encrypt your connection when possible, even when the default setting on the web site does not offer the added security. A good example is Twitter. The username and password input boxes are encrypted, but after that all text coming to or from the server is sent in the clear. (Very recently, Facebook added an option to always turn on HTTPS.) HTTPS Everywhere even helps to protect against hacking tools such as Firesheep.

LastPass (All Platforms)

LastPass secures another vector that hackers can use to try to gain access to your personal information: your password. When you use the LastPass browser plug-in, it stores your password, encrypted, for you and also allows you to easily generate a complicated and hard-to-crack password that is unique to a site. LastPass has a plug-in available for every browser under the sun.

NoScript (Firefox)

NoScript is a Firefox-only plug-in that does one thing and does it well: it blocks scripts such as JavaScript, Flash, QuickTime, and more from loading in your browser window. (Chrome users may want to check out the similar Chrome extension, NotScripts.) The reason it works so well for security purposes is that malicious web sites can use these scripts as attack vectors in order to cause a browser crash and to gain access to your computer. By blocking these scripts you can make yourself significantly safer on the web.
Keep in mind that for most of us, blocking all scripts would result in a fairly broken internet, given that many websites, such as Google, Gmail, Twitter, Lifehacker and others, rely on JavaScript to load their pages. NoScript allows you to block third-party scripts, or even just scripts from unsafe domains. You can manage these settings in detail, giving you the maximum security with minimum inconvenience.

Web of Trust (All Browsers)

Web of Trust is another plug-in that does something different from the above. Instead of halting any attack vectors, it lets you know whether the website you are visiting is trustworthy or not. That way, if you happen across a website that you think is trustworthy and that even looks it, you get a warning that you should not submit your personal information to the site.
They rely on user ratings to rate sites, and in my experience it has been very accurate and useful.
Note: Add the above extensions only through the browser's extensions.

Tips:

  • Always use a secured web browser to avoid the risks. Using a secure browser, we can access the information and resources available on the Internet and browse safely.
  • To avoid your PC being compromised and becoming a weapon to attack other machines, web browser and Internet users are advised to ensure that the operating system and key system components such as the web browser are fully patched and up to date.
  • Install a personal firewall along with anti-virus software with the latest virus signatures that can detect malware such as key loggers.
  • Regularly change your passwords, using combinations of letters, numbers and special characters, in critical web applications if a one-time password system is not supported.
  • Turn off all JavaScript or ActiveX support in your web browser before you visit any unknown websites.
  • Most vendors give you the option to download their browsers directly from their websites. Make sure to verify the authenticity of the site before downloading any files.
  • To further minimize risk, follow the latest good security practices, such as using a personal firewall, updating to the latest browser with security patches installed, and keeping anti-virus software up to date with regular scanning of the entire system.

Address

Centre for Development of Advanced Computing, (C-DAC)
Plot No. 6 & 7, Hardware Park, Sy No. 1/1, Srisailam Highway, Pahadi Shareef Via Keshavagiri (Post) Hyderabad - 500005
