Web Browser Security Revisited (Part 1)

If you would like to read the other parts in this article series please go to:

Introduction

In many organizations, the web browser is the most-used Internet application, but some users and admins are basing their browser choice on outdated information. And even if you have selected the web browser with the most and best security features, that doesn’t mean you’re safe. Those features have to be properly configured and even then, there are vulnerabilities in every browser.

The security priority

I’ve written a number of articles for this site outlining security features in various browser versions, but in general the web browser is often thought of as a consumer application. Of course, it’s also an important business tool. It’s also one of the most commonly exploited attack vectors. Web browsers put your network and your users at risk because they connect to so many different sites all over the world, any of which could be (deliberately or unknowingly) hosting malware. Browsers run code – JavaScript, ActiveX controls, Flash, Silverlight, etc. They transmit (and in some cases store) passwords used to access security-sensitive web sites. They may store information for automatic filling in of forms, including addresses, phone numbers, credit card and banking information.

Web browsers are complex pieces of software. On top of that, they run numerous add-ons (a.k.a. plug-ins or extensions) that are developed by third parties. This greatly extends the functionality of the browser but it also creates more risk of vulnerabilities and thus more opportunities for attackers to exploit those vulnerabilities.

The good news is that all of the popular web browsers – Chrome, Firefox, Internet Explorer, Opera, Safari (listed in alphabetical order) – are substantially more secure today than they were five years ago. All of the web browser vendors put a great deal of time and effort into building new security mechanisms into each new release of their software.

Interestingly, a recent poll from Sophos indicated that Mozilla Firefox is the web browser that’s “most trusted” by the survey respondents, garnering over 50 percent of the vote. Google Chrome was second with close to 27 percent, Microsoft Internet Explorer was third with 8 percent, Apple Safari coming in at a little over 7 percent, Opera at a bit less than 5 percent and Chromium (the base browser on which Chrome and the latest versions of Opera are built) with 3 percent.

But the browser most people trust isn’t necessarily the browser that’s most trustworthy. There have been a number of studies done by various organizations to compare the security of the popular browsers, and the results vary. Larry Seltzer, over on ZDNet, notes that “Contrary to aged conventional wisdom, recent versions of Internet Explorer are very secure, perhaps the most secure browser available.” And over on the Sophos blog, John Zorabedian opines that Chrome “could be” the most secure web browser. In the end, as InfoSecurity reported in July and as testing by NSS Labs showed, there actually is no definitive winner of the web browser security race. Some excel in one area, such as protecting users from phishing sites, while others do better at other things, such as keeping users from being tracked without their permission.

The moral of the story is that, regardless of which browser you or your end users choose, there will be risks involved in venturing out onto the world wide web. Those risks can be reduced, however, by proper configuration of the chosen browser and by practicing safe surfing habits. Now we’re going to take a closer look at each of the top browsers in their current incarnations, discuss the security measures they implement, and talk about how to configure them to make them more secure (while preserving usability).

Browser Security Commonalities

No matter which browser(s) are in use in your organization, you know that the first key to security with any browser is to use the most recent version possible, because that’s the one that will have more security mechanisms built in. Vendors learn from past mistakes, and new versions will have patched vulnerabilities that were discovered in their predecessors.

However, new browser versions are released by some vendors seemingly every other day (Chrome is currently on version 30 – although by the time this is published, another new version might have been released – and it’s only been around since 2008). It’s not always easy to keep up when you have a large number of machines to update. Even with automatic updates enabled, sometimes the updates don’t work. If users are allowed to download and install programs (not a good idea, but sometimes necessary under some circumstances), some of them may have multiple browsers installed on their machines.

And of course, with the BYOD trend, users have far more control over laptops and tablets that they personally own, but which connect to your network and can present a risk to the rest of the network if they become infected. It’s important to have software inventory tools and a management system that will let you know what versions of which applications are installed on each machine at any given time. It’s also important to have policies in place that require BYOD users to keep their applications up to date, as well as requiring that they have adequate anti-malware software installed and in use.

Another problem is that it’s not just the web browser itself that can be exploited. Browser vendors release APIs to allow third parties to create extensions that give the browser even more functionality, such as the ability to display PDFs via the Adobe Reader plug-in. The bad news is that all of those plug-ins/extensions come with potential vulnerabilities of their own. That means updating the browser isn’t enough; you also need to ensure that any add-ons are up to date, as well.
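The inventory check described above, as an added example that is not part of the original article: it reads a constructed inventory export (hostname, application, version) and reports every machine whose browser or plug-in is below a minimum version the organization has set. The inventory format, the host names and the minimum versions are assumptions; the one thing worth noticing is that versions must be compared numerically, since a string comparison would rank "9.5.5" above "11.0".

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory export (hypothetical format: host, application, version).
SAMPLE_INVENTORY = """host,application,version
ws-101,Chrome,30.0.1599.69
ws-101,Adobe Reader,11.0.04
ws-102,Chrome,29.0.1547.76
ws-102,Firefox,24.0
ws-103,Internet Explorer,10.0.9200.16660
ws-103,Adobe Reader,9.5.5
ws-104,Firefox,24.0
"""

# Hypothetical minimum versions the organization has decided to accept.
MINIMUM_VERSIONS = {
    "Chrome": "30.0",
    "Firefox": "24.0",
    "Internet Explorer": "10.0",
    "Adobe Reader": "11.0",
}

def parse_version(text):
    """Split a dotted version into an integer tuple so that 11.0 sorts above 9.5.5."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)  # non-numeric suffixes count as 0
    return tuple(parts)

def is_outdated(installed, minimum):
    """True when the installed version is below the required minimum (shorter tuple padded with zeros)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def find_outdated(inventory_csv, minimums):
    """Return {host: [(application, installed, required), ...]} for hosts that need updates."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        required = minimums.get(row["application"])
        if required and is_outdated(row["version"], required):
            findings[row["host"]].append((row["application"], row["version"], required))
    return dict(findings)
```

Calling `find_outdated(SAMPLE_INVENTORY, MINIMUM_VERSIONS)` on the sample data flags ws-102 (Chrome 29) and ws-103 (Adobe Reader 9.5.5); applications missing from the minimum table are ignored rather than flagged.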

Web browser vendors are concerned about security, but they also build their browsers to appeal to users. Sometimes the two are in conflict. End users often care more about features and functionality than security. They want to be able to do what they want or need to do on the web, and they don’t want to have to jump through security hoops in order to do it. Therefore even when a browser is capable of strong security, those security mechanisms may be turned off by default to improve the user experience.

Security mechanisms such as encryption can slow down performance. Blocking potentially dangerous web content such as ActiveX controls or JavaScript can cause some websites to not work properly. Requiring sites to be “white listed” in order to be accessed can prevent users from going to safe (but not listed) sites they need in order to get the information to do their work. Vendors don’t want to alienate users and drive them to another browser, so you may find some of the high security features present but disabled.

And it’s not only end users who get frustrated with the restrictions of security controls. Windows Vista demonstrated that, as “power users,” including many IT professionals, turned off User Account Control because it was too “in your face.” I don’t know how many times I’ve heard IT pros complain about how difficult it is to get Internet Explorer on recent versions of Windows Server to “just work,” because of the high security that’s enabled by default.

Most browsers now use some type of sandboxing or isolation method to prevent what goes on in one browser tab from affecting what happens in other open tabs and to restrict web pages from affecting the operating system. Each browser tab runs in its own separate process on the computer, instead of all in one as older browsers did. That’s why you’ll see multiple instances of the browser application if you look at the processes in Task Manager. We’ll discuss the ways different browsers accomplish this in more detail when we delve into the security features of each of the popular browsers later in this series.

If users need to have plug-ins or browser configurations that are less secure, in order to get their work done, one suggestion is to have them use a different browser (the one that is considered most secure) for any kind of sensitive transactions, such as financial transactions or those where they must send either personal information or confidential company information via web forms. The browser used for sensitive transactions should have no plug-ins or have them all disabled and all settings should be configured to their most secure levels. For even better security, the sensitive browser can be run in a virtual machine on an operating system that is dedicated to this one purpose.

Another issue is how browsers store information such as remembered passwords and personal information such as credit card numbers that is used for quickly filling in forms. Some browsers may store some information on the computer in unencrypted databases, which could potentially be accessed by an unauthorized person.

Summary

The issues discussed in Part 1 of this series are some that are common to all or many of the popular web browsers. In Part 2, we’ll start to drill down into the specific security features of the different browsers, beginning with Internet Explorer.
