Author Topic: Pondering: the actual need for anything except for a firewall  (Read 4609 times)
LeoniAquila
Über Minimalist™ Defender of Resources Bloatware Fighter
Global Moderator
Comodo's Hero

Posts: 3233


Diesel in my veins


« Reply #30 on: June 13, 2007, 06:05:55 AM »

Soya,
Ah, the never-ending off topic temptations... To my defense, I think browsers do fit in the topic of "anything except a firewall". :)

However, I just wish to inform: after reading the last posts here, I decided to give FF another try.  Using the add-ons Little Mac listed, I found it more and more appealing. Now I may be stuck, it's a fantastic browser. The add-ons NoScript and AdBlock are really great! Since I reinstall Windows every two months or so (or on demand), I don't hesitate to tweak the system: IE is now more or less removed from my system (but not the folder >:( ), including all patches and many registry entries. Now there is still a lot to discover in FF, e.g. I don't know yet how to block all cookies except for the essential ones (yep, CookieSafe is installed too).

JanPoko,
I guess there are several people here who use Opera, I just don't remember any post I have read, except for Soya's.

On topic, finally :)
Probably, many of you already know what you need for protection. I've never really known, but it is getting clearer: the most essential things should be the Comodo Firewall (soon v3!), and a browser that gives control - a browser that has a touch of the Comodo white list philosophy; don't allow anything except from trusted sites. BOClean for extra security. Probably CAVS later this year, when BOClean is integrated.

I'll ponder less now, and let some of the paranoia go away :D
« Last Edit: June 13, 2007, 06:08:28 AM by LeoniAquila »

» User of Windows XP Home Edition SP3 on Acer Aspire
» Slave of COMODO Firewall Pro 3.0
Little Mac
Global Moderator
Comodo's Hero

Posts: 6011



« Reply #31 on: June 13, 2007, 10:06:12 AM »

Soya,

SafeDownload allows you to select up to 4 different resident scanners to scan with.  No, there's really no difference between the end result of using that, or doing an on-demand scan of the file yourself.  The only difference is that it's automatic; no user interaction required, and you can have it scanned by multiple scanners, virtually simultaneously (so if you have separate AV and AS scanners, you can use both on full auto).

LA, glad to hear your 2nd venture into FF is going better.  I have found it helpful to read the info on NoScript's website, about how to configure that add-on; it was very informative. 

For CookieSafe,
Quote from: CookieSafe Forum
To insure that all unwanted cookies are blocked, click the 'Deny cookies globally' menu item immediately after installing cookiesafe. That will automatically block all cookies unless you specifically add an exception for a website. Anytime you visit a website that needs to set cookies simply click on the cookiesafe icon and click Allow, Session, or Temporarily Allow. You can choose to enable 'Refresh page after permissions change' in the options window. That will refresh the webpage you are viewing anytime you add an exception.

By using the extension in this way it eliminates the need to use 'Blocked' exceptions. Since all cookies are blocked by default the only exceptions that you should need in your exceptions list are 'Allow' and 'Session'.

You can also have fun with FF, by using different themes, and trying out different extensions to just do neat stuff (such as ForecastFox for weather conditions).  But that's more the topic for one of the browser threads (there is a Firefox thread in the General section, which you might find interesting).

LM

date
dcfldd split=2G conv=noerror hashwindow=0 hash=md5 hashlog=/mnt/sda1/images/hash.log if=/dev/hda of=/mnt/sda1/images/LM.dd
date
cat LM.dd.* | md5sum > verify.log
date
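
The default-deny workflow from the CookieSafe quote in Reply #31, modelled in JavaScript. This is an added example, not CookieSafe's code or part of the original posts; the class, the parent-domain matching, the way 'Session' and 'Temporarily Allow' are handled, and the .test hosts are assumptions.

```javascript
// Added example: default-deny cookie policy with per-site exceptions.
// Permission names mirror the menu items in the quote; the rest is assumed.
const ALLOW = 'allow', SESSION = 'session', TEMP = 'temporary';

class CookiePolicy {
  constructor() {
    this.denyGlobally = true;     // 'Deny cookies globally'
    this.exceptions = new Map();  // host -> ALLOW | SESSION | TEMP
  }

  addException(host, mode) {
    this.exceptions.set(host.toLowerCase(), mode);
  }

  // Walk from the full host up through its parent domains, so an exception
  // for bank.test also covers www.bank.test. The bare top-level label is
  // never tried for multi-label hosts.
  lookup(host) {
    const labels = host.toLowerCase().split('.');
    const stop = Math.max(1, labels.length - 1);
    for (let i = 0; i < stop; i++) {
      const mode = this.exceptions.get(labels.slice(i).join('.'));
      if (mode) return mode;
    }
    return null;
  }

  // Decide what happens to a cookie set by `host`.
  // Returns null (dropped) or the cookie to store.
  decide(host, cookie) {
    const mode = this.lookup(host);
    if (!mode) return this.denyGlobally ? null : cookie;
    if (mode === ALLOW) return cookie;
    // SESSION and TEMP: strip persistence so the cookie dies with the browser.
    const { expires, maxAge, ...sessionOnly } = cookie;
    return sessionOnly;
  }

  // At browser shutdown, temporary exceptions are forgotten.
  endBrowserSession() {
    for (const [host, mode] of this.exceptions) {
      if (mode === TEMP) this.exceptions.delete(host);
    }
  }
}
```

With no 'Blocked' entries at all, every host that is not listed falls through to the global deny, which is the point the quote makes about only needing 'Allow' and 'Session' exceptions.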
gibran
Forum Member
Global Moderator
Comodo's Hero

Posts: 3464


Sometimes words are meaningless indeed...


« Reply #32 on: June 13, 2007, 03:04:15 PM »

I still use realtime AV to be on the safe side. But I would like to point out also that while I agree with many of your points, it is not necessary to go on questionable sites to get infected.

Look at "Virus Forces MySpace to Remove Infected Profiles" or "Hacked Ad Seen on MySpace Served Spyware to a Million".

Finally, have a look at the WMF FAQ and keep in mind that many hackers discovered some ways to bypass DEP.

Things like these really point out that in order to accomplish security-critical operations (e.g. secure banking) you need to use some live-CD OS to do that.
« Last Edit: June 13, 2007, 03:06:03 PM by gibran »

Little Mac
« Reply #33 on: June 13, 2007, 03:57:05 PM »

I personally consider MySpace to be a questionable site... :D  But agreed, the exploits shown there are not dependent on just that website; they could be accomplished on virtually any website.

Online banking via Live CD OS, huh?  Is there anyone besides Linux that has Live CDs? 

What about a browser (or system) sandbox?  Wouldn't that remove the web-related threat?

LM
LeoniAquila
« Reply #34 on: June 13, 2007, 05:14:59 PM »

Thanks, LM :)
Soyabeaner
Global Moderator
Comodo's Hero

Posts: 7039



« Reply #35 on: June 13, 2007, 05:47:11 PM »

Quote from: LeoniAquila
Soya,
Ah, the never-ending off topic temptations... To my defense, I think browsers do fit in the topic of "anything except a firewall". :)

Fine.  Go ahead.  Better for me if the topic starter and another mod agree. ::)

Back to the WindizUpdate thingy - does it only update "critical" patches or all of them including the Optional Updates as if done through the Windows/Microsoft Updates site?  If it's so great, can I still update if I wanted to remove the WGA that's installed on my computer or no?

« Last Edit: June 13, 2007, 05:50:02 PM by Soya »
gibran
« Reply #36 on: June 13, 2007, 06:52:11 PM »

Quote from: Little Mac
Online banking via Live CD OS, huh?  Is there anyone besides Linux that has Live CDs?

Is there any OS other than *nix? :P

Just kidding :D There is a way to get Windows on a USB stick or a CD.
But I'm looking for Haiku, ReactOS and Hurd. Haiku R1 will be out in a year or two I hope.
We all know that Windows is the most widespread (thus targeted) OS around so using another OS would be a better choice. An updated Windows live CD will usually be safe until a new Sasser comes around.

Quote from: Little Mac
What about a browser (or system) sandbox?  Wouldn't that remove the web-related threat?

Yep. That should work, but as long as it is software there could be a way to break it. The oldest sandbox around is the Java sandbox but every now and then a new flaw is discovered.

For example, a flaw was discovered in a sandbox used to analyze if an app is safe. That code had no problem in the sandbox so if the exploit was running in a sandboxed app it would have posed no problem. But still they found a way to defeat that sandbox's purpose.

Sandboxes provide a great level of protection against many common threats but an attacker doesn't need to infect the system; sometimes they need only a username and a password.
I mean, does a sandboxed app prevent some exploit from getting all the passwords saved in a browser and sending them to a site by means of HTTP POST?

I certainly agree that there are software and good behaviours that help keep our systems clean and safe, but a live CD is a way simpler solution: it is effective, it could be easily updated and it is independent of your surfing behaviour, security knowledge or software protection. You can use it on a foreign system too.

« Last Edit: June 13, 2007, 07:12:53 PM by gibran »

Little Mac
« Reply #37 on: June 14, 2007, 09:31:08 AM »

Hmm, ReactOS looks intriguing, but if it's built to be like Windows and utilize Windows drivers, etc, would it not have at least some of the same vulnerabilities?  Or am I over-thinking it?  That's kind of OT anyway, but it is an interesting idea.

As to the sandbox vulnerabilities, that is VERY interesting that they're so easy to exploit.  But don't you have to deliberately save whatever is in the sandbox to the actual computer?  If you didn't know you downloaded something, you wouldn't save it, right?  Of course, that doesn't help for something you knew you downloaded (like a picture or something otherwise 'benign').

Passwords saved in browsers.  Now there's a foolish thought (IMO).  I understand the desire to keep them handy, but why keep them in the browser?  Ah, if only iVault worked with Firefox....

LM
LeoniAquila
« Reply #38 on: June 14, 2007, 10:15:49 AM »

Hey guys,
http://forums.comodo.com/general_discussion_off_topic_anything_and_everything/the_internet_browser_security_thread-t9806.0.html
:)
gibran
« Reply #39 on: June 14, 2007, 10:46:09 AM »

I hope to see the final build of ReactOS; it should have the same pros and cons of open source regarding security, but I have the feeling it was targeted. :-X

Regarding that specific advisory you are correct. I really don't know of any advisories about other sandboxes (excluding sandboxes not passing some reviews) but I think it is only a matter of resources. If there is a widespread solution, the accumulation of hacking resources (time/units) will eventually reach a critical point. I can rely only on advisories; still, every now and then some security exploit pops out of nowhere and trashes previously secure habits.

I know now it is way risky to save passwords in browsers, but it is still a widespread behaviour. And it is the same for email clients. I know that images from unknown senders are usually not shown, but how can you be sure about your friends' level of protection? Also, if you don't save the password in the mail client, you still write it when you get the mail and it will be available until you close the mail client.

One thing to mention is that sandboxes are based on the assumption that software can be exploited, but the sandbox itself is software.

We are really reaching a point where we cannot use the internet as intended and we need to review each site's code before allowing it.
« Last Edit: June 14, 2007, 10:55:24 AM by gibran »
