It didn’t take long until I switched back to IE… no problems with FF, really, but I just don’t see the point in using it! I couldn’t see any obvious advantages. Also, Microsoft Update runs smooth with IE. Being concerned about scripts and stuff I don’t know much about, I might just check out the many options IE has, instead of switching to something else. However, it is a bit tempting to try Opera as well, not the least because someone here - Soya - actually uses it. I’ve never heard anyone else who uses it (but I happen to associate with people who has none or little computer interest…).
LM, you can set IE to prompt for every ActiveX event on a web site! But that will cause quite a lot of prompts. Do you have ActiveX disabled? Doesn’t that strongly delimit what you can do on the Internet? I’m not sure where ActiveX is actually useful, I only know that e.g. Gmail uses it (even though it is possible to use plain HTML too), as well as Google Picasa where I’ve uploaded photo albums.
gordon, “SHOW HIDDEN FILES and SHOW FILE-EXTENSION” is truly a good idea, it provides better control. I tried the program you linked to, it seems to be good but I had already considered most of the options in other ways.
So my recipe is; an MS patched IE7, bad sites (and scripts) blocked by SpywareBlaster, and - not the least - common sense…
From an other thread:
So it is actually not available at all in Opera? Perhaps I could live without ActiveX, like I wrote to LM above, I suppose it is seldom really necessary. If it is necessary after all, then maybe one should use an other website with the same service/info/purpose… (I could live with Gmail in HTML )
I’m not all that techy with Opera, but I’ve seen some members here who are. It’s not as bad as you think without ActiveX - Believe me, I was once like you. For example, if you visit youtube to watch some video clips, it states that ActiveX is required. However, you just need to install the flash plugin to play it. So far, only a few sites like 3 that I visit don’t support Opera.
We’re a little OT now since this is the AV/Malware Products board 88)
So have a read of this and consider installing a good hosts file:
Then you do not have the same need for Spyware Blaster if you really want to use a browser that it doesn’t help.
I think if you look around the security sites, you will find that Firefox is the most recommended. It also doesn’t allow ActiveX.
Hosts file isn’t needed with Opera since has its own url filter file - but you can basically copy & paste the contents. I have my own filter list to block not only ads but websites.
Part of my antimalware solution (in addition to a firewall) - just to keep it on-topic for Soya - involves using Firefox (not IE), with NoScript (nothing runs that I don’t expressly permit), AdBlock (blocks ad content, referring, popups, etc), CookieSafe (controls all cookies, defines who/what/how/why/where/when), SafeDownload (allows access to AV, AS, etc to scan downloads on-demand, rather than waiting for the on-access engine), and Verification Engine (site legitimacy verification, as you know), kept up-to-date.
Regardless of the (limited) settings within IE, it still has inherent vulnerabilities. Although MS issues patches, they are pretty much guaranteed to be “a day late and a dollar short.” By that time you’re already buggered up (potentially); also a large number of MS updates in general have also caused more problems than they solved.
I’m a relative newcomer to FF, and certainly not the power user that some others like Toggie, pepoluan (and more) are. I agree with JamesFrance; FF is very highly rated for security, and Mozilla comes out with fixes/udpates much more quickly than IE. Plus, there’s such strong community involvement and “ownership” just like in Linux. The contributors want to make sure the product remains strong and viable (unlike the big MScorp that really doesn’t seem to).
Believe me, the browser topic is interesting and I was almost lured into the OT corner, but being a mod, ya know…
The SafeDownload is something I haven’t seen. Does it utilize your existing AV scanner or how is different from right-click on the file via a context menu to scan it?
SafeDownload and Addblock Plus are my other 2 add-ons also.
As I have CAVS, every time I download a program (i.e. BOClean 4.24 again yesterday) or even look at a pdf document, up pops a Black screen from CAVS, showing it being scanned.
Wow, it sounds a bit strange to me. I know very few IT people around me, who don’t !
To keep in line with topic: Using Opera and decent firewall is everything you really need. Don’t kill me, I mean it and I am a living proof of it. I myself run purchased NOD32 AV, spend daily 8+ hours on net and (I swear), never cought I virus. I really will stop using antivirus after my 2years licence has expired. OK, just for sure I should perhaps add that I also use M2 (opera built in) e-mail klient that is a substantial tribute to overal safety.
Ah, the never ending off topic temptations… To my defense, I think browsers do fit in the topic of “anything except a firewall”.
However, I just wish to inform: after reading the last posts here, I decided to give FF another try again. Using the add-ons Little Mac listed, I found it more and more appealing. Now I may be stuck, it’s a fantastic browser. The add-ons NoScript and AdBlock are really great! Since I reinstall Windows every two months or so (or on demand), I don’t hesitate to tweak the system: IE is now more or less removed from my system (but not the folder >:(), including all patches and many registry entries. Now there is still a lot to discover in FF, e.g. I don’t know yet how to block all cookies except for the essential ones (yep, CookieSafe is installed too).
I guess there are several people here who use Opera, I just don’t remember any post I have read, except for Soya’s.
On topic, finally
Probably, many of you already know what you need for protection. I’ve never really known, but it is getting clearer: the most essential things should be the Comodo Firewall (soon v3!), and a browser that gives control - a browser that have a touch of the Comodo white list philosophy; don’t allow anything except from trusted sites. BOClean for extra security. Probably CAVS later this year, when BOClean is integrated.
I’ll ponder less now, and let some of the paranoia go away ;D
SafeDownload allows you to select up to 4 different resident scanners to scan with. No, there’s really no difference between the end result of using that, or doing an on-demand scan of the file yourself. The only difference is that it’s automatic; no user interaction required, and you can have it scanned by multiple scanners, virtually simultaneously (so if you have separate AV and AS scanners, you can use both on full auto).
LA, glad to hear your 2nd venture into FF is going better. I have found it helpful to read the info on NoScript’s website, about how to configure that add-on; it was very informative.
To insure that all unwanted cookies are blocked, click the ‘Deny cookies globally’ menu item immediately after installing cookiesafe. That will automatically block all cookies unless you specifically add an exception for a website. Anytime you visit a website that needs to set cookies simply click on the cookiesafe icon and click Allow, Session, or Temporarily Allow. You can choose to enable ‘Refresh page after permissions change’ in the options window. That will refresh the webpage you are viewing anytime you add an exception.
By using the extension in this way it eliminates the need to use ‘Blocked’ exceptions. Since all cookies are blocked by default the only exceptions that you should need in your exceptions list are ‘Allow’ and ‘Session’.
You can also have fun with FF, by using different themes, and trying out different extensions to just do neat stuff (such as ForecastFox for weather conditions). But that’s more the topic for one of the browser threads (there is a Firefox thread in the General section, which you might find interesting).
I still use realtime AV to be on the safe side. But I would like to point out also that while i agree to many of your points it is not necessary to go on questionable sites to get infected.
Thing like these really points out that in order to accomplish security critical operations (eg secure banking) you need to use some live-cd OS to do that
I personally consider myspace to be a questionable site… ;D But agreed, the exploits shown there are not dependant on just that website; they could be accomplished on virtually any website.
Online banking via Live CD OS, huh? Is there anyone besides Linux that has Live CDs?
What about a browser (or system) sandbox? Wouldn’t that remove the web-related threat?
Fine. Go ahead. Better for me if the topic starter and another mod agrees. 88)
Back to the WindizUpdate thingy - does it only update “critical” patches or all of them including the Optional Updates as if done through the Windows/Microsoft Updates site? If it’s so great, can I still update if I wanted to remove the WGA that’s installed on my computer or no?
I there any OS than *nix?
Just kidding ;D There is a way to get windows on a usb stick or a cd
But I’m looking for Haiku, Reactos and Hurd. Haiku R1 wil be out in a year ot two I hope.
We all know that windows is the most widespread (thus targeted) OS around so using another os would be a better choice. An updated windows livecd will usually be safe until a new sasser comes around.
Yep. That should work, but as long is a software there could be a way to break it. The oldest sandbox around is the java sandbox but every now and then a new flaw is discovered.
For example it was discovered a flaw in a sandbox used to analyze if an app is safe. That code had no problem in the sandbox so if the exploit was running in a sandboxed app it would have posed no problem. But still they found a way to defeat that sandbox purpose.
Sandboxes provide a great level of protection against many common threats but an attacker doesn’t need to infect the system, sometimes it needs only a username and a password.
I mean, does a sandboxed app prevent some exploit to get all password saved in a browser and sent them to a site by means of http post?
I certainly agree that there are softwares and good behaviours that help keeping our systems clean and safe but a livecd is a way simpler solution, it is effective, it could be easily updated and it is indipendent from your surfing behaviour, security knowledge or software protection. You can use it on a foreign system too.
Hmm, ReactOS looks intriguing, but if it’s built to be like Windows and utilize Windows drivers, etc, would it not have at least some of the same vulnerabilities? Or am I over-thinking it? That’s kind of OT anyway, but it is an interesting idea.
As to the sandbox vulnerabilities, that is VERY interesting that they’re so easy to exploit. But don’t you have to deliberately save whatever is in the sandbox to the actual computer? If you didn’t know you downloaded something, you wouldn’t save it, right? Of course, that doesn’t help for something you knew you downloaded (like a picture or something otherwise ‘benign’).
Passwords saved in browsers. Now there’s a foolish thought (IMO). I understand the desire to keep them handy, but why keep them in the browser? Ah, if only iVault worked with Firefox…
I hope to see the final build of Reactos, it should have the same pros and cons of opensource regards security but I have the feeling it was targeted. :-X
Regarding that specific advisory you are correct. I really don’t know of any advisories about other sandboxes (excluding sandoboxes not passing some reviews) but I think is only a matter of resources. If is there a widespread solution the accumulation of hacking resources (time/units) will eventually reach a critical point. I can rely only on advisories, still every now and then some security exploit pops out of nowhere and trashes previous secure habits.
I know now is way risky to save password in browsers, but is still a widespread behaviour. And it is the same for email clients. I know that images from unknown sender are usually not showed but how you can be sure about your friends’ level of protection? Also if you don’t save password in the mail client, you still write it when you get the mail and it will be avaiable until you close the mail client.
One thing to mention is that sandboxes are based on the assumption that softwares can be exploited, but the sandbox itself is a software.
We are really reaching a point where we cannot use the internet as intended and we need to review each site code before allowing it.