The internet browser security thread

Hey, as we time after time get off topic in several threads ending up with browser discussions, I thought we should have this thread on its own, to gather ideas/questions/answers. I don’t know if you’re interested in this, as much has been treated already (the very past few days) in other threads, but anyway… here’s the thread.

I’ve recently learned something new regarding scripts - JavaScript, Java, Flash, ActiveX and so on. These things are often allowed in Internet Explorer by default, not considering the hazards. These threats can be mitigated by spyware protection plugins, but I suppose the threats can only be mitigated and not really taken away. Besides, it depends on updates from the antispyware provider. To express a preferred solution I’ve come up with the Comodo white list analogy; only allow what you know is safe.

As I now use Firefox since two days, new opportunities of security have come up, thanks to - most of all - NoScript. Consequently, my browser only allows what I tell it to allow. The same goes for cookies; all are blocked except for the exceptions.

What would you like to add here, as really essential plugins - and opinion input in general - to get the safest internet browser available? What about the alternatives, Opera and Avant? The new Netscape 9.0 beta? (I suppose we can hardly consider IE7 as an alternative here… :D)

/LA

Ah, you know what I would like to see, is something (besides a proxy), that would not slow down your computer/browsing, but would “mask” the normally-available information that your browser provides.

I don’t know the full extent of what the browser does provide, but I know it gives IP address, and allows some sort of information about the browser itself, the OS, and so on. For instance, running NoScript, if you go to a site that requires something like Java, you will get an alert - from the website - that you must have Java enabled. How would they know, except your browser told them? Also, if you go to a site that does not support Firefox (requires IE or Netscape - I’ve seen this from some banking sites, unfortunately), you will get an alert - from the website - that your browser is not supported. How would they know, unless your browser told them?

Thus, I’d like the browser to not give any info, but without the use of a proxy. Every one that I know of is either a local or remote proxy of some sort. I’d like to see a browser plugin that just cuts right to the chase.

It may not be possible, but I’d still like to see it…

LM

Oh, I’ve never thought of this aspect. Do you consider this as a matter of integrity? I took for granted that this was cookie related - no cookies = no info to the web site host. But obviously, surfing totally anonymously isn’t really easy, unless one knows how things work. I don’t even know anything about proxy servers so I can currently kiss anonymousity (hey, is that the correct word?) good bye…

/LA

simple! start using IPSec! well the protocol is developed and it’s time to switch!And the proxy only hides your IP ryt! still other data is available u know! sniffers, MIM attacks! I dont think they ll ever create a way to secure the client server technology 100%

well who knows! Stranger things have happened!

Dam

In reality, what I want probably wouldn’t work. And it’s probably not a big deal. However, it’s just kind of irritating. Many years ago in the US, there was a thing for phones called a ‘party line.’ I don’t know if it was supposed to be “good” or not, but effectively you shared a line with all your neighbors. Thus, you could hear other people talking any time you picked up the phone. Kind of fuzzy, but if you were quiet and listened, you could make out what they said.

It’s like trying to have a private, sensitive conversation in your local coffee shop. There’s just a certain amount of invasion.

This, to me, is kind of like that. The internet is, in a sense, a public place. We tend to think it’s not, or want it not to be. Here’s an article that provides some more insight. I just don’t want others “listening in” on my internet ‘conversations.’ Since I don’t have a neat little techno-device to erase their memory of me ever existing, and implanting a false one in its place… (:KWL) http://www.mozilla.org/projects/security/pki/psm/help_21/privacy_help.html

LM

Moving on,

I guess Firefox is the most common alternative for non IE-users (Mac users not reallt included in my thought). Why chose Opera, or Avant? Are there any special advantages that you can’t even get with plugins i Firefox?

Opera Advantages: smaller download and installed size, speed, least reported vulnerabilities, resource usage. Probably others, but I wouldn’t know (of the degree of the advantages).

Interesting aspects, especially resource usage and security holes.

LA

The only draw back in Firefox is the memory leaks it has! And sometimes it being a resource hog! But that’s how it’s developed as well! If you have more memory it’ll use more! If you have less it’ll use less! But always you can customize it according to your needs! And from other aspects like functionality and security I think it’s the best in the market!

My second option would be Opera! But I don’t really don’t like the links showing the “location” on top of it. Really annoying. It might be customizable But am not sure of it! ( Now that’s where firefox comes into play about:config and so many ways to customize it! That’s why it’s my number one choice!

Dam

You mean all this info ? :

These FireFox extensions can help you against sites tracking where you came from
by either stripping or spoofing the referrer :
https://addons.mozilla.org/en-US/firefox/addon/1999
(gives a context-menu : “open link in new tab without referrer”)

This one is a lot more advanced, it lets you control
the referrer on a pr site basis :
http://www.stardrifter.org/refcontrol/

Test it here : Referer Test

This one lets you spoof the user-agent :

You can pretend to be using IE, Opera, etc etc …
You can even pretend to be the google-spider, that might give you access
to some news-sites etc that require registration to see the full article …

Masking the OS is a lot harder because that info is also provided by the header
of the packets you send so you would have to spoof ALL of them …

Note that some websites require the above info to work properly !!

To bad you don’t like the local-proxy approach :
Privoxy (http://www.privoxy.org/) can do all the above and then some…
Here is an example :

(click image to see larger)

http://img262.imageshack.us/img262/1691/noprivoxyoi9.th.png

Without Privoxy

(click image to see larger)

http://img504.imageshack.us/img504/6411/privoxypm6.th.png

With Privoxy
If you want to try Privoxy you might like the “switch-proxy” extension :

Besides all the filtering it can do, the local-proxy approach is by itself safer
than letting your browser connect directly to the tubes of the internets.
f.ex it gives good protection against browser-specific exploits from evil web-pages
and it lets IE-users have some of the benefits that FireFox users have with extensions .

Hiding your IP is a lot harder… in reality it can’t be done if you also want to receive data.
However, you CAN hide your REAL IP from the site you are visiting
by using either a proxy ( a “server” that you find somewhere, or one of the many web-proxys)
OR you could sign up with a VPN-service …

Here are two FREE VPN’s if you want to try before you buy :
https://www.secureix.com/
A PPTP-VPN, 256/kbit/s up/down bw-limit.
You also get e-mail with sender-whitelisting (no mail is delivered until you have approved
the sender !) and free news-server.

And this one, based on openVPN :
http://anchorfree.com/hotspot-shield/
(shows ads in your browser but you could block those )
At the moment “HotSpot Shield” is for US residents only (:AGY)

as an added privacy-bonus VPN’s make it almost impossible for
ISP’s to monitor (and/or “shape”) your traffic…

Well guess what? I know what you mean. Of course it can be disabled - the tooltips. It even saves a miniscule amount of cpu, but I keep it because I’m rather used to it replacing the status bar the bottom of standard browsers. Oh, and opera also has its own configuration: opera:config