Jump to content

Browser Security

R__

By R__,
in Off-Topic

 Share

Recommended Posts

R__ Newbie

R__

Posted
Posted

The web is a very dangerous place. When you view a webpage, essentially what you are doing is asking a remote server to run code on your local machine(!). If that doesn't scare you, IT SHOULD. Here is why:

 

Cookies are not safe. Any website can pull all the cookies out of your browser. If you use online banking, you should be concerned, because porn sites tend to be the "legitimate" side of illegitimate organizations (to spell it out: criminals run porn sites). Porn sites are not even the biggest fear... I'm personally more afraid of Facebook than anything. Cookies can sometimes also contain session IDs, which would allow an evil person to rip cookies out of your browser, and log into a target website as you without actually logging in (this is less common, however).

 

Flash cookies: even more scary than normal cookies. Flash is the most insecure piece of your browsing experience. Adobe has a monopoly, and therefore no incentive to improve their product. Don't think they care about improving security; any security updates are to prevent PR nightmares. Flash cookies are impossible to clear from your browser directly; you must use Adobe's flash control panel: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

 

Cross-Site Scripting/XSS: This is my personal favourite. I have lots of evil PHP scripts on my webserver that show examples of this. Javascript can do a lot of amazing things, and a lot of evil things. Evil things like passing your session ID to a PHP script on my webserver that allows me to become you. Another really evil thing that can be done with this, is to have an evil script post messages to forums, or even Facebook, as you. Imagine your facebook status being changed to "I love child porn" for your boss to see. It's all doable through XSS.

 

Porn sites are the worst for running these attacks on you. Of course, I personally never go to any of those, and I'm sure nobody here does either, but be aware. This is where spam comes from: you surf some shady websites, and they rip out your cookies. Now they know all your email addresses, some of your online banking info, and your general online identity. I'm sure Facebook does it too.

 

Do your online banking with a LiveCD/LiveUSB operating system, in a secure browser. If that's too much for you, keep an install of Firefox around with the NoScript plugin installed. Don't do online banking with IE, unless you're a retard. In fact, don't use IE at all unless you're a retard. It's the least secure browser out there. Always has been, always will be (there are plenty of exploits in the wild that can easily be run on webservers that cause your wonderful IE browser to add you to a botnet and/or install all other kinds of malware).

 

Stay away from porn!

Link to comment
Share on other sites
deanb Contributor

deanb

Posted
Posted

http://www.bbc.co.uk/news/technology-12668552

 

Supposedly an EU Directive is coming into force in a few months that will dictate cookie use.

Not sure if it will be good or bad, since as the article points out many folks may soon be getting an increase in pop-ups n such asking if a site can track them or store cookies and such. Facebooks reaction will be interesting since many folks use it as their gateway to the internet, but they also have their fingers in many pies across the net tracking your likes and visits across the net.

Link to comment
Share on other sites
deanb Contributor

deanb

Posted
Posted

I doubt it. As it stands Do Not Track is pretty much just a ..placebo is the wrong word... Dummy button.

Mozilla went "It'd be neat if this feature existed". They need all the guys reliant on tracking your data to agree it's a neat idea too.

that's not my word that their's:

https://wiki.mozilla..._DoNotTrack_FAQ

Will turning on the header block tracking? No. When the header is turned on it will send a signal to the website that the user would like to opt-out of tracking by third parties. This does not force an opt-out or currently require that websites comply. Our hope is that by implementing this header other browsers and websites will adopt and maintain it.

 

Google have a similar solution, but since they not only make the browser but the tracking cookies too they have the edge for now with a system that actually works.

http://www.networkad...ing/opt_out.asp

(It uses that list there basically)

 

And since the Chrome/NIA version is up and running and more than just hopes and dreams I have a feeling that'd be the path EU would most likely take. From a government viewpoint it's certainly the much easier route. If companies are already self-complying with the NIA opt-out list, then it makes sense to let them continue with that then force then to sign up to Mozillas list too.

Link to comment
Share on other sites
  • 2 weeks later...
R__ Newbie

R__

Posted
  • Author
Posted

Using SSL increases the workload on both ends of the connection. If a site is even a little bit popular, the extra CPU load could mean additional servers are required to keep up with the traffic. Plus certificates are a pain...

Link to comment
Share on other sites
deanb Contributor

deanb

Posted
Posted

Well I have read the article (hence linking) and R____ is right, the encryption chews through CPU, and HTTPS can't cache, meaning it needs to be generated n resent every time.

It's why on the sites that are enabling it, it's optional not forced, and smaller sites can't use it or generally have little use for it.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...