Browser security

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes via cross-site scripting (XSS) [1] and sometimes with a secondary payload delivered through Adobe Flash. [2] Security exploits can also take advantage of vulnerabilities (security holes) that are commonly exploited in all browsers (including Google Chrome, [3] Microsoft Internet Explorer, [4] Mozilla Firefox, [5] Opera, [6] and Safari [7]).

Security

Web browsers can be breached in one or more of the following ways:

The browser may not be aware of any of the breaches above and may show the user that a secure connection has been made.

Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else). [10] If malicious code has been inserted into the website's content, or, in a worst-case scenario, if the website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways. One of the bits of information that a website collects from a browser communication is the browser's identity, which allows vulnerabilities specific to that browser to be targeted. [11] Once an attacker is able to run processes on the visitor's machine, exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser is not already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even on the victim's whole network. [12]

Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising; [13] collecting personally identifiable information (PII) for either Internet marketing or identity theft; website tracking or web analytics about a user against their will using tools such as web bugs, Clickjacking, Likejacking (where Facebook's like button is targeted), [14] [15] [16] [17] HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs); [2] installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware, including online banking theft using man-in-the-browser attacks.

An in-depth study of vulnerabilities in the Chromium web browser found that Improper Input Validation (CWE-20) and Improper Access Control (CWE-284) are the most frequent root causes of security vulnerabilities. [18] Furthermore, among the vulnerabilities examined at the time of the study, 106 occurred in Chromium because of reusing or importing vulnerable versions of third-party libraries.

Vulnerabilities in the web browser software itself can be minimized by keeping the browser software updated, [19] but this will not be sufficient if the underlying operating system is compromised, for example by a rootkit. [20] Some subcomponents of browsers, such as scripting, add-ons, and cookies, [21] [22] [23] are particularly vulnerable (the "confused deputy problem") and also need to be addressed.

Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.

Browsers can use more secure methods of network communication to help prevent some of these attacks:

Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.

The topic of browser security has grown to the point of spawning the creation of entire organizations, such as The Browser Exploitation Framework Project, [24] creating platforms to collect tools to breach browser security, ostensibly in order to test browsers and network systems for vulnerabilities.

Plugins and extensions

Although not part of the browser per se, browser plugins and extensions extend the attack surface, exposing vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, the Java plugin, and ActiveX that are commonly exploited. Researchers [25] have extensively studied the security architecture of various web browsers, in particular those relying on plug-and-play designs. This study identified 16 common vulnerability types and 19 potential mitigations. Malware may also be implemented as a browser extension, such as a browser helper object in the case of Internet Explorer. [26] In various other exploits, websites designed to look authentic included rogue "update Adobe Flash" popups as visual cues that led users to download malware payloads in place of the update. [27] Some browsers, such as Google Chrome and Mozilla Firefox, can block insecure plugins or warn users about them.

Adobe Flash

An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also employing Flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were lacking. [28] Most browsers' cache and history delete functions do not affect Flash Player's writing Local Shared Objects to its own cache, and the user community is much less aware of the existence and function of Flash cookies than HTTP cookies. [29] Thus, users having deleted HTTP cookies and purged browser history files and caches may believe that they have purged all tracking data from their computers while in fact Flash browsing history remains. As well as manual removal, the BetterPrivacy add-on for Firefox can remove Flash cookies. [2] Adblock Plus can be used to filter out specific threats [13] and Flashblock can be used to give an option before allowing content on otherwise trusted sites. [30]

Charlie Miller recommended "not to install Flash" [31] at the computer security conference CanSecWest. Several other security experts also recommend either not installing Adobe Flash Player or blocking it. [32]

Password security model

The contents of a web page are arbitrary and controlled by the entity owning the domain name displayed in the address bar. If HTTPS is used, encryption prevents attackers with access to the network from changing the page contents en route. When presented with a password field on a web page, a user is supposed to look at the address bar to determine whether the domain name shown there is the correct place to send the password. [33] For example, for Google's single sign-on system (used on e.g. youtube.com), the user should always check that the address bar says "https://accounts.google.com" before inputting their password.

An un-compromised browser guarantees that the address bar is correct. This guarantee is one reason why browsers will generally display a warning when entering fullscreen mode, on top of where the address bar would normally be, so that a fullscreen website cannot make a fake browser user interface with a fake address bar. [34]
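The address-bar check described above amounts to comparing the page's origin (scheme, host and port) with the expected one. The following JavaScript is an added example, not code from the article or from any browser vendor: it contrasts an exact origin comparison with the string-prefix check people often reach for first. The lookalike addresses are constructed for illustration and do not refer to real sites.

```javascript
// Added example (not from the article): deciding whether the address in the
// address bar is the legitimate place to enter a password, by comparing the
// URL's origin (scheme + host + port) with the expected origin. Sample
// addresses below are constructed for illustration.

const EXPECTED = "https://accounts.google.com";

// Correct comparison: parse the address and compare origins exactly.
// Anything that does not parse as an absolute URL is rejected.
function isExpectedOrigin(address, expected = EXPECTED) {
  let url;
  try {
    url = new URL(address);
  } catch {
    return false;
  }
  return url.origin === new URL(expected).origin;
}

// The check people reach for first, kept only to show how it fails.
function naivePrefixCheck(address, expected = EXPECTED) {
  return address.startsWith(expected);
}

// Run both checks over a set of addresses; `trap` marks cases where the naive
// check would have accepted a password field that it should not.
function compare(addresses) {
  return addresses.map((address) => {
    const strict = isExpectedOrigin(address);
    const naive = naivePrefixCheck(address);
    return { address, strict, naive, trap: naive && !strict };
  });
}

const SAMPLES = [
  "https://accounts.google.com/signin",             // genuine
  "https://ACCOUNTS.GOOGLE.COM:443/signin",         // genuine: host is case-insensitive, 443 is the default port
  "http://accounts.google.com/signin",              // wrong scheme: no TLS, so the page can be rewritten in transit
  "https://accounts.google.com.example.net/signin", // lookalike host: the expected name is only a prefix
  "https://accounts.google.com@example.net/signin", // userinfo trick: the real host is example.net
  "https://accounts.google.com:8443/signin",        // a different port is a different origin
  "about:blank",                                    // not a network origin at all (origin is "null")
];

console.table(compare(SAMPLES));
```

Comparing `url.origin` rather than the raw string means case differences and an explicit default port are normalised away, while a host that merely begins with the expected name, a host hidden behind a userinfo component, or a different port are all rejected.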

LiveCD

LiveCDs, which run an operating system from a non-writable source, typically come with Web browsers as part of their default image. If the original LiveCD image is free of malware, all of the software used, including the Web browser, will load free of malware every time the LiveCD image is booted.

Browser hardening

Browsing the Internet as a least-privilege user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser to compromise the whole operating system. [35]

Internet Explorer 4 and later allows the blocklisting [36] [37] [38] and allowlisting [39] [40] of ActiveX controls, add-ons and browser extensions in various ways.

Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control. [41] Google Chrome provides a sandbox to limit web page access to the operating system. [42]

Suspected malware sites reported to Google, [43] and confirmed by Google, are flagged as hosting malware in certain browsers. [44]

There are third-party extensions and plugins available to harden even the latest browsers, [45] and some for older browsers and operating systems. Whitelist-based software such as NoScript can block JavaScript and Adobe Flash, which are used for most attacks on privacy, allowing users to enable only sites they know are safe. AdBlock Plus also uses whitelist-based ad filtering rule subscriptions, though both the software itself and the filtering list maintainers have come under controversy for allowing some sites to pass the pre-set filters by default. [46] The US-CERT recommends blocking Flash using NoScript. [47]

Fuzzing

Modern web browsers undergo extensive fuzzing to uncover vulnerabilities. The Chromium code of Google Chrome is continuously fuzzed by the Chrome Security Team with 15,000 cores. [48] For Microsoft Edge and Internet Explorer, Microsoft performed fuzz testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files. [49] [48]
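The browser fuzzing described above runs at a scale no single script reproduces, but the structure of a fuzzer is small. The following JavaScript is an added example, not the article's or any browser vendor's tooling: a mutation-based harness pointed at the WHATWG URL parser built into Node.js rather than at a browser DOM. It has the three parts every fuzzer needs (a seed corpus, mutators, and an oracle that decides what counts as a bug). The seeds, mutation alphabet, iteration count and PRNG seed are all constructed for illustration.

```javascript
// Added example (not from the article): a minimal mutation-based fuzz harness
// targeting the WHATWG URL parser in Node.js. Seeds, alphabet and counts are
// constructed for illustration.

const SEEDS = [
  "https://example.test/path?q=1#frag",
  "http://user:pw@example.test:8080/a/../b",
  "file:///tmp/x",
  "https://[::1]:443/",
];

// Deterministic PRNG (xorshift32) so any finding can be reproduced from its seed.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000;
  };
}

// Characters a URL parser cares about: delimiters, escapes, a NUL, a non-ASCII code point.
const ALPHABET = "abc/:@?#%[]{}.\\ 0123456789\u0000\u00ff";

// One random mutation: replace, insert, delete, or splice in a slice of another seed.
function mutate(input, rng) {
  const pick = (n) => Math.floor(rng() * n);
  const ch = () => ALPHABET[pick(ALPHABET.length)];
  const i = pick(input.length + 1);               // insertion point, may be at the end
  const j = input.length ? i % input.length : 0;  // index of an existing character
  switch (pick(4)) {
    case 0: return input.length ? input.slice(0, j) + ch() + input.slice(j + 1) : ch();
    case 1: return input.slice(0, i) + ch() + input.slice(i);
    case 2: return input.length ? input.slice(0, j) + input.slice(j + 1) : input;
    default: {
      const donor = SEEDS[pick(SEEDS.length)];
      const a = pick(donor.length);
      const b = a + pick(donor.length - a + 1);
      return input.slice(0, i) + donor.slice(a, b) + input.slice(i);
    }
  }
}

// Oracle. A TypeError means the parser rejected the input, which is fine for
// garbage. Anything else thrown, or a serialisation that is not a fixed point
// when parsed again, is a finding that deserves a human's attention.
function checkOne(input) {
  let first;
  try {
    first = new URL(input).href;
  } catch (e) {
    if (e instanceof TypeError) return { outcome: "rejected" };
    return { outcome: "finding", reason: "unexpected exception: " + e.name };
  }
  try {
    const second = new URL(first).href;
    if (second === first) return { outcome: "accepted" };
    return { outcome: "finding", reason: "round trip changed", first, second };
  } catch (e) {
    return { outcome: "finding", reason: "serialised form does not re-parse", first };
  }
}

// Drive the loop and return statistics rather than printing them, so the
// harness can be checked by a test or reported elsewhere.
function fuzz(iterations, seed = 1) {
  const rng = makeRng(seed);
  const stats = { iterations: 0, accepted: 0, rejected: 0, findings: 0, examples: [] };
  for (let n = 0; n < iterations; n++) {
    let input = SEEDS[Math.floor(rng() * SEEDS.length)];
    const rounds = 1 + Math.floor(rng() * 4);     // stack a few mutations per test case
    for (let r = 0; r < rounds; r++) input = mutate(input, rng);
    const res = checkOne(input);
    stats.iterations++;
    if (res.outcome === "finding") {
      stats.findings++;
      if (stats.examples.length < 5) stats.examples.push({ input, ...res });
    } else {
      stats[res.outcome]++;
    }
  }
  return stats;
}

console.log(JSON.stringify(fuzz(2000, 42), null, 2));
```

A real browser fuzzer differs in scale and in its oracle (crashes and sanitizer reports from the rendering engine rather than a round-trip invariant), but the shape is the same: a corpus, mutators, a deterministic driver so findings reproduce, and a decision rule that separates expected rejection from a bug.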

References

  1. Maone, Giorgio. "NoScript :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
  2. "BetterPrivacy :: Add-ons for Firefox". Mozilla Foundation. [permanent dead link]
  3. Messmer, Ellen and NetworkWorld. "Google Chrome Tops 'Dirty Dozen' Vulnerable Apps List" [permanent dead link]. Retrieved 19 November 2010.
  4. Bradly, Tony. "It's Time to Finally Drop Internet Explorer 6". Archived 15 October 2012 at the Wayback Machine. Retrieved 19 November 2010.
  5. Keizer, Greg. "Firefox 3.5 Vulnerability Confirmed". Archived 28 October 2010 at the Wayback Machine. Retrieved 19 November 2010.
  6. Skinner, Carrie-Ann. "Opera Plugs 'Severe' Browser Hole". Archived 20 May 2009 at the Wayback Machine. Retrieved 19 November 2010.
  7. "Browser". Mashable. Archived from the original on 2 September 2011. Retrieved 2 September 2011.
  8. Smith, Dave (21 March 2013). "The Yontoo Trojan: New Mac OS X Malware Infects Google Chrome, Firefox And Safari Browsers Via Adware". IBT Media Inc. Archived from the original on 24 March 2013. Retrieved 21 March 2013.
  9. Goodin, Dan. "MySQL.com breach leaves visitors exposed to malware". The Register. Archived from the original on 28 September 2011. Retrieved 26 September 2011.
  10. Wong, Clinton. "HTTP Transactions". O'Reilly. Archived from the original on 13 June 2013.
  11. "9 Ways to Know Your PC is Infected with Malware". Archived from the original on 11 November 2013.
  12. "Symantec Security Response Whitepapers". Archived from the original on 9 June 2013.
  13. Palant, Wladimir. "Adblock Plus :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
  14. "Facebook privacy probed over 'like,' invitations". CBC News. 23 September 2010. Archived from the original on 26 June 2012. Retrieved 24 August 2011.
  15. Albanesius, Chloe (19 August 2011). "German Agencies Banned From Using Facebook, 'Like' Button". PC Magazine. Archived from the original on 29 March 2012. Retrieved 24 August 2011.
  16. McCullagh, Declan (2 June 2010). "Facebook 'Like' button draws privacy scrutiny". CNET News. Archived from the original on 5 December 2011. Retrieved 19 December 2011.
  17. Roosendaal, Arnold (30 November 2010). "Facebook Tracks and Traces Everyone: Like This!". SSRN 1717563.
  18. Santos, J. C. S.; Peruma, A.; Mirakhorli, M.; Galstery, M.; Vidal, J. V.; Sejfia, A. (April 2017). "Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird". 2017 IEEE International Conference on Software Architecture (ICSA). pp. 69–78. doi:10.1109/ICSA.2017.39. ISBN 978-1-5090-5729-0. S2CID 29186731.
  19. State of Vermont. "Web Browser Attacks". Archived from the original on 13 February 2012. Retrieved 11 April 2012.
  20. "Windows Rootkit Overview" (PDF). Symantec. Archived from the original (PDF) on 16 May 2013. Retrieved 20 April 2013.
  21. "Cross Site Scripting Attack". Archived from the original on 15 May 2013. Retrieved 20 May 2013.
  22. Zeltser, Lenny. "Mitigating Attacks on the Web Browser and Add-Ons". Archived from the original on 7 May 2013. Retrieved 20 May 2013.
  23. Goodin, Dan (14 March 2013). "Two new attacks on SSL decrypt authentication cookies". Archived from the original on 15 May 2013. Retrieved 20 May 2013.
  24. "beefproject.com". Archived from the original on 11 August 2011.
  25. Santos, Joanna C. S.; Sejfia, Adriana; Corrello, Taylor; Gadenkanahalli, Smruthi; Mirakhorli, Mehdi (2019). "Achilles' heel of plug-and-Play software architectures: A grounded theory based approach". Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ESEC/FSE 2019. New York, NY, US: ACM. pp. 671–682. doi:10.1145/3338906.3338969. ISBN 978-1-4503-5572-8. S2CID 199501995.
  26. "How to Create a Rule That Will Block or Log Browser Helper Objects in Symantec Endpoint Protection". Symantec.com. Archived from the original on 14 May 2013. Retrieved 12 April 2012.
  27. Aggarwal, Varun (30 April 2021). "Breaking: Fake sites of 50 Indian News portals luring gullible readers". Economic Times CIO. Archived from the original on 26 February 2023. Retrieved 26 February 2023.
  28. Soltani, Ashkan; Canty, Shannon; Mayo, Quentin; Thomas, Lauren; Hoofnagle, Chris Jay (10 August 2009). "Flash Cookies and Privacy". SSRN 1446862.
  29. "Local Shared Objects -- 'Flash Cookies'". Electronic Privacy Information Center. 21 July 2005. Archived from the original on 16 April 2010. Retrieved 8 March 2010.
  30. Chee, Philip. "Flashblock :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation. Archived from the original on 15 April 2013.
  31. "Pwn2Own 2010: interview with Charlie Miller". 1 March 2010. Archived from the original on 24 April 2011. Retrieved 27 March 2010.
  32. "Expert says Adobe Flash policy is risky". 12 November 2009. Archived from the original on 26 April 2011. Retrieved 27 March 2010.
  33. Mitchell, John C. "Browser Security Model" (PDF). Archived (PDF) from the original on 20 June 2015.
  34. "Using the HTML5 Fullscreen API for Phishing Attacks". feross.org. Archived from the original on 25 December 2017. Retrieved 7 May 2018.
  35. "Using a Least-Privileged User Account". Microsoft. 29 June 2009. Archived from the original on 6 March 2013. Retrieved 20 April 2013.
  36. "How to Stop an ActiveX control from running in Internet Explorer". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
  37. "Internet Explorer security zones registry entries for advanced users". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
  38. "Out-of-date ActiveX control blocking". Microsoft. Archived from the original on 29 November 2014. Retrieved 22 November 2014.
  39. "Internet Explorer Add-on Management and Crash Detection". Microsoft. 8 October 2009. Archived from the original on 29 November 2014. Retrieved 22 November 2014.
  40. "How to Manage Internet Explorer Add-ons in Windows XP Service Pack 2". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
  41. Conover, Matthew. "Analysis of the Windows Vista Security Model" (PDF). Symantec Corporation. Archived from the original (PDF) on 16 May 2008. Retrieved 8 October 2007.
  42. "Browser Security: Lessons from Google Chrome". Archived from the original on 11 November 2013.
  43. "Report malicious software (URL) to Google". Archived from the original on 12 September 2014.
  44. "Google Safe Browsing". Archived from the original on 14 September 2014.
  45. "5 Ways to Secure Your Web Browser". ZoneAlarm. 8 May 2014. Archived from the original on 7 September 2014.
  46. "Adblock Plus Will Soon Block Fewer Ads". SiliconFilter. 12 December 2011. Archived from the original on 30 January 2013. Retrieved 20 April 2013.
  47. "Securing Your Web Browser". Archived from the original on 26 March 2010. Retrieved 27 March 2010.
  48. Sesterhenn, Eric; Wever, Berend-Jan; Orrù, Michele; Vervier, Markus (19 September 2017). "Browser Security WhitePaper" (PDF). X41D SEC GmbH. Archived (PDF) from the original on 1 February 2022. Retrieved 31 August 2018.
  49. "Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)". Microsoft. 15 October 2017. Archived from the original on 1 September 2018. Retrieved 31 August 2018.