Browser security

Browser security is the application of Internet security to web browsers to protect computer systems, networks, and data, from malware or breaches of privacy. Web browser security exploits often use JavaScript - sometimes with cross-site scripting (XSS)[1] - sometimes with a secondary payload using Adobe Flash,[2] but can also take advantage of many other vulnerabilities (security holes) that are commonly exploited in all web browsers; including Mozilla Firefox,[3] Google Chrome,[4] Opera[5] and Microsoft Internet Explorer.[6]

Security

Web browsers can be breached in one or more of the following ways:

  • Operating system is breached and malware is reading/modifying the browser memory space in privileged mode
  • Operating system has malware running as a background process, which is reading/modifying the browser memory space in privileged mode
  • Main browser executable can be hacked
  • Browser components may be hacked
  • Browser plugins can be hacked
  • Browser network communications could be intercepted outside the machine

The browser may not be aware of any of the breaches above and may show the user that a safe connection has been made.

Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising;[7] collecting personally identifiable information (PII) for either Internet marketing or identity theft; website tracking or web analytics about a user against their will using tools such as web bugs, Clickjacking, Likejacking (where Facebook's like button is targeted),[8][9][10][11] HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs);[2] installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware, including online banking theft using man-in-the-browser attacks.

Vulnerabilities in the web browser software itself can be minimized by keeping browser software updated,[12] but this will not be sufficient if the underlying operating system is compromised, for example by a rootkit.[13] Some subcomponents of browsers such as scripting, add-ons, and cookies are particularly vulnerable ("the confused deputy problem") and also need to be addressed.

Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.

Browsers can use more secure methods of network communication to help prevent some of these attacks:

Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.

Plugins and extensions

Although not part of the browser per se, browser plugins and extensions extend the attack surface, exposing vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, Java plugin, and ActiveX that are commonly exploited. Malware may also be implemented as a browser extension, such as a browser helper object in the case of Internet Explorer.[14] Browsers like Google Chrome and Mozilla Firefox can block—or warn users of—insecure plugins.

US-CERT recommends blocking Flash using NoScript.[15] Charlie Miller recommended "not to install Flash"[16] at the computer security conference CanSecWest. Several other security experts also recommend either not installing Adobe Flash Player or blocking it.[17]

Privacy

Flash

An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also employing Flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were lacking.[18] Most browsers' cache and history suppression or deletion functions do not affect the Local Shared Objects that Flash Player writes to its own cache, and the user community is much less aware of the existence and function of Flash cookies than of HTTP cookies.[19] Thus, users who have deleted HTTP cookies and purged browser history files and caches may believe that they have purged all tracking data from their computers when in fact Flash browsing history remains. As well as manual removal, the BetterPrivacy addon for Firefox can remove Flash cookies.[2] Adblock Plus can be used to filter out specific threats,[7] and Flashblock can be used to give the user an option before allowing content on otherwise trusted sites.[20]

Browser hardening

Browsing the Internet as a least-privilege user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser to compromise the whole operating system.[21]

Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control.[22] Google Chrome followed suit in 2011.[23]

Google Chrome provides a sandbox to limit web page access to the operating system.

There are third-party extensions and plugins available for some older browsers and operating systems to harden them. Whitelist-based software such as NoScript can block JavaScript and Adobe Flash, which are used for most attacks on privacy, allowing users to enable them only on sites they know are safe. AdBlock also uses whitelist-based ad filtering rule subscriptions, though both the software itself and the filtering list maintainers have come under controversy for allowing some sites to pass the pre-set filters by default.[24]
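The allowlist behaviour described above, written out as an added example (this is not NoScript's or Flashblock's own code): trusted pages and sources are named in a list, anything involving an untrusted party is denied by default, with scripts blocked outright and Flash held back until the user clicks. The hosts and the allowlist format (a bare host covers its subdomains; an entry with a scheme matches only that scheme) are assumptions made for the example.

```javascript
// Added example, not NoScript's or Flashblock's code. Assumption: the
// allowlist holds hosts the user trusts; "https://bank.example" matches
// only https on that host, a bare "cdn.example" also covers subdomains.
function entryMatches(entry, url) {
  const u = new URL(url);
  let scheme = null, host = entry;
  if (entry.includes("://")) {
    [scheme, host] = entry.split("://");
    scheme += ":"; // URL.protocol keeps the trailing colon
  }
  if (scheme !== null && u.protocol !== scheme) return false;
  // Exact host or a subdomain; "evil-bank.example" does not match "bank.example".
  return u.hostname === host || u.hostname.endsWith("." + host);
}

function trusted(url, allowlist) {
  return allowlist.some((entry) => entryMatches(entry, url));
}

// Decide what happens to one piece of active content.
// kind: "script" or "flash"; pageUrl: the top-level document;
// srcUrl: where the script or SWF would be loaded from.
function decide(kind, pageUrl, srcUrl, allowlist) {
  if (trusted(pageUrl, allowlist) && trusted(srcUrl, allowlist)) return "allow";
  // Default-deny: scripts are blocked outright; Flash is held until the
  // user clicks, as Flashblock does. Trusting the bank therefore does not
  // implicitly trust every third-party tracker the bank's page embeds.
  return kind === "flash" ? "click-to-play" : "block";
}

// Audit every active element of a page and attach the decision to each.
function auditPage(pageUrl, elements, allowlist) {
  return elements.map((el) => ({ ...el, action: decide(el.kind, pageUrl, el.src, allowlist) }));
}

// Constructed sample data with hypothetical hosts.
const ALLOWLIST = ["https://bank.example", "cdn.example"];
const PAGE_URL = "https://bank.example/login";
const ELEMENTS = [
  { kind: "script", src: "https://bank.example/app.js" },       // allow
  { kind: "script", src: "https://static.cdn.example/lib.js" }, // allow (subdomain)
  { kind: "script", src: "https://tracker.example/t.js" },      // block
  { kind: "flash",  src: "https://ads.example/banner.swf" },    // click-to-play
];

console.log(auditPage(PAGE_URL, ELEMENTS, ALLOWLIST));
```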

References

  1. Maone, Giorgio. "NoScript :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation. http://addons.mozilla.org/firefox/addon/noscript.
  2. NC (Social Science Research Network). "BetterPrivacy :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation. http://addons.mozilla.org/firefox/addon/betterprivacy.
  3. Keizer, Greg. "Firefox 3.5 Vulnerability Confirmed". Retrieved 19 November 2010.
  4. Messmer, Ellen and NetworkWorld. "Google Chrome Tops 'Dirty Dozen' Vulnerable Apps List". Retrieved 19 November 2010.
  5. Skinner, Carrie-Ann. "Opera Plugs 'Severe' Browser Hole". Retrieved 19 November 2010.
  6. Bradly, Tony. "It's Time to Finally Drop Internet Explorer 6". Retrieved 19 November 2010.
  7. Palant, Wladimir. "Adblock Plus :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation. http://addons.mozilla.org/firefox/addon/adblock-plus.
  8. "Facebook privacy probed over 'like,' invitations". CBC News. September 23, 2010. Retrieved August 24, 2011.
  9. Albanesius, Chloe (August 19, 2011). "German Agencies Banned From Using Facebook, 'Like' Button". PC Magazine. Retrieved August 24, 2011.
  10. McCullagh, Declan (June 2, 2010). "Facebook 'Like' button draws privacy scrutiny". CNET News. Retrieved December 19, 2011.
  11. Roosendaal, Arnold (November 30, 2010). "Facebook Tracks and Traces Everyone: Like This!". http://ssrn.com/abstract=1717563. Retrieved September 27, 2011.
  12. State of Vermont. "Web Browser Attacks". http://itsecurity.vermont.gov/threats/web_attacks. Retrieved April 11, 2012.
  13. https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
  14. "How to Create a Rule That Will Block or Log Browser Helper Objects in Symantec Endpoint Protection". Symantec.com. http://www.symantec.com/business/support/index?page=content&id=TECH94965. Retrieved 12 April 2012.
  15. "Securing Your Web Browser". Archived from the original on 26 March 2010. http://www.us-cert.gov/reading_room/securing_browser/. Retrieved 2010-03-27.
  16. "Pwn2Own 2010: interview with Charlie Miller". 2010-03-01. http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/. Retrieved 2010-03-27.
  17. "Expert says Adobe Flash policy is risky". 2009-11-12. http://news.cnet.com/8301-27080_3-10396326-245.html. Retrieved 2010-03-27.
  18. Soltani, Ashkan; Canty, Shannon; Mayo, Quentin; Thomas, Lauren; Hoofnagle, Chris Jay. "Flash Cookies and Privacy". 2009-08-10. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862. Retrieved 2009-08-18.
  19. "Local Shared Objects -- 'Flash Cookies'". Electronic Privacy Information Center. 2005-07-21. Archived from the original on 16 April 2010. http://epic.org/privacy/cookies/flash.html. Retrieved 2010-03-08.
  20. Chee, Philip. "Flashblock :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation. http://addons.mozilla.org/firefox/addon/flashblock.
  21. http://technet.microsoft.com/en-us/library/cc700846.aspx
  22. Conover, Matthew. "Analysis of the Windows Vista Security Model". Symantec Corporation. http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf. Retrieved 2007-10-08.
  23. Google (September 1, 2008). "Google Chrome". http://www.gamesforthebrain.com/google-chrome/26. Retrieved September 3, 2008. [dead link]
  24. http://siliconfilter.com/adblock-plus-will-soon-block-fewer-ads-by-default-allow-non-intrusive-ads/