Slashdot Mirror
There Is No Safe Web Browser
Michael writes "David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe. The article details the recent Netscape fiasco, and touches on the whole Firefox/Internet Explorer debate. From the article: 'So if it sounds as if we're all at the mercy of hackers just looking for some new challenge, that's partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles' heel: They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.'"
As is telnetting to port 80 and interpreting the HTML in your head.
While I understand the point that Mr. Sheets is making, however, I disagree with his definition of safe.
The implication of this article stems in the absolutes of security: can it ward off intruders or not. This is a flawed approach, and while seemingly a logical one, denounces another reality of this level of breach: the lion's share of these breaches are not of the most malicious sort (read: that stupid data miner which causes popups, search bars from hell, etc). These kind of easily hackable sections of Internet Explorer are less prevalent in Firefox. Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate.
One must acknowledge the reality of security by statistics alongside security by absolutes.
The Crimson Dragon
I'd say this one is fairly safe...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe
No program that accepts input is safe. Even some programs that don't accept input aren't safe either. It is the nature of how complex software really is and how little of it we understand.
...at least not one you'd want to use. Sorry people, Linux is not "safe." Mac OS/anything is not "safe." There are a very few OSs that are pretty safe, but the only reason Mac and Linux fans can brag right now is that they're ignoring all the patches, hacks, etc that already exist for their OS of choice.
TW
I think that this author has finally gotten it right. Note the increasing instances of popup ads that are tailored for firefox users etc.
As firefox gains in popularity, expect that the number of exploits aimed towards it will continue to rise.
That being said, the nice thing about firefox (and OSS), is that lots of eyeballs can look at, and fix, the code in a timely manner.
I'd give this article an Obvious -1 simply because it is axiomatic, and everybody should have realized by now that There is no 'safe' web browser. Especially how after it was demonstrated that a Firefox exploit allowed infection of IE when IE itself would have blocked the malware site. Cute!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Perhaps it needed to be said, but it seems to me like this post is a statement of the obvious.
I'm sure I'll be modded down for just posting my blunt thoughts in responst to the post.
Newsflash! There's no such thing as perfect security, who would have thought it? Whether it be through a flaw in the code (which we all try to fix, when they are found), or stupid users running crap they oughtn't.
I for one use Firefox, because it is MUCH more secure than IE. It may not be perfect, but it's by far good enough for regular use.
That's like saying that houses aren't secure, even the new model homes with electronic alarm systems. No crap, but that doesn't mean sell the alarm systems and leave your front door unlocked (like IE).
-Jesse, disliking alarmist poop articles.
Nothing says "unprofessional job" like wrinkles in your duct tape.
When a webbrowser is integrated with the OS, this greatly increases the ways a hacker can damage the system. Hence, while no browser is secure, one can is MORE secure simply because it is NOT woven into the OS. Of course, having updates frequently and being in more active development are good things as well.
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
Don't forget to wear a condom for safe browsing...
Lynx had its fair share of vunerabilities also ....
Browsers can be totaly safe, as much as I hate to say it, IE can be pretty safe too. just follow these rules:
1:USE A FIREWALL
2: update your browser
3:disable ActiveX, any site that uses it is a site you should learn to live without.
4: (the one most often broken) DONT CLICK YES ALL THE TIME, warnings are there for a reason.
5: Dont DL and run STUPID executables
Most Browsers do a decent job of protecting you fron the bad stuff, but NOTHING can protect you from yourself, short of cutting the cable, and if you do that, dont run with scisors
Nobody is perfect => there is no perfectly safe browser, or any other type of application. What app, besides maybe "hello world", has never ever needed a security patch?
v =270
http://www.vrlteam.org/home.asp?vrl=advisories&ad
"It's too bad that stupidity isn't painful." - Anton LaVey
if you don't do proper bounds-checking on your "hello world" array, then you need a security patch...
[ducks and runs...]
I have something in common with Stephen Hawking...
All these "IE vs. Mozilla" or "IE vs. FireFox" or "Netscape vs. IE" or "Opera vs. IE" discussions (pick your poison) are irrelevant.
First off, it amazes me that I have run across paranoid *NIX sys admin friends who are very mindful of what runs as "root" on servers they control but then turn around and operate day to day on Windows desktops as an administrator.
Well, gee dip sh*ts, no wonder you're screwed if rogue code enters your system.
If people used limited accounts and then used impersonation (ever hear of "runas") under Windows, all of these discussions would go the way of the dodo bird.
More to the point they would be TRULY irrelevant. Sure send me to some baddie site, won't do much on my system. Whatever malware sent down the pipe to me can't do anything to change my system (C:\WINDOWS).
This is how I operate, i.e. a limited account desktop. The admin account is just that, for ADMINISTRATION, e.g., setting up new apps.
Amazingly, this approach is "novel" among even tech types since I keep hearig these discussions even on Slashdot.
The principle of least privilege is ANCIENT. Impersonation is part of Windows. Just as it is with other OSes.
The Windows NT kernel has had security since its inception. On the file system, registry as well as synchronization mechanisms such as mutexes, semaphores, etc.
Do you want to know why MS doesn't leverage it? Cost. Plain and simple. If WinAmp (which doesn't work under a limited account) stops working for someone on account of MS automatically setting up limited accounts for people, guess who is likely to start receiving support calls? "But it always worked on Windows 9x!!!"
Yes, it boils down to money. This is NOT a technical problem. MS alongside companies peddling its wares (Dell, Gateway et al) simply do not want to deal with the potential legacy costs of supporting misbehaved apps and/or apps whose designers were myopic and assumed the ability to write to any part of the file system and/or registry.
The great thing is, even with a limited account desktop you can still readily run WinAmp. You just have to know how.
All of this seems like "rocket science" to everyone. And I guess it is, since this discussion keeps rearing its head, namely browser security. The point is, a browser is another app that inherits default credentials from your login. Don't operate as administrator geniuses (sarcasm in case you didn't figure that out).
In the case of WinAmp. I simply defined an admin account that I leverage to run that application on my limited desktop (use the command line "runas" facility or change the properties on the shortcut through the "Advanced" button). I might mention that Shoutcast servers are capable of sending URLs (think JavaScript) that WinAmp will readily execute via IE totally disrespecting your browser choice. So taking another page from what Windows has offered from the start, I changed the ACLs for the IE executable such that my "WinAmp User" has absolutely no rights to the IE executable. Not even the ability to read that file. In this manner I short circuit this potential threat vector. In addition I changed the ACLs on C:\WINDOWS and some other directories so that this "WinAmp User" could only read from these directories.
Here's the moral of the story folks, use a limited account. Plain and simple. End of story. End of this not very worthwhile discussion (among tech people).
Yes I use LINUX, I use Cygwin's X server and readily use LINUX Mozilla complements of the latter. Not just a little, a lot. This IN ADDITION to the fact that I use a limited account for day to day activities.
I have never had spyware or a virus on my system. EVER.
-M
"Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate."
If 1 hack hits 90% of the market, spending more money to get a hack for the rest may not be worth the effort even if Firefox has as many holes as IE. Simple economics.
Vote for Pedro
It's really rather sad that we've given in to the idea that writing secure large-scale software is essentially impossible. It's not. It's only impossible in the paradigm we use.
Here is how security works on every major OS and in every major programming language today:
Here's how it should work:
This is called Capability-Based Security. Hopefully it is easy to see why the latter would make security much easier to manage. If not, you can read this discussion of the concept.
CBS allows you to execute code without trusting it. In Unix, you'd have to create a new user with no permissions to run your code, which is way too much work for most purposes. In CBS, you can set up every single program to have a different set of permissions based on that program's needs. Furthermore, the program can internally manage those capabilities to insure that only a small amount of the program's own code has access to them. Then, as long as that code is secure, the program is secure, but even if it isn't, the worst it can do is abuse the capabilities you explicitly gave it.
How does this relate to web browsers? Well, a web browser really only needs the capability to render to its GUI window, read its install files, and read/write its config and cache. So don't give it any capabilities beyond that. Voila, now it does not matter what malicious program takes over your web browser, because it can't do a thing to your system.
Konqueror mostly, Mozilla on ocassion, Firefox on lesser occasions. I tend to like the swiss army knife abilities of konqueror (ftp, fish, far better tab control than Firefox without installing extensions, overall integration with kde, etc) over Mozilla and Firefox. I guess I pick Mozilla over Firefox because of composer and I'm just used to Mozilla a lot more than Firefox simply due to familiarity and length of use.
What I can state is that since I've been using Konqueror (khtml, like Apple's browser) on Linux, I've never had an issue with spyware or adware. Never. I've never had a problem with security, even though there have been security alerts for konqueror as well as the other browsers. Konqueror makes it simple to surf without images turned on (one button click on top of window without going into drop down boxes to turn images on), makes it simple to surf without javascript turned on (simple and fast two step process to turn it on for a web site, can specify in settings which web sites to turn on javascript by default if needed regularly), and makes it a satisfying all-around experience in using the web.
I help adjust/maintain/bugfix windows for another user and I just can't understand how windows users can possibly put up with the spyware/adware. Taking a look at server logs, I can't believe how many people's browsers are infected with FunWeb, something else "Fun", and other spyware.
If you are a windows user, do yourself a favor and visit a friend's website (after alerting them) and ask them to send you a copy of the log entry from your visit. If your browser is infected with spyware, it just may show up as part of the browser identifier.
The ability of spyware/adware to infect a windows computer is a serious security problem. If you've been infected, you are running a system that is insecure. Please re-read that last sentence. If you've been infected with spyware/adware, you are running a system that is insecure.
I telnetted to port 80 once, and interpreted the HTML in my head.
Unfortunately there was a infinitely recursive Java script function on there.
I'm still not quite myself.
The Internet is full. Go Away!!!
Why would this not happen (or at least happen far less frequently) on OS X? Because none of the services are enabled by default. Samba, AFP, SSH, Apache, everything is off. In order to infect a Mac OS X machine, it would take more social engineering than to infect a Windows machine. A Mac OS X user, to really, really do harm to the entire system, has to be tricked into entering his administrator password, even if he is logged in as an administrator.
Microsoft has acknowledged this flaw. They want to transition users to a model of the lowest possible privilege assignment. If a user doesn't need to be an administrator, he shouldn't be. Unfortunately, as Microsoft has also acknowledged, there is too much poorly-designed Windows software that won't run unless the user is an administrator (even though the software does nothing that requires administrative privileges
In Mac OS X, software installers must acquire administrative rights by getting the user to authenticate as an admin if they want to write to anything that isn't in the current user's space. Apple encourages developers to avoid having the user authenticate authenticate at all costs and to only attempt to gain admin privileges if absolutely necessary. That is smart design, and since it's been that way since 10.0, there aren't very many applications that absolutely require an administrator for no reason.
The FIRST aspect of "security" is limiting the avenues of attack. You sort of touched on that, but I'll say it explicitly.
If FireFox doesn't run ActiveX, then that is one avenue that is NOT available for an attack.
As others have pointed out, lynx is very secure and that is because it completely blocks so many avenues of attack.
Exactly. Now, from TFA:
If they say that, then they are wrong.
Look at the typical junkie on the street. He's be happy to rob a bank. But the bank's security system is beyond his capabilities to SUCCESSFULLY attack.
So he picks easier targets with LOWER payoffs (mugging pedestrians).
Which brings me to the SECOND aspect of security: Build the defenses on the available avenues to defeat the attacks.
Sure, there are criminals out there who can pick any lock and defeat any alarm system. But they are very few and very far between. The odds that you, specifically, will be targetted by one of them is less than the odds of you winning the lottery.
So, contrary to what TFA says, crime will NOT find you if it wants you bad enough. It has to want you bad enough AND be intelligent enough AND be skilled enough.
Sort of. More accurately, they're lazy. The "vast majority" will NOT spend time and effort to learn how to bypass alarm systems. If there's an easier target, they'll go for it.
If your (and your neighbor's) defenses are more than they can bypass, they'll leave the area.
No. While it is more "convenient", that is NOT the reason that IE is subject to all the attacks.
The reason is that the level of skill/intelligence required to successfully attack IE is SO VERY LOW. ANYONE with a bit of programming skill can write an exploit for IE.
Sure, any junkie can get a knife, and a knife is good enough for a mugging. But that knife isn't going to get you very far in a bank robbery.
Again, it isn't about the POTENTIAL targets.
It's all about the AVAILABLE targets in your SKILL RANGE.
Which is why Open Source has such a great security rep. There aren't any market forces or deadlines to deal with. It's ready when it is ready.
This gets back to your statement on statistics and "the absolutes of security".
Sure, my system is vulnerable.
An attacker has to get to Seattle.
And into the office building.
And disable the cameras.
And disable the alarm system.
And break into the office.
And blow the server room door.
And then steal the server.
I'm not losing any sleep.
Is anyone aware of any Safari (OS X web browser) vulnerabilities, especially exploited ones?
I think the fact that OS X throws up an auth login whenever any app tries to access a directory that the current user doesn't own, pretty much makes casual takeover difficult, even by an insecure web browser...