Slashdot Mirror


'Extreme Security' Web Browsing

Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measures to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"

16 of 267 comments

  1. Not sure how "secure" this scheme is... by TripMaster Monkey · · Score: 5, Insightful

    How exactly is this strategy going to protect you from a keylogger?

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Not sure how "secure" this scheme is... by Kranfer · · Score: 4, Insightful

      Personally, I don't think it will. A keylogger is a keylogger... I have never seen one attached to a specific browser... usually just logs everything... How can it protect you? The fuzzy pink bunnies in your mind think that you are fooling the bad people on the internet who use myspace and livejournal from getting your data and setting up a fake "you" page only to trick your friends... Or stealing your credit card #'s and buying a nice new BMW all in your name... I could use a BMW though :/

      --
      -- Josh
      "Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
    2. Re:Not sure how "secure" this scheme is... by Anonymous Coward · · Score: 5, Funny

      Knoppix...what version of Windows is this knoppix thing? I don't understand...

    3. Re:Not sure how "secure" this scheme is... by darthflo · · Score: 4, Interesting

      That'd help.
      Unless somebody really wants your data

    4. Re:Not sure how "secure" this scheme is... by ZombieWomble · · Score: 5, Insightful
      Well, looking at the article itself (I know, I know, heresy), the point is that there are whole classes of attacks (specifically "Cross Site Request Forgery" attacks, the focus of this article) which require significant effort on the part of websites to defend against, but which are trivially defended against by having users make a point of not accessing secure and insecure sites at the same time.

      It's in no way presented as a solution to all security on the internet, but a way of addressing one specific class of problems in a simple manner with a minimum of effort. Unfortunately there's plenty of sufficiently smug people on /. who will continue to repeat this idea in this discussion without even glancing at the article.
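      The mechanism ZombieWomble is pointing at is worth seeing in miniature: a browser attaches the bank's session cookie to every request it sends to the bank, no matter which page triggered that request. The following is an added illustration, not code from this thread or from the CSO article; every name in it (Browser, BankServer, bank.example, evil.example, the users) is a constructed stand-in. It compares a forged cross-site request sent from a shared browser, from a separate browser with its own cookie jar, and against a server that also checks a per-session CSRF token.

```python
"""Toy model: why a separate browser blunts CSRF, and what the server-side
defence looks like. Added illustration with constructed names throughout."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BANK = "bank.example"       # constructed hostname
ATTACKER = "evil.example"   # constructed hostname


@dataclass
class Request:
    host: str
    path: str
    cookies: Dict[str, str]
    origin: str                      # origin of the page that initiated it
    form: Dict[str, str] = field(default_factory=dict)


class BankServer:
    """Authorises a transfer on the session cookie; optionally also demands
    the per-session CSRF token that only the bank's own pages can embed."""

    def __init__(self, require_token: bool) -> None:
        self.require_token = require_token
        self.sessions: Dict[str, str] = {}   # session id -> user
        self.tokens: Dict[str, str] = {}     # session id -> CSRF token
        self.transfers: List[Tuple[str, str, int]] = []

    def login(self, user: str) -> Dict[str, str]:
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_hex(8)
        return {"session": sid}              # what Set-Cookie would carry

    def token_for(self, sid: str) -> str:
        return self.tokens[sid]

    def transfer(self, req: Request) -> str:
        sid = req.cookies.get("session", "")
        user = self.sessions.get(sid)
        if user is None:
            return "401 no session"
        if self.require_token and req.form.get("csrf") != self.tokens[sid]:
            return "403 bad csrf token"
        self.transfers.append((user, req.form["to"], int(req.form["amount"])))
        return "200 ok"


class Browser:
    """One browser (or one Firefox profile) = one cookie jar. Cookies for a
    host ride along on every request to that host, whoever initiated it."""

    def __init__(self) -> None:
        self.jar: Dict[str, Dict[str, str]] = {}

    def set_cookies(self, host: str, cookies: Dict[str, str]) -> None:
        self.jar.setdefault(host, {}).update(cookies)

    def request(self, host: str, path: str, origin: str,
                form: Optional[Dict[str, str]] = None) -> Request:
        return Request(host, path, dict(self.jar.get(host, {})), origin, form or {})


def forged_transfer(separate_browser: bool, require_token: bool) -> str:
    """Alice is logged in to the bank; a page on evil.example auto-submits a
    transfer form to the bank. Returns the bank's response."""
    bank = BankServer(require_token)
    banking = Browser()
    banking.set_cookies(BANK, bank.login("alice"))
    # The attacker's page loads either in the same browser as the banking
    # session (shared cookie jar) or in a separate "promiscuous" one.
    promiscuous = Browser() if separate_browser else banking
    forged = promiscuous.request(BANK, "/transfer", origin=ATTACKER,
                                 form={"to": "mallory", "amount": "1000"})
    return bank.transfer(forged)


def legitimate_transfer(require_token: bool) -> str:
    """Alice submits the bank's own form, which carries the CSRF token."""
    bank = BankServer(require_token)
    banking = Browser()
    cookies = bank.login("alice")
    banking.set_cookies(BANK, cookies)
    form = {"to": "bob", "amount": "50", "csrf": bank.token_for(cookies["session"])}
    return bank.transfer(banking.request(BANK, "/transfer", origin=BANK, form=form))


if __name__ == "__main__":
    print("shared browser, no token check:   ", forged_transfer(False, False))
    print("separate browser, no token check: ", forged_transfer(True, False))
    print("shared browser, token required:   ", forged_transfer(False, True))
    print("legitimate, token required:       ", legitimate_transfer(True))
```

      The two defences are independent: the separate browser works because the forged request arrives with no session cookie at all, while the token check works because the attacker's page cannot read the token the bank embedded in its own form. A site that verifies the token (or the request's origin) protects users who never heard of the two-browser habit; the habit protects users of sites that never added the check.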

    5. Re:Not sure how "secure" this scheme is... by hawkinspeter · · Score: 5, Insightful

      There are easy methods to defeat a keylogger though most of them rely on the server side. Asking for only certain characters from a password (e.g. characters 1,4,8 & 9); virtual screen keyboards (just mouseclicks are recorded); drop down lists to select characters.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    6. Re:Not sure how "secure" this scheme is... by pyite · · Score: 5, Interesting

      This will just cause people to write down their passwords.

      And what, exactly, is wrong with this? Bruce Schneier offers the following wisdom:

      I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    7. Re:Not sure how "secure" this scheme is... by geminidomino · · Score: 5, Funny

      why even bother with a "promiscuous" browser at all? I prefer my security to be 100% at least 100% of the time. Translation: My computer is on the top shelf of my closet, the keyboard is stored off-site, and the power cord has been cut into 8 separate pieces, hidden in the 8 underworld dungeons spread across Hyrule.
    8. Re:Not sure how "secure" this scheme is... by Bender0x7D1 · · Score: 4, Insightful

      Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.

      Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    9. Re:Not sure how "secure" this scheme is... by moonbender · · Score: 4, Funny

      Yes but then again Bruce Schneier's password has so much entropy, that gzipping it results in a stream sixty four times as long. And yet he can type it with a single roundhouse kick to the keyboard.

      --
      Switch back to Slashdot's D1 system.
    10. Re:Not sure how "secure" this scheme is... by m-wielgo · · Score: 5, Informative

      What you can do instead of using multiple browsers, is use separate Firefox profiles using MOZ_NO_REMOTE=1. I explain this technique in a blog entry, Using multiple Firefox profiles simultaneously to guard against CSRF attacks

      This technique would be almost equivalent to using multiple browsers, and I don't know why Jeremiah hasn't caught onto it. I and several others have been proposing others do the same for a while now. You can further enhance the security by running different Firefox profiles under different users. I included links to what others like Joanna Rutkowska do on Vista with IE7, Firefox, and Thunderbird.
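      A small launcher for the profile approach described in this comment, added here as an example and not the code from m-wielgo's blog entry. It assumes the second profile has already been created (running `firefox -P` with no name opens the profile manager) and that the installed Firefox honours `-no-remote` / `MOZ_NO_REMOTE`, which is what the comment relies on; the profiles.ini path and the sample ini text are constructed for the illustration. The point of checking profiles.ini first is that a misspelt profile name would otherwise silently drop you into the default profile, the shared cookie jar you were trying to avoid.

```python
"""Run a second, isolated Firefox profile next to the one already open.
Added example; profiles.ini sample and path below are constructed."""
import configparser
import os
import subprocess
from typing import List, Optional

# Constructed sample of ~/.mozilla/firefox/profiles.ini.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=abcd1234.default
Default=1

[Profile1]
Name=banking
IsRelative=1
Path=efgh5678.banking
"""


def profile_names(ini_text: str) -> List[str]:
    """Names of the profiles listed in a profiles.ini file."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return [cp[s]["Name"] for s in cp.sections()
            if s.startswith("Profile") and cp.has_option(s, "Name")]


def launch_command(profile: str, ini_text: str) -> Optional[List[str]]:
    """Command line for an isolated instance of `profile`, or None if no
    such profile exists (so we never fall through to the default one)."""
    if profile not in profile_names(ini_text):
        return None
    # -no-remote: do not hand the request to the already-running instance;
    # start a new process with its own profile, cookie jar and session state.
    return ["firefox", "-no-remote", "-P", profile]


def launch(profile: str,
           ini_path: str = "~/.mozilla/firefox/profiles.ini") -> subprocess.Popen:
    """Start the isolated profile; raises rather than guessing a profile."""
    with open(os.path.expanduser(ini_path), encoding="utf-8") as fh:
        cmd = launch_command(profile, fh.read())
    if cmd is None:
        raise ValueError(f"no Firefox profile named {profile!r}")
    # MOZ_NO_REMOTE=1 is the environment-variable form the comment mentions;
    # setting both keeps the instance separate whichever one the build reads.
    env = dict(os.environ, MOZ_NO_REMOTE="1")
    return subprocess.Popen(cmd, env=env)


if __name__ == "__main__":
    import sys
    launch(sys.argv[1] if len(sys.argv) > 1 else "banking")
```

      Running the banking profile under a different OS user, as the comment suggests, adds file-system separation on top of the cookie-jar separation: a compromise of the everyday profile then cannot read the banking profile's stored cookies or passwords either.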

  2. That's nothing by east coast · · Score: 5, Funny

    I browse the web via correspondence.

    That's right. I snail mail the institutions for the answers I seek and they write me back after looking it up on the web.

    Even this post was done via correspondence. I mailed this letter to CmdrTaco a couple of days back and let him know to post my thoughts on the matter when the article hit the front page.

    --
    Dedicated Cthulhu Cultist since 4523 BC.
    1. Re:That's nothing by polar red · · Score: 5, Funny

      Doesn't protect you from the man-in-the-middle attack though ...

      --
      Yes, I'm left. You have a problem with that?
  3. 'Extreme Safety' driving by MagicM · · Score: 5, Funny

    I do the same thing when I have to go somewhere. I have two cars, one that's reliable, and one rusty piece of crap that's ready to fall apart any minute. When I need to go somewhere important, I take my reliable car so I know I won't die before I get there. When I just need to take a quick trip to the grocery store, I take my junk car and just cross my fingers.

  4. confusing web security with girl-friend security by oni · · Score: 5, Insightful

    What he's describing is not a way of keeping your computer safe, it's a way of hiding porn from your girlfriend. You use some browser that she's never heard of for all your illicit surfing. Then, she fires up your computer and starts running IE, she looks in your history and sees slashdot and CNN or whatever and doesn't think you're a pervert (which you are).

    It's also a good idea to have "honeypot porn" which is basically, a few very innocuous sites that you visit in IE that you intentionally want her to find - because once she starts looking, she's going to keep looking until she finds something. Best to give her something to find. Let her think you go to maxim.com or something.

  5. Re:thats annoying... by FredFredrickson · · Score: 5, Insightful

    I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful. That makes as much sense as only wearing the bullet proof vest when you're doing non-dangerous activities.

    If anything, I'd do it the other way around. Promiscuous browsing on IE will certainly get you infected (ever open a pron site with IE? I haven't in years, and I don't plan to start now- even if those exploits have been fixed). Iexplorer is the only browser I can remember that would just let a virus download and install itself while you battled 80 popups. I understand Iexplorer7 is slightly better, but come on- that's what people are targeting, new exploits will come up.

    I do things exactly opposite. I use opera for all my browsing, and nothing gets through. Then I load up internet explorer for my online banking. (my bank requires IE). I see no danger in that, because internet explorer is clean when I do it, thanks to the fact I never use it (and I clean my system regularly) with hijack this and pv and what not.
    --
    Belief? Hope? Preference? The Existential Vortex