Browser Safety and Privacy - Next Stage

Any other tech-related topics
Post Reply
Message
Author
Stoik
Posts: 83
Joined: Fri Jan 29, 2016 12:25 pm

Browser Safety and Privacy - Next Stage

#1 Post by Stoik »

I have a strategic thought,
and I would like to get some feedback.

Why are browsers themselves not like firewalls ?
Meaning: a one way street in the flow of information, unless I explicitly give permission otherwise.
Any information that I asked for can come in,
but for any information to go out from my PC - there has to be a popup
asking me for my permission (one off, or permanent).

Currently I am most worried about extensions (Chrome) and web-extensions (FireFox).
When You give them the almost universal permission to "read all the data on the websites you visit",
the extension developer can easily obtain your online banking password, email password (e.g. for Gmail), etc. Scary !
The fact that extension developers have to sign extensions now does not make this any safer.
What is to prevent a crook from signing an extension with "Victor Bakayev" today (a fake identity),
and when he is caught stealing banking passwords he can just resubmit a similar extension under another fake name.

The "firewall principle" from above would change this in the following way:
the extension can use the processing power of your PC to do it's work (e.g. AdBlock to clean up the page),
but the extension is prevented from sending any information out - unless You permit it.
There would be a new permission to "send information out".

Bad guys are already using Your processing power, and then sending themselves the results, example - crypto mining.
The "firewall principle" from the paragraph above would prevent this.

Oh, You will say, but a web site needs to read it's cookies from Your PC to cater to Your preferences, e.g. when shopping on Amazon.
Well, let them save these few bits of information on their servers, they save so much information on You anyways !

By the way, slightly related and slightly unrelated: have You noticed what I security disaster these online "portable installers" can be. Most of them are used by disreputable sites, but even our saintly John Haller is sometimes forced to use them to respect the owners rights, e.g. (I think) Process Explorer and AutoRuns. Off course, I trust John Haller and SysInternals, no problem. But You have to open the firewall to the installer to download and install whatever it wants. In contrast, when You download a complete portable installer package (program + portablizer), like John Haller's FireFox, You can first virus-scan it with Your engine or two (I use Windows Defender and WinClam portable), then if in doubt I can VirusTotal scan it online with 66 engines, and only then will I choose to proceed.

What do You guys (and girls) think about the "browser as firewall" issue,
and the extension permission "to send information out". Is this feasible ?
If it is, how (where) can we contact the strategic gurus of FireFox or Chromium ?

User avatar
SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Browser Safety and Privacy - Next Stage

#2 Post by SYSTEM »

No, it's not really feasible.

HTTP is a two-way protocol. A client requests a page and the server responds with it. Any add-on that needs to perform HTTP requests (e.g. an ad blocker, in order to download filter lists) can stuff anything it wants into the requests.

It might be good if ability to send/receive data from the Internet was a separate extension permission, but I think nearly all extensions need it.
My YouTube channel | Release date of my 13th playlist: August 24, 2020

Stoik
Posts: 83
Joined: Fri Jan 29, 2016 12:25 pm

Re: Browser Safety and Privacy - Next Stage

#3 Post by Stoik »

System from Helsinki, thank You.

I get it: an adblocker makes a "request" to download filter lists (data going out)
and it can put anything it likes in that "message" (including your private information).

Then, where do You see the next strategic improvement ?
That, perhaps, the most popular extensions are included in the browser as new features ?
Anything signed by Mozilla should not be a security risk.

User avatar
SYSTEM
Posts: 2041
Joined: Sat Jul 31, 2010 1:19 am
Location: Helsinki, Finland

Re: Browser Safety and Privacy - Next Stage

#4 Post by SYSTEM »

Browsers implementing features natively instead of using third-party extensions would be good, indeed.

Native adblockers are unlikely, though. With the exception of Apple and Microsoft, browser developers get their money from ads. (In particular, search engines such as Google and Yahoo pay Mozilla for searches.) An adblocker would be against their own best interests.
My YouTube channel | Release date of my 13th playlist: August 24, 2020

Stoik
Posts: 83
Joined: Fri Jan 29, 2016 12:25 pm

Re: Browser Safety and Privacy - Next Stage

#5 Post by Stoik »

System,

When You put it like that about the economic interests of the browser developers, and consider the logical next step or two (the "consequence"), then it is in the best interest of the browsers to be very "leaky" with Your information. Just find buyers, and the industry will love and endorse the most leaky browsers.

It is like princess Dianna's butler, who is collecting all the information on her and selling it to the best paying tabloids. He pretends to be working for her, but is actually working for his own profit. Certainly a conflict of interests, I would say. The butler loves it, but does she want such a butler ?

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Browser Safety and Privacy - Next Stage

#6 Post by webfork »

Two problems here: one is that you're talking about both privacy and security, which are certainly connected but definitely in different camps. For example, it's possible to be extremely secure and have terrible privacy.

One concept in security that might be instructive is that as you add more features, you increase complexity. Complexity makes security more difficult. You could make a browser that was extremely secure and effective at resisting tracking, wasting energy on crypto mining, etc. but nobody would use it unless it has all the features.

Blackberry for example was a much more secure mobile device, but they couldn't keep up with new stuff on competing platforms. Now they've all but disappeared, adopting Android with a few software tweaks.

Ultimately it's a balance between features and security. There are probably better examples but Firefox ESR is one that has a slower release cycle and improved stability for organizations https://www.mozilla.org/en-US/firefox/organizations/ It doesn't have bleeding-edge features, but it's also not subject to many of the security issues that affect standard Firefox. It will work with most websites but doesn't do all the cutting edge stuff.

Stoik
Posts: 83
Joined: Fri Jan 29, 2016 12:25 pm

Re: Browser Safety and Privacy - Next Stage

#7 Post by Stoik »

Dear WebFork,

You are right: security and privacy are - more often than not - not the same thing.
But in case of online banking: no privacy (someone can read my password) = no security !

For most of my browsing, I do not care if someone is watching over my shoulder.
For example, portablefreeware.com is a public place, and there is no expectation of privacy.
But for online banking and a few similar things (e.g. licence renewals), privacy matters.

This is how I handle my online banking:
I have two portable copies of FireFox on my PC,
one without any extensions (= more security), one loaded with extensions (= more function).
The more secure version I use only for banking and certain license renewals, etc,
the more functional version I use for everything else.

My other very functional browser is portable Cent Browser (a Chinese Chromium variation) loaded with extensions,
but I do not dare use it's extension-free version for banking
since I am not sure that I can trust the anonymous Chinese closed-source programmers,
while I feel a bit more comfortable with the open-source Mozilla.

How do You clever people (WebFork, System, etc) handle Your online banking ?
Is there any further privacy and security advice that You can give to the rest of us ?

Thanks !

User avatar
Midas
Posts: 6710
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Browser Safety and Privacy - Next Stage

#8 Post by Midas »

For years I have been wanting to setup some kind of sandboxed portable web browser where all outgoing communication would be monitored and tweakable. But, alas... :(

User avatar
lintalist
Posts: 434
Joined: Sat Apr 19, 2014 12:52 am
Contact:

Re: Browser Safety and Privacy - Next Stage

#9 Post by lintalist »

Just a thought: you could boot from a (lightweight) Linux live-distro CD/USB, that way even if your current system is compromised they won't be able to see your banking stuff as you run a different OS which doesn't access the HDD - Many distros will have Firefox included already and its fairly quick to update. Just be sure to update the distro regularly so you have a clean/safe environment. I have an older PC with no HDD (it died) but I boot from a LiveCD which I update regularly -that way I'm fairly certain no spyware/whatever is "watching".

User avatar
webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas
Contact:

Re: Browser Safety and Privacy - Next Stage

#10 Post by webfork »

It only occurred to me recently, but you might want to look into NoScript for Firefox.
Stoik wrote:How do you handle your online banking ?
For critical operations, I use Firefox with some trusted security plugins ala HTTPS Everywhere and Privacy Badger.

Post Reply