Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 2:22 am
I have a strategic thought,
and I would like to get some feedback.
Why are browsers themselves not like firewalls ?
Meaning: a one way street in the flow of information, unless I explicitly give permission otherwise.
Any information that I asked for can come in,
but for any information to go out from my PC - there has to be a popup
asking me for my permission (one off, or permanent).
Currently I am most worried about extensions (Chrome) and web-extensions (FireFox).
When You give them the almost universal permission to "read all the data on the websites you visit",
the extension developer can easily obtain your online banking password, email password (e.g. for Gmail), etc. Scary !
The fact that extension developers have to sign extensions now does not make this any safer.
What is to prevent a crook from signing an extension with "Victor Bakayev" today (a fake identity),
and when he is caught stealing banking passwords he can just resubmit a similar extension under another fake name.
The "firewall principle" from above would change this in the following way:
the extension can use the processing power of your PC to do it's work (e.g. AdBlock to clean up the page),
but the extension is prevented from sending any information out - unless You permit it.
There would be a new permission to "send information out".
Bad guys are already using Your processing power, and then sending themselves the results, example - crypto mining.
The "firewall principle" from the paragraph above would prevent this.
Oh, You will say, but a web site needs to read it's cookies from Your PC to cater to Your preferences, e.g. when shopping on Amazon.
Well, let them save these few bits of information on their servers, they save so much information on You anyways !
By the way, slightly related and slightly unrelated: have You noticed what I security disaster these online "portable installers" can be. Most of them are used by disreputable sites, but even our saintly John Haller is sometimes forced to use them to respect the owners rights, e.g. (I think) Process Explorer and AutoRuns. Off course, I trust John Haller and SysInternals, no problem. But You have to open the firewall to the installer to download and install whatever it wants. In contrast, when You download a complete portable installer package (program + portablizer), like John Haller's FireFox, You can first virus-scan it with Your engine or two (I use Windows Defender and WinClam portable), then if in doubt I can VirusTotal scan it online with 66 engines, and only then will I choose to proceed.
What do You guys (and girls) think about the "browser as firewall" issue,
and the extension permission "to send information out". Is this feasible ?
If it is, how (where) can we contact the strategic gurus of FireFox or Chromium ?
and I would like to get some feedback.
Why are browsers themselves not like firewalls ?
Meaning: a one way street in the flow of information, unless I explicitly give permission otherwise.
Any information that I asked for can come in,
but for any information to go out from my PC - there has to be a popup
asking me for my permission (one off, or permanent).
Currently I am most worried about extensions (Chrome) and web-extensions (FireFox).
When You give them the almost universal permission to "read all the data on the websites you visit",
the extension developer can easily obtain your online banking password, email password (e.g. for Gmail), etc. Scary !
The fact that extension developers have to sign extensions now does not make this any safer.
What is to prevent a crook from signing an extension with "Victor Bakayev" today (a fake identity),
and when he is caught stealing banking passwords he can just resubmit a similar extension under another fake name.
The "firewall principle" from above would change this in the following way:
the extension can use the processing power of your PC to do it's work (e.g. AdBlock to clean up the page),
but the extension is prevented from sending any information out - unless You permit it.
There would be a new permission to "send information out".
Bad guys are already using Your processing power, and then sending themselves the results, example - crypto mining.
The "firewall principle" from the paragraph above would prevent this.
Oh, You will say, but a web site needs to read it's cookies from Your PC to cater to Your preferences, e.g. when shopping on Amazon.
Well, let them save these few bits of information on their servers, they save so much information on You anyways !
By the way, slightly related and slightly unrelated: have You noticed what I security disaster these online "portable installers" can be. Most of them are used by disreputable sites, but even our saintly John Haller is sometimes forced to use them to respect the owners rights, e.g. (I think) Process Explorer and AutoRuns. Off course, I trust John Haller and SysInternals, no problem. But You have to open the firewall to the installer to download and install whatever it wants. In contrast, when You download a complete portable installer package (program + portablizer), like John Haller's FireFox, You can first virus-scan it with Your engine or two (I use Windows Defender and WinClam portable), then if in doubt I can VirusTotal scan it online with 66 engines, and only then will I choose to proceed.
What do You guys (and girls) think about the "browser as firewall" issue,
and the extension permission "to send information out". Is this feasible ?
If it is, how (where) can we contact the strategic gurus of FireFox or Chromium ?