
All times are UTC - 8 hours




 Post subject: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 2:22 am

Joined: Fri Jan 29, 2016 12:25 pm
Posts: 57
I have a strategic thought,
and I would like to get some feedback.

Why are browsers themselves not like firewalls ?
Meaning: a one way street in the flow of information, unless I explicitly give permission otherwise.
Any information that I asked for can come in,
but for any information to go out from my PC - there has to be a popup
asking me for my permission (one off, or permanent).

Currently I am most worried about extensions (Chrome) and web-extensions (FireFox).
When You give them the almost universal permission to "read all the data on the websites you visit",
the extension developer can easily obtain your online banking password, email password (e.g. for Gmail), etc. Scary !
The fact that extension developers have to sign extensions now does not make this any safer.
What is to prevent a crook from signing an extension with "Victor Bakayev" today (a fake identity),
and when he is caught stealing banking passwords he can just resubmit a similar extension under another fake name.

The "firewall principle" from above would change this in the following way:
the extension can use the processing power of your PC to do its work (e.g. AdBlock to clean up the page),
but the extension is prevented from sending any information out - unless You permit it.
There would be a new permission to "send information out".

Bad guys are already using Your processing power, and then sending themselves the results, example - crypto mining.
The "firewall principle" from the paragraph above would prevent this.

Oh, You will say, but a web site needs to read its cookies from Your PC to cater to Your preferences, e.g. when shopping on Amazon.
Well, let them save these few bits of information on their servers, they save so much information on You anyways !

By the way, slightly related and slightly unrelated: have You noticed what a security disaster these online "portable installers" can be. Most of them are used by disreputable sites, but even our saintly John Haller is sometimes forced to use them to respect the owners' rights, e.g. (I think) Process Explorer and AutoRuns. Of course, I trust John Haller and SysInternals, no problem. But You have to open the firewall to the installer to download and install whatever it wants. In contrast, when You download a complete portable installer package (program + portablizer), like John Haller's FireFox, You can first virus-scan it with Your engine or two (I use Windows Defender and WinClam portable), then if in doubt I can VirusTotal scan it online with 66 engines, and only then will I choose to proceed.

What do You guys (and girls) think about the "browser as firewall" issue,
and the extension permission "to send information out". Is this feasible ?
If it is, how (where) can we contact the strategic gurus of FireFox or Chromium ?


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 3:18 am

Joined: Sat Jul 31, 2010 1:19 am
Posts: 1703
Location: Helsinki, Finland
No, it's not really feasible.

HTTP is a two-way protocol. A client requests a page and the server responds with it. Any add-on that needs to perform HTTP requests (e.g. an ad blocker, in order to download filter lists) can stuff anything it wants into the requests.

It might be good if the ability to send/receive data from the Internet was a separate extension permission, but I think nearly all extensions need it.

_________________
My YouTube channel | Release date of my tenth playlist: January 16, 2017
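
A defender-side check for the "read all the data on the websites you visit" permission discussed in this thread, added here as an example and not posted by any participant: it classifies the site access a WebExtension requests in its `manifest.json`, since that access, combined with the ability to make requests, is what lets an extension send page data out. The function names and sample manifests are constructed for illustration.

```javascript
// Added example (not from the thread): classify the site access a WebExtension
// requests in its manifest.json. All sample manifests below are constructed.

// True for a match pattern (as opposed to an API permission name like "storage").
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(entry);
}

// True when the pattern covers every host, i.e. what the install prompt
// words as access to the data on all websites you visit.
function isAllHosts(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const granted = [...(manifest.permissions || []), ...(manifest.host_permissions || [])]
    .filter(isHostPattern);
  // Content scripts get page access through "matches" without an entry in "permissions".
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  // Optional patterns are not active at install but can be requested at runtime.
  const optional = [...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || [])].filter(isHostPattern);

  const active = [...granted, ...injected];
  let access = "none";
  if (active.length > 0) access = "scoped";
  if (active.some(isAllHosts)) access = "all-sites";

  return {
    name: manifest.name,
    access,
    allSitePatterns: active.filter(isAllHosts),
    canEscalate: access !== "all-sites" && optional.some(isAllHosts),
  };
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLES = [
  { name: "Filter Blocker", permissions: ["webRequest", "storage", "<all_urls>"] },
  { name: "Shop Helper", permissions: ["storage", "https://*.example.com/*"],
    optional_permissions: ["*://*/*"] },
  { name: "Page Tweaker", permissions: ["storage"],
    content_scripts: [{ matches: ["*://*/*"], js: ["tweak.js"] }] },
  { name: "Tab Timer", permissions: ["alarms", "storage"] },
];

function auditAll(manifests) { return manifests.map(auditManifest); }
console.log(auditAll(SAMPLES));
```

Run against the `manifest.json` files in a browser profile's extensions folder, anything reported as `all-sites` is a candidate for removal from the profile used for banking.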


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 3:33 am

Joined: Fri Jan 29, 2016 12:25 pm
Posts: 57
System from Helsinki, thank You.

I get it: an adblocker makes a "request" to download filter lists (data going out)
and it can put anything it likes in that "message" (including your private information).

Then, where do You see the next strategic improvement ?
That, perhaps, the most popular extensions are included in the browser as new features ?
Anything signed by Mozilla should not be a security risk.


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 3:38 am

Joined: Sat Jul 31, 2010 1:19 am
Posts: 1703
Location: Helsinki, Finland
Browsers implementing features natively instead of using third-party extensions would be good, indeed.

Native adblockers are unlikely, though. With the exception of Apple and Microsoft, browser developers get their money from ads. (In particular, search engines such as Google and Yahoo pay Mozilla for searches.) An adblocker would be against their own best interests.

_________________
My YouTube channel | Release date of my tenth playlist: January 16, 2017


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 6:55 am

Joined: Fri Jan 29, 2016 12:25 pm
Posts: 57
System,

When You put it like that about the economic interests of the browser developers, and consider the logical next step or two (the "consequence"), then it is in the best interest of the browsers to be very "leaky" with Your information. Just find buyers, and the industry will love and endorse the most leaky browsers.

It is like Princess Diana's butler, who is collecting all the information on her and selling it to the best paying tabloids. He pretends to be working for her, but is actually working for his own profit. Certainly a conflict of interests, I would say. The butler loves it, but does she want such a butler ?


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Tue Oct 10, 2017 6:12 pm

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7273
Location: US, Texas
Two problems here: one is that you're talking about both privacy and security, which are certainly connected but definitely in different camps. For example, it's possible to be extremely secure and have terrible privacy.

One concept in security that might be instructive is that as you add more features, you increase complexity. Complexity makes security more difficult. You could make a browser that was extremely secure and effective at resisting tracking, wasting energy on crypto mining, etc. but nobody would use it unless it has all the features.

Blackberry for example was a much more secure mobile device, but they couldn't keep up with new stuff on competing platforms. Now they've all but disappeared, adopting Android with a few software tweaks.

Ultimately it's a balance between features and security. There are probably better examples but Firefox ESR is one that has a slower release cycle and improved stability for organizations https://www.mozilla.org/en-US/firefox/organizations/ It doesn't have bleeding-edge features, but it's also not subject to many of the security issues that affect standard Firefox. It will work with most websites but doesn't do all the cutting edge stuff.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Wed Oct 11, 2017 9:10 am

Joined: Fri Jan 29, 2016 12:25 pm
Posts: 57
Dear WebFork,

You are right: security and privacy are - more often than not - not the same thing.
But in case of online banking: no privacy (someone can read my password) = no security !

For most of my browsing, I do not care if someone is watching over my shoulder.
For example, portablefreeware.com is a public place, and there is no expectation of privacy.
But for online banking and a few similar things (e.g. licence renewals), privacy matters.

This is how I handle my online banking:
I have two portable copies of FireFox on my PC,
one without any extensions (= more security), one loaded with extensions (= more function).
The more secure version I use only for banking and certain license renewals, etc,
the more functional version I use for everything else.

My other very functional browser is portable Cent Browser (a Chinese Chromium variation) loaded with extensions,
but I do not dare use its extension-free version for banking
since I am not sure that I can trust the anonymous Chinese closed-source programmers,
while I feel a bit more comfortable with the open-source Mozilla.

How do You clever people (WebFork, System, etc) handle Your online banking ?
Is there any further privacy and security advice that You can give to the rest of us ?

Thanks !


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Thu Oct 12, 2017 3:29 am

Joined: Mon Dec 07, 2009 7:09 am
Posts: 3824
Location: Sol3
For years I have been wanting to set up some kind of sandboxed portable web browser where all outgoing communication would be monitored and tweakable. But, alas... :(


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Thu Oct 12, 2017 10:03 am

Joined: Sat Apr 19, 2014 12:52 am
Posts: 162
Just a thought: you could boot from a (lightweight) Linux live-distro CD/USB, that way even if your current system is compromised they won't be able to see your banking stuff as you run a different OS which doesn't access the HDD - Many distros will have Firefox included already and it's fairly quick to update. Just be sure to update the distro regularly so you have a clean/safe environment. I have an older PC with no HDD (it died) but I boot from a LiveCD which I update regularly - that way I'm fairly certain no spyware/whatever is "watching".

_________________
Lintalist @ TPFC - Lintalist website - Source @ GH


 Post subject: Re: Browser Safety and Privacy - Next Stage
Posted: Thu Oct 12, 2017 1:05 pm

Joined: Wed Apr 11, 2007 8:06 pm
Posts: 7273
Location: US, Texas
It only occurred to me recently, but you might want to look into NoScript for Firefox.

Stoik wrote:
How do you handle your online banking ?

For critical operations, I use Firefox with some trusted security plugins à la HTTPS Everywhere and Privacy Badger.

_________________
Supporting Net Neutrality - BattleForTheNet | Why this matters | More from EFF.org

