
'Extreme Security' Web Browsing 267

Posted by Zonk
from the i-think-i'm-paranoid-and-complicated dept.
Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measures to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"


  • by TripMaster Monkey (862126) on Friday December 21, 2007 @09:56AM (#21778132)
    How exactly is this strategy going to protect you from a keylogger?
    • by Kranfer (620510) on Friday December 21, 2007 @09:58AM (#21778174) Homepage Journal
      Personally, I don't think it will. A keylogger is a keylogger... I have never seen one attached to a specific browser... usually just logs everything... How can it protect you? The fuzzy pink bunnies in your mind think that you are fooling the bad people on the internet who use myspace and livejournal from getting your data and setting up a fake "you" page only to trick your friends... Or stealing your credit card #'s and buying a nice new BMW all in your name... I could use a BMW though :/
      • by hawkinspeter (831501) on Friday December 21, 2007 @10:10AM (#21778282)
        There are easy methods to defeat a keylogger though most of them rely on the server side. Asking for only certain characters from a password (e.g. characters 1,4,8 & 9); virtual screen keyboards (just mouseclicks are recorded); drop down lists to select characters.
        • Re: (Score:3, Interesting)

          by tepples (727027)

          There are easy methods to defeat a keylogger though most of them rely on the server side [such as] virtual screen keyboards (just mouseclicks are recorded)
          That's useful as an option. But please don't force it on everybody, as not everybody has a useful pointing device. Some of us use a laptop with a slow trackpad. Others are blind, use a screen reader, and have no mouse at all.
          • Re: (Score:2, Interesting)

            by hawkinspeter (831501)
            That's a fair point - it's much more difficult to beef up security if the user is blind. My bank (LloydsTSB) uses the drop down list method to enter three characters from my super-secret password (you need a normal userid and password to get to that screen), so I imagine that screen readers would be able to speak the current letter/number and of course you can use up/down cursor keys to use the drop down list.
        • by Bender0x7D1 (536254) on Friday December 21, 2007 @11:30AM (#21779244)

          Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.

          Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.

          • Re: (Score:3, Interesting)

            Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.

            Well... they might see your address or account number or whatever, but most password fields are masked with asterisks.

            Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.

            What about using something like VMWare? Fire it up with your favorite OS. Do your important browsing. Shut it down.

        • by v1 (525388) on Friday December 21, 2007 @03:42PM (#21783094) Homepage Journal
          One system I saw reminds me of this problem. It was a touch screen that displayed a keypad. The screen was at a terminal of sorts, and there was a box drawn around the area in front on the ground in red tape. By company rules only one person was allowed in the box at a time, so if you needed to approach the door in a group, you were required to take turns and queue up in a line outside the box.

          The screen was a fresnel lens type cover, so you had to be standing at the correct orientation to the screen to read it. People behind you any distance, or off to the side even a little, could not see the screen at all. The screen presented a numeric keypad and you had to key in your passcode.

          The trick here is, the keypad was not a standard 0-9 3x3 grid. The numbers were in a 3x3 grid, but were in random places each time you used it. So anyone watching your hands to see what you pressed wasn't getting anything useful besides the length of the passcode. (which was fixed at 10 characters) There was a setting to shuffle the keys on each keypress but that was found to get on people's nerves, so you could presumably figure out if a person had a pair of letters in the code that were the same but that's not too big of a deal.

          Only thing is a screen scraper combined with a keylogger (to log mouse clicks) would still own all of this.
    • Re: (Score:3, Informative)

      by Library Spoff (582122)
      You're correct, it's not.
      Unless the second browser is on a knoppix cd...

    • by ZombieWomble (893157) on Friday December 21, 2007 @10:10AM (#21778280)
      Well, looking at the article itself (I know, I know, heresy), the point is that there are whole classes of attacks (specifically "Cross Site Request Forgery" attacks, the focus of this article) which require significant effort on the part of websites to defend against, but which are trivially defended against by having users make a point of not accessing secure and insecure sites at the same time.

      It's in no way presented as a solution to all security on the internet, but a way of addressing one specific class of problems in a simple manner with a minimum of effort. Unfortunately there are plenty of sufficiently smug people on /. who will continue to repeat this idea in this discussion without even glancing at the article.

    • by ectoraige (123390)
      Sigh... it's called security in layers.

      He is quite clearly talking in the context of XSS and CSRF attacks. His so-called strategy is a reasonable precaution to take in this instance.

      Security is not a go/no-go.
    • by gstoddart (321705)

      How exactly is this strategy going to protect you from a keylogger?

      How is someone going to get a keylogger on my FreeBSD box? :-P

      Cheers
      • by darthflo (1095225)
        # pkg_add -r some_ev0l_keylogger, perhaps?
        • by gstoddart (321705)

          "How is someone going to get a keylogger on my FreeBSD box? :-P"

          # pkg_add -r some_ev0l_keylogger, perhaps?

          Well, if someone actually gains physical access to my machine without me knowing about it, manages to get past the root password, and install that piece of evil software ... it's really too late for me to worry about it now, isn't it? At that point, I have bigger issues.

          On the presumption that there isn't some highly organized, well financed team of people with a strong desire to compromise my system f

    • all security measures are incomplete. because it doesn't protect against everything doesn't mean it doesn't have value as a wise modus operandi

      i have a credit card with a limit of $300 i make online purchases with and small change/ restaurant purchases. that doesn't protect me from someone who gets my driver's license number and my ssn and opens a new card in my name. but it still is a simple easy form of limited protection, just like this guy using 2 browsers
    • Re: (Score:3, Insightful)

      by Florian Weimer (88405)
      How exactly is this strategy going to protect you from a keylogger?

      It protects against CSRF attacks (at least when done properly), which appears to be the only thing the author cares about. It seems to me that it's just some security outlet trying to gain publicity by referring to a vulnerability that has been documented for over a decade (see RFC 2109, section 4.3.5).
    • Re: (Score:3, Funny)

      by Jaliyl (1206354)
      I use a similar scheme, I use XP in VMware for shady downloads/torrents and pornsites while my Vista install stays clean.
    • More importantly (Score:3, Insightful)

      by spun (1352)
      How is this going to protect you from sharks with fricken' lasers on their heads? Or even ill-tempered sea bass with lasers on their heads. Oh, wait, this scheme isn't designed with sea bass in mind. Or sharks. Or keyloggers. It's designed to protect against cross site scripting.
    • How exactly is this strategy going to protect you from a keylogger?

      This is not insightful. It shows the PP didn't bother to spend 5 minutes to read the article or the fricking summary.

      But to answer your question, ensure that you surf the web in such a way that you don't install a key logger!

      I have been on the Internet for years, as I am sure most ppl on /. have been, and I have yet to catch a virus, worm, or keylogger. Nor have I ever been phished or conned out of money. Why? Because I keep my AV u
    • "How exactly is this strategy going to protect you from a keylogger?"

      Use a mouse!!
    • Re: (Score:3, Interesting)

      by Aram Fingal (576822)
      Keyloggers can be installed at a variety of levels. They can be installed at a hardware level if someone has physical access to your machine. In software, they can be installed anywhere from the kernel level to the level of a specific application like IE. One of the most likely kinds of keyloggers for the average user to run into is the spyware/trojan browser redirect variety. These are browser-specific and will only capture what you do in that specific browser. Using separate browsers will protect you
  • thats annoying... (Score:4, Interesting)

    by Kranfer (620510) on Friday December 21, 2007 @09:56AM (#21778136) Homepage Journal
    While I do understand what is being said about using two browsers, me personally, I would find that annoying... I only use Firefox... And opening and closing it to open say Opera or IE... that would get annoying after awhile when I know there are products out there that can help protect your data while doing online banking. Speaking of which, I have been doing that since 2000 when I graduated from high school and ventured into the real world without any issues... How many of you actually use two separate browsers as described here, I am just wondering...
    • I don't worry too much.
      One browser and I don't take any special actions before using internet banking.

      I'm fairly confident that nothing will get my details and even if they do, the bank will handle it and I won't be out of pocket.
      Plus I'm using Linux so fat chance a keylogger will get on my system.
    • by symes (835608)

      How many of you actually use two separate browsers as described here, I am just wondering...
      Me. I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful.
      • by FredFredrickson (1177871) on Friday December 21, 2007 @10:44AM (#21778676) Homepage Journal

        I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful.
        That makes as much sense as only wearing the bullet proof vest when you're doing non-dangerous activities.

        If anything, I'd do it the other way around. Promiscuous browsing on IE will certainly get you infected (ever open a pron site with IE? I haven't in years, and I don't plan to start now- even if those exploits have been fixed). Internet Explorer is the only browser I can remember that would just let a virus download and install itself while you battled 80 popups. I understand Internet Explorer 7 is slightly better, but come on- that's what people are targeting, new exploits will come up.

        I do things exactly opposite. I use Opera for all my browsing, and nothing gets through. Then I load up Internet Explorer for my online banking (my bank requires IE). I see no danger in that, because Internet Explorer is clean when I do it, thanks to the fact I never use it (and I clean my system regularly with HijackThis and pv and whatnot).
    • by gstoddart (321705)

      How many of you actually use two separate browsers as described here, I am just wondering...

      I have several levels of this.

      My FreeBSD box is my primary surfing box, and it's set to be fairly closed, but open enough for most things. A second X-windows session has my completely locked down user and browser which won't accept cookies or non-originating images or any form of script is for the shadier parts of the internet -- or I can run the same browser in a separate profile which is a little more permissive.

      A

    • by Pope (17780)
      I usually have two browsers open anyway, IE & FF at work, Safari & FF at home. All have their strengths & weaknesses, so I switch depending on the task. It's hardly a big deal.
    • Re: (Score:2, Informative)

      by rubato (883366)

      You wouldn't need to use two different browsers, I believe, just two different 'users' on firefox, with two different firefox profiles. It's easy to set up new profiles using firefox's profile manager (under Windows: firefox.exe --profilemanager). This brings along a whole different set of cookies for the different user. (Being logged on to a site as one user would not carry over simultaneously to the other user.)

      Just double-click the desktop icon for the 'secure' user before doing online banking, etc., th

  • It is just common sense. Doesn't everyone do that?
    • Re: (Score:2, Insightful)

      by Explodicle (818405)
      You can have both usability AND security... "common sense" is to use a browser with both all the time.
  • by John Jamieson (890438) on Friday December 21, 2007 @09:57AM (#21778160)
    For more secure browsing and e-banking (at our house), we keep Knoppix CDs and DVDs beside our computers and boot with that.
  • This is silly! (Score:4, Insightful)

    by RenHoek (101570) on Friday December 21, 2007 @10:00AM (#21778184) Homepage
    The article is silly. I mean most exploits are going to have a trojan running on your machine via exploits, usually with keylogging and other nasty tricks. The only thing you can stop with two browsers is the spread of cookies or activex plugins tied to your browser. The rest are going to be active regardless and will be collecting information no matter what program you are using.

    The only way to be safe is to use an up-to-date browser (and let's say anything not-IE). And if you have Firefox, look into AdblockPlus and NoScript. If you don't want cookies to bother you, set them to this-session-only. And lastly, Firefox has a lovely "Clear private data when closing Firefox" option if you want it.
    • by Hatta (162192)
      You forgot to mention running the browser inside a VM.
    • For different reasons from the article, I set up a similar situation for my somewhat (ok, quite) computer illiterate in-laws. One, "promiscuous" browser, firefox running in sandboxie [sandboxie.com], and a second, for doing anything which doesn't work from the first. (Firefox updates, etc.)

      No, it doesn't protect against keyloggers, phishing, or anything else that is a "real" security threat, but my time cleaning out malware/trojans and other junk has gone drastically down. The fact that browsing/search history doesn't s
    • And if you have Firefox, look into AdblockPlus, and NoScript. If you don't want cookies to bother you, set them to this-session-only. And lastly, Firefox has a lovely "Clear private data when closing Firefox" option if you want it.

      But these features (except Adblock) are all extremely annoying for day-to-day use. I don't like having to type data into forms twice because I find that they need javascript to submit the damn thing, and disabling NoScript reloads the page and clears what I typed in. I don't like not being able to navigate a site because some javascript menu is hidden and I don't even know exists so I can turn NoScript off. I want slashdot and other sites to store my login name as a cookie. I don't really care if small ra

  • That only works until the promiscuous browser brings home a little key logger and shares it with the rest of the apps on the system. Then your little "secure browser" isn't really that secure, now is it?

    Of course, there are ways to protect your machine from such things, like one of those anti-virus / internet security suite... but then using such a thing would also get rid of that requirement of having to use two separate browsers. And we certainly don't want our friends to think we're uncool by only usin
  • Hell, mine's a slut.

    But then, so am I.

  • If you have an 'extremely secure' browser, why would you want to use an insecure one? I think a better idea is to find a balance between security and functionality. I know I've heard that somewhere a few million times.
  • by east coast (590680) on Friday December 21, 2007 @10:05AM (#21778242)
    I browse the web via correspondence.

    That's right. I snail mail the institutions for the answers I seek and they write me back after looking it up on the web.

    Even this post was done via correspondence. I mailed this letter to CmdrTaco a couple of days back and let him know to post my thoughts on the matter when the article hit the front page.
  • by emj (15659) on Friday December 21, 2007 @10:06AM (#21778246) Homepage Journal
    Only use a separate computer for banking, shouldn't be connected to any network. Preferably all I/O ports should be fitted with epoxy, especially the keyboard. A large faraday cage over the monitor to prevent Van Eck [slashdot.org] as well.

    But I might be paranoid.
  • I've got two profiles for Firefox: one for everyday stuff, and one for banking. Originally I'd done this because the banks all seemed to require Javascript, and I simply don't leave that on (I hate dancing baloney on websites, and a lot of the time it's just used to serve ads anyhow). Nowadays I use NoScript [noscript.net] to turn on JavaScript when I want to, but I still do all the banking stuff in a separate profile.

    I did read an interview with a security researcher recently (sorry, can't dig up the link) who said t

  • Not much content there...

    Am I living under a rock because I have never heard of Cross Site Request Forgery?

    Is it known by a different name?
    • by gstoddart (321705)

      Not much content there...

      Am I living under a rock because I have never heard of Cross Site Request Forgery?

      Is it known by a different name?

      I've seen it referred to as XSS [wikipedia.org] for "Cross Site Scripting".

      It's a well known class of attack where one web site makes script calls to another site and can expose some vulnerabilities.

      If you do anything web-ish and need to be concerned with security, it's a real issue and fairly well known. The wiki link I provide has some good info.

      Cheers

  • by sh0rtie (455432) on Friday December 21, 2007 @10:09AM (#21778274)
    they are called "zones" [microsoft.com]: put sites you trust in "trusted sites" and ones you don't in "restricted". You can configure each of the zones' (there are 5 but only 4 visible [microsoft.com]) security settings to however paranoid or trusting you are of the sites you visit; each setting is independent, eg turn off script on normal internet surfing but only allow certain sites to use
    • "they are called "zones" .. there are 5 but only 4 visible) .."

      Why don't you just make four more secure and make four be the top number and make that a little more secure .."

      Quote ..

      Nigel: ...the numbers all go to eleven. Look...right across the board.

      Marty: Ahh...oh, I see....

      ..

      Marty: Why don't you just make ten louder and make ten be the top... number... and make that a little louder?

      Nigel: These go to eleven [csoonline.com].
      • by sh0rtie (455432)
        actually the zones are grouped according to location not levels
        "Internet" "Local Intranet" "Trusted Sites" "Restricted Sites " "My Computer" (the hidden one)
        each one can be customised security wise to taste, it's just a matter of setting it up (if plugging a leaking dam with fingers is any good)

        but if this person is a "security researcher" then he should really be surfing/investigating potentially badsites through a VM in something other than IE (unless he is looking to get exploited on purpose), i mean rea
    • Re: (Score:3, Insightful)

      by Simon (815)
      What you have just described is totally different and doesn't in any way address the class of attack (Cross Site Request Forgery, http://en.wikipedia.org/wiki/CSRF [wikipedia.org] ) talked about in the article. It has little to do with scripting or zones, or that one browser is IE or the other is Firefox. It has everything to do with the fact that two *separate* browsers are used, and that web sites in the untrusted browser can't send requests to the guy's logged in banking session.

      Turning off scripting doesn't guard agains
  • Boot up a live CD (with the MD5 sum confirmed on 2 separate PCs) and only use the live CD's Firefox browser.

    Just hope that no one injected a keylogger onto the live CD and remembered to change the MD5 sum as well...
  • by Janos421 (1136335) on Friday December 21, 2007 @10:12AM (#21778302)
    Well the news is not well reported. This tip aims to protect against "Cross Site Request Forgery (CSRF)--considered one of the most insidious but least appreciated threats in application security". So clearly it does not pretend to address key-logger issues

    For sure, in this context, the tip is quite effective.
  • by eli pabst (948845) on Friday December 21, 2007 @10:14AM (#21778330)
    This is akin to putting a 5 inch thick steel door on the front of your house and an unlocked screen door on the back. Once the "weaker" browser is compromised, generally at the very least it's going to allow user-level execution, so an attacker could modify the settings on the "secure" browser or insert a keystroke logger.
  • by Nimey (114278) on Friday December 21, 2007 @10:16AM (#21778362) Homepage Journal
    If you want *secure*, you can boot the anonym.os LiveCD, which, while a bit out-of-date, has some good anonymization tools as well.

    Or, as others have suggested, a dedicated virtual machine which can revert its state at shutdown, so you know there won't be any nasties lurking even in the sandbox.
    • by TubeSteak (669689)

      Or, as others have suggested, a dedicated virtual machine which can revert its state at shutdown, so you know there won't be any nasties lurking even in the sandbox.

      Speaking of sandboxes... http://www.sandboxie.com/ [sandboxie.com]
      It lets you run your windows programs in a sandbox.
      I saw a link to it in some previous /. thread and I have been using it since.
      With a few tweaks to let you easily save files to your favorite places, it's completely transparent.

      I plan on installing it for my other family members. They don't exactly browse malicious sites or open up every crap e-mail link, but they still pick up the occasional piece of malware.

  • Questions that pop up in my mind at this point are:

      - Does using multiple browsers as described actually do anything for security?
      - Why?
      - Is it supposed to be that way?
      - Shouldn't we be secure using just one browser?
    • by caluml (551744)
      And the other point - why use two browsers? On a multi-user operating system, just run them as different users [calum.org].
      I wonder how long it will be until, when you create a user account, a second one (or two or three) is automatically created, and potentially vulnerable apps (browser, mail, etc) configured to run as separate users.
  • Just in case?

    "Better safe than sorry," — murmured the abbess rolling a condom over a candle.

  • by SixFactor (1052912) on Friday December 21, 2007 @10:22AM (#21778418) Journal
    Interesting countermeasure against CSRFs. I can just imagine Mr. Grossman not quite referring to IE (the promiscuous one) vs. Firefox (the safe one).

    Given the above and operating conditions being equal (with use of solid anti-virus and firewall measures), it seems to me that if a well-designed browser was used in the first place, then there would not be a need for a "promiscuous" browser. In fact, wouldn't the use of a "promiscuous" browser increase a user's risk when conducting, uh, questionable activities? End result (cue alarming music here): the box gets compromised, and it doesn't matter if a safe browser was used for banking, etc., something nasty now lives in the box.

    Continuing the FF vs IE model, if FF was designated for promiscuous activity, then the user is arguably better protected. So that leaves us with IE as the "safe" browser? The mind reels.

    I know there are alternatives (Opera, Konq, etc.), but presumably Mr. Grossman is addressing mostly Windows users.
  • The fool is using the same computer to go to both important and random web sites! And he's probably using Windows, too!

    If you care at all about security, you create a separate virtual machine for every web site you visit, and you only go to your banking site with an up-to-the-second-patched copy of lynx running on an obscure OS and platform, like OpenVMS running on DEC Alpha hardware, for example.

    If you *really* care about security, you use telnet on an OS you wrote yourself. And you carefully scrutin

  • by MagicM (85041) on Friday December 21, 2007 @10:27AM (#21778490)
    I do the same thing when I have to go somewhere. I have two cars, one that's reliable, and one rusty piece of crap that's ready to fall apart any minute. When I need to go somewhere important, I take my reliable car so I know I won't die before I get there. When I just need to take a quick trip to the grocery store, I take my junk car and just cross my fingers.
    • Same thing for computing. I use my crappy PC to play a game, but for the good porn, I use my Mac. That way all the malware associated with such sites don't do anything to my 'puter.
  • I use Camino - set to the highest security and to dump history and cache for just two uses: business banking and court filing. As a lawyer I take reasonable steps to protect my clients - nobody can predict every potential criminal act. I use the Mac's Filevault protection on all of my computers and every system's password is greater than 20 characters.

    It isn't absolute security - but it is a hell of a lot more than most of my colleagues use.
  • This guy is a "Security Researcher"? Let me get this straight. You have 2 browsers, one insecure, one secure. On the insecure you do your daily stuff, on the secure you do your banking. Ok. Say your insecure browser gets compromised due to a vulnerability that is not yet patched or there is no patch for. Some of the browser vulnerabilities allow for full system control. Then what? Your whole system is now FUBAR. So there goes your "secure" browser. 15 year olds have more security sense than this guy.
    • This is not a general technique for protecting against all possible vulnerabilities, it's for protection against cross-site request forgery.

      If a banking site does not use some kind of nonce in each request (or check referrers, or request confirmation, or otherwise attempt to prevent this class of attack), then someone could stick <img src="http://bankingsite.example.com/account_management?req=transfer_funds&amt=5.00&target=badguy"> in a web page (say, as the avatar image for some throwaway account
  • Why not just call them IE and Firefox? Why beat around the bush?
  • to simply have a spare computer to do all things secure. A cheap, old computer should do it. Just do format then fresh install of your OS, and only use it for banking, paying bills, etc.
  • by oni (41625) on Friday December 21, 2007 @10:40AM (#21778632) Homepage
    What he's describing is not a way of keeping your computer safe, it's a way of hiding porn from your girlfriend. You use some browser that she's never heard of for all your illicit surfing. Then, she fires up your computer and starts running IE, she looks in your history and sees slashdot and CNN or whatever and doesn't think you're a pervert (which you are).

    It's also a good idea to have "honeypot porn" which is basically, a few very innocuous sites that you visit in IE that you intentionally want her to find - because once she starts looking, she's going to keep looking until she finds something. Best to give her something to find. Let her think you go to maxim.com or something.
  • by ehaggis (879721)
    Lynx - The only way to browse!
  • by jcaplan (56979)
    The question for me is:

    Why do online banking?

    My bank had a poster in the lobby stating that they used "state of the art" security measures to protect their online banking customers. I reflected on the state of the art and wondered why anyone would trust their money with online banking. For me the risk / convenience just doesn't work out. My electronic banking is limited to checking balances and cleared checks by phone. I know my account number and password are transmitted in cleartext (clearbeeps), but acce
  • by (rypto* (641800) *
    Nothing is as secure as your own memory..

    Let us understand the flaws of this guy's "grand" idea:-
    1 - There is no such thing as an absolutely secure browser; there is no stealth mode, and even if you are on it, how are you going to log into an account? (Every one has holes too ;)
    2 - Browse without an "Anonymous" proxy and your IP is advertised, i.e. your system is out in the open. (Like someone mentioned: keyloggers, trojans, and many many others can evade)
    3 - There are always SBS(Some Bloody Software) trying to open ports for p
  • It sounds like the basic attack is surreptitiously having a web page hit a bank and hoping that you are currently logged in. So why wouldn't simply logging in, doing whatever you need to do, and logging out work just as well as firing up a separate browser? If an attacker convinces my browser to hit my bank, but I'm not logged in, it's a "no harm no foul" situation.
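The CSRF mechanics debated in the comment above and in the earlier `<img src=...>` comment, as an added Python simulation that is neither the article's nor any poster's code: a constructed toy bank on the fictional host bankingsite.example.com with made-up users (alice, bob, badguy), a vulnerable transfer endpoint that trusts the session cookie alone, a hardened one that also demands a per-session synchronizer token (the "nonce" the earlier comment mentions), and the two defences the thread proposes on the user side (logging out, or keeping the bank cookie in a separate browser).

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed forged request: the <img src=...> from the earlier comment. The
# host and the "badguy" account are fictional. The victim's browser attaches
# the bank's cookies to this request automatically; that is the whole of CSRF.
FORGED_URL = ("http://bankingsite.example.com/account_management"
              "?req=transfer_funds&amt=5.00&target=badguy")


@dataclass
class Request:
    """Minimal stand-in for an HTTP GET: a URL plus the cookies the browser sent."""
    url: str
    cookies: dict = field(default_factory=dict)

    def params(self) -> dict:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


class Bank:
    """Toy server. require_token=False is the vulnerable design: the session
    cookie alone authorises a transfer. require_token=True adds a per-session
    synchronizer token that the bank embeds in its own forms; an attacker's
    page never sees it, so a cross-site request cannot carry it."""

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self.sessions: dict = {}          # session id -> {"user", "csrf"}
        self.balances = {"alice": 100.0, "bob": 0.0, "badguy": 0.0}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def handle(self, req: Request):
        """Return (status, message); apply the transfer only if it is allowed."""
        sess = self.sessions.get(req.cookies.get("session", ""))
        if sess is None:
            return 401, "not logged in"
        p = req.params()
        if self.require_token and not secrets.compare_digest(
                p.get("csrf", ""), sess["csrf"]):
            return 403, "missing or wrong csrf token"
        if p.get("req") != "transfer_funds":
            return 400, "unknown action"
        try:
            amt = float(p.get("amt", ""))
        except ValueError:
            return 400, "bad amount"
        user, target = sess["user"], p.get("target")
        if amt <= 0 or target not in self.balances or self.balances[user] < amt:
            return 400, "transfer refused"
        self.balances[user] -= amt
        self.balances[target] += amt
        return 200, "transferred %.2f to %s" % (amt, target)


def run_scenarios() -> dict:
    """Replay the thread's scenarios; returns {name: (status, alice's balance)}."""
    out = {}

    # 1. Vulnerable bank, victim logged in, attacker page loaded in the same
    #    browser: the cookie rides along and 5.00 leaves the account.
    bank = Bank(require_token=False)
    sid = bank.login("alice")
    status, _ = bank.handle(Request(FORGED_URL, {"session": sid}))
    out["vulnerable_logged_in"] = (status, bank.balances["alice"])

    # 2. Hardened bank: same cookie, but the forged URL carries no token.
    bank = Bank(require_token=True)
    sid = bank.login("alice")
    status, _ = bank.handle(Request(FORGED_URL, {"session": sid}))
    out["hardened_forged"] = (status, bank.balances["alice"])

    # 2b. A genuine transfer from the bank's own form carries the token.
    legit = ("http://bankingsite.example.com/account_management?req=transfer_funds"
             "&amt=5.00&target=bob&csrf=" + bank.csrf_token(sid))
    status, _ = bank.handle(Request(legit, {"session": sid}))
    out["hardened_legit"] = (status, bank.balances["alice"])

    # 3. Vulnerable bank, but the user logged out first, or did the risky
    #    browsing in a separate browser that never held the bank cookie.
    bank = Bank(require_token=False)
    sid = bank.login("alice")
    bank.logout(sid)
    status, _ = bank.handle(Request(FORGED_URL, {"session": sid}))
    out["vulnerable_logged_out"] = (status, bank.balances["alice"])
    status, _ = bank.handle(Request(FORGED_URL, {}))   # other browser: no cookie
    out["vulnerable_other_browser"] = (status, bank.balances["alice"])
    return out


if __name__ == "__main__":
    for name, (status, balance) in run_scenarios().items():
        print("%-26s HTTP %d  alice now has %.2f" % (name, status, balance))
```

The user-side defences only work while no bank session exists in the browser that loads untrusted pages, which is exactly the discipline the two-browser scheme enforces; the token check protects users who never heard of the scheme.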
  • Virtual machine (Score:3, Informative)

    by athloi (1075845) on Friday December 21, 2007 @12:10PM (#21779816) Homepage Journal
    VMware player is open source:

    http://www.vmware.com/products/player/ [vmware.com]

    It also has a secure browsing "virtual appliance," or virtual machine with software pre-installed:

    http://www.vmware.com/appliances/directory/browserapp.html [vmware.com]

    The software is open-source.
  • Everyone here knows that 2 browsers in the same box is only secure if both are restrictive...

    A better solution without buying more hardware is use a Linux or FreeBSD live CD for the "secure" browsing.

    A compromise without physically rebooting would be to do your "insecure" browsing under virtualization.

    A further step down is to do your "secure" browsing under virtualization with encrypted volume.

    Any one of the above is a lot more secure than TFA.
