'Extreme Security' Web Browsing
Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measures to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"
Re:Not sure how "secure" this scheme is... (Score:3, Informative)
Unless the second browser is on a Knoppix CD...
built into IE since v4 (Score:3, Informative)
Re:thats annoying... (Score:3, Informative)
Mozilla. It's probably an older version by now, but the Mozilla browser used to (possibly still does) have a setting which you could specify that only images from the original page would be loaded -- cuts out quite a few ads.
Given Firefox's pedigree, I'd be willing to bet that about:config has some setting which allows this, but I can't say what it might be. Mayhaps some helpful soul will respond and say what the setting would be.
Cheers
Virtual machine (Score:3, Informative)
http://www.vmware.com/products/player/ [vmware.com]
It also has a secure browsing "virtual appliance," or virtual machine with software pre-installed:
http://www.vmware.com/appliances/directory/browserapp.html [vmware.com]
The software is open-source.
Re:Not sure how "secure" this scheme is... (Score:5, Informative)
What you can do, instead of using multiple browsers, is use separate Firefox profiles using MOZ_NO_REMOTE=1. I explain this technique in a blog entry, Using multiple Firefox profiles simultaneously to guard against CSRF attacks [tssci-security.com]
This technique would almost be equivalent to using multiple browsers, and I don't know why Jeremiah hasn't caught onto it. I and several others have been proposing others do the same for a while now. You can further enhance the security by running different Firefox profiles under different users. I included links to what others like Joanna Rutkowska do on Vista with IE7, Firefox, and Thunderbird.
Re:thats annoying... (Score:2, Informative)
You wouldn't need to use two different browsers, I believe, just two different 'users' on Firefox, with two different Firefox profiles. It's easy to set up new profiles using Firefox's profile manager (under Windows: firefox.exe --profilemanager). This brings along a whole different set of cookies for the different user. (Being logged on to a site as one user would not carry over simultaneously to the other user.)
Just double-click the desktop icon for the 'secure' user before doing online banking, etc., then close that user's Firefox session when done.
Of course, this is just aimed at CSRF attacks (discussed by TFA), and doesn't address any of the concerns about keyloggers, etc. expressed in the posts above....
Re:Not sure how "secure" this scheme is... (Score:3, Informative)
Re:thats annoying... (Score:1, Informative)
permissions.default.image
Set to 3 blocks third party images.
Set to 1 to reset to all images.
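The separate-profile setup and the permissions.default.image setting from the comments above, put together as an added sketch for a POSIX shell (not any poster's code). The profile root ~/.firefox-isolated, the function names and the FIREFOX_BIN override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one isolated Firefox profile per task, so cookies and
# logged-in sessions are not shared between "banking" and everyday browsing.
# Assumed names: PROFILE_ROOT, FIREFOX_BIN, make_profile, launch_profile.

PROFILE_ROOT="${PROFILE_ROOT:-$HOME/.firefox-isolated}"

# Create (or reuse) a profile directory readable only by this user and
# write a user.js that Firefox applies at every start. Prints the path.
make_profile() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9_-]*)
            # Refuse names that could escape PROFILE_ROOT (e.g. "../x").
            echo "invalid profile name: $name" >&2
            return 1 ;;
    esac
    dir="$PROFILE_ROOT/$name"
    ( umask 077; mkdir -p "$dir" ) || return 1
    chmod 700 "$dir"
    cat > "$dir/user.js" <<'EOF'
// 3 = block third-party images, 1 = allow all images
user_pref("permissions.default.image", 3);
EOF
    printf '%s\n' "$dir"
}

# Start a separate Firefox process bound to that profile. MOZ_NO_REMOTE=1
# stops it from attaching to an already running instance, which would
# otherwise reuse that instance's profile and cookies.
launch_profile() {
    dir=$(make_profile "$1") || return 1
    shift
    MOZ_NO_REMOTE=1 "${FIREFOX_BIN:-firefox}" --profile "$dir" "$@"
}

# Usage: sh this-script.sh --launch banking
if [ "${1:-}" = "--launch" ]; then
    launch_profile "${2:-banking}"
fi
```

As the thread notes, this separates cookies and sessions only; it does nothing against a keylogger on the same machine.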
Re:Not sure how "secure" this scheme is... (Score:3, Informative)