'Extreme Security' Web Browsing 267
Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measure to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"
Not sure how "secure" this scheme is... (Score:5, Insightful)
Re:Not sure how "secure" this scheme is... (Score:5, Insightful)
This is silly! (Score:4, Insightful)
The only way to be safe is to use an up-to-date browser, (and lets say anything not-IE). And if you have Firefox, look into AdblockPlus, and NoScript. If you don't want cookies to bother you, set them to this-session-only. And lastly, Firefox has a lovely "Clear private data when closing Firefox" option if you want it.
Re:That's not extreme. (Score:1, Insightful)
Does everyone go deep down into paranoia taking painful and mostly useless security measures ? No.
ArticleSummary.Equals(TFA) = True (Score:2, Insightful)
Am I living under a rock because I have never heard of Cross Site Request Forgery?
Is it known by a different name?
Re:Not sure how "secure" this scheme is... (Score:5, Insightful)
It's in no way presented as a solution to all security on the internet, but a way of addressing one specific class of problems in a simple manner with a minimum of effort. Unfortunately there's plenty of sufficiently smug people on /. who will continue to repeat this idea in this discussion without even glancing at the article.
Re:Not sure how "secure" this scheme is... (Score:5, Insightful)
This news is incomplete (Score:3, Insightful)
For sure, in this context, the tip is quite effective.
Re:That's not extreme. (Score:2, Insightful)
Only as strong as the weakest link (Score:4, Insightful)
Re:Not sure how "secure" this scheme is... (Score:3, Insightful)
It protects against CSRF attacks (at least when done properly), which appears to be the only thing the author cares about. It seems to me that a it's just some security outlet trying to gain publicity by referring to a vulnerability that has been documented for over a decade (see RFC 2109, section 4.3.5).
Trying to Think This Through... (Score:3, Insightful)
Given the above and operating conditions being equal (with use of solid anti-virus and firewall measures), it seems to me that if a well-designed browser was used in the first place, then there would not be a need for a "promiscuous" browser. In fact, wouldn't the use of a "promiscuous" browser increase a user's risk when conducting, uh, questionable activities? End result (cue alarming music here): the box gets compromised, and it doesn't matter if a safe browser was used for banking, etc., something nasty now lives in the box.
Continuing the FF vs IE model, if FF was designated for promiscuous activity, then the user is arguably better protected. So that leaves us with IE as the "safe" browser? The mind reels.
I know there are alternatives (Opera, Konq, etc.), but presumably Mr. Grossman is addressing mostly Windows users.
Dumbest Thing I Have Ever Heard (Score:2, Insightful)
confusing web security with girl-friend security (Score:5, Insightful)
It's also a good idea to have "honeypot porn" which is basically, a few very innocuous sites that you vist in IE that you intentionally want her to find - because once she starts looking, she's going to keep looking until she finds something. Best to give her something to find. Let her think you go to maxim.com or something.
Re:thats annoying... (Score:5, Insightful)
If anything, I'd do it the other way around. Promiscuous browsing on IE will certainly get you infected (ever open a pron site with IE? I haven't in years, and I don't plan to start now- even if those exploits have been fixed). I explorer is the only browser I can remember that would just let a virus download and install itself while you battled 80 popups. I understand Iexplorer7 is slightly better, but come on- that's what people are targeting, new exploits will come up.
I do things exactly opposite. I use opera for all my browsing, and nothing gets through. Then I load up internet explorer for my online banking. (my bank requires IE). I see no danger in that, because internet explorer is clean when I do it, thanks to the fact I never use it (and I clean my system regularly) with hijack this and pv and what not.
Re:Not sure how "secure" this scheme is... (Score:2, Insightful)
On that note though, I do not write my passwords on my monitor, I have them in a small notebook in the drawer! I would rather use completely different passwords for each site and write them down than use the same few passwords across all sites that I need a password for.
Re:Not sure how "secure" this scheme is... (Score:5, Insightful)
Unfortunately, there are also key loggers that will do screen captures as well. If the attackers find they are unable to capture your password after you type "www.mybank.com", they can activate the screen capture capability the next time you visit that site. Sure, it takes more storage, and longer to transmit to the attacker, but if you haven't discovered you have a key logger, you won't notice the image files.
Once your system has been compromised, you can't assume anything. That's why Knoppix, or any other LiveCD, is a good idea when you want the added security. Since the media is fixed, even if you get compromised, it goes away when you reboot. However, if you are using a LiveCD, don't leave your machine running for days on end, or you could get compromised. Boot up, do what you have to do, and shut down. Sure, that's a bit paranoid, but it isn't paranoia if someone is actually out to get you.
Secure Password Manager (Score:2, Insightful)
Let us understand the flaws of this guys "grand" idea:-
1 - There is no as such a absolutely secure browser, there is no stealth mode even if you are on it how are you going to log into an account?.(Every one has holes too;)
2 - Browse without "Anonymous" proxy and your IP is advertised, i.e.. your system is out in the open..(Like someone mentioned - Keyloggers,trojan.. many many others can evade)
3 - There are always SBS(Some Bloody Software) trying to open ports for pirates.
4 - In an era of high bandwidth internet where is the wait to guess what's wrong with a computer.( scan it all )
Now..
Think, why do you have brains?
Can it keep secrets?
Can you trust it?
1- Remember and Type all your passwords & user id's- its tough if you are used to someone else remembering the password for you, its proven good for your brain..
2- Accept cookies from sites you trust ( avoid inter-site tracking cookies )
3- Keep no cache memory
4- Use ssl login whenever possible. (https://mail.google.com/mail/)
5- Use a browser without susceptible addons
6- Hide your WAN IP. ( google "anonymous browsing" )
7- Try to even remember your account numbers ( After a while it dissolves )
Give it a thought.
More importantly (Score:3, Insightful)
Re:confusing web security with girl-friend securit (Score:2, Insightful)
Re:built into IE since v4 (Score:3, Insightful)
Turning off scripting doesn't guard against CSRF either BTW. I wish people would read the bloody article (and understand it!).
--
Simon
Re:Not sure how "secure" this scheme is... (Score:2, Insightful)
Re:confusing web security with girl-friend securit (Score:4, Insightful)