We will be updating the Forum on Tuesday, 19th of March between 09:00 and 11:00 (UTC) (see the time in your time zone). During this time you may experience some downtime. Thanks in advance for your patience. 🙂
The basics of web browser security: an introduction
-
In a series of blog posts, we look into some of the most important aspects of online privacy and security.
Click here to see the full blog post
-
@olgaa said in The basics of web browser security: an introduction:
In a series of blog posts, we look into some of the most important aspects of online privacy and security.
Click here to see the full blog post
Shared on Diaspora and G+
-
Nice.
-
If browser makers actually care about security, then why do they keep adding features that are easy for malicious websites to abuse, with so little thought put into how users will manage these features or how to keep them from being abused?
Let's just take web notifications as an example (I'll link to an article to keep this post shorter):
https://www.bleepingcomputer.com/news/security/forget-email-web-sites-use-notifications-to-spam-your-browser-instead/Aside from the above, there are several other issues with web notifications:
-
Malicious scripts can change the message displayed on the notification (at least in Vivaldi and presumably Chrome as well) that asks users if they want to allow web notifications from that site. I've seen those URL shortening services that display ads and require you to click a "continue" button/link change the notification so that it simply says "Click 'Allow' to continue!".
-
Malicious scripts can delay the loading of page content until Allow or Deny is clicked in the notification, forcing users to interact with the notification before being allowed to even view the website they were visiting. I've even seen legitimate websites (Kayako's cloud-hosted helpdesk/support system for instance) do this.
-
The controls in Chrome for managing web notifications are not easy to find (even with the search they are hidden in subsections that you have to click and manually look through), and since Vivaldi suppresses the Chrome settings page in favor of its own it makes it even more difficult to find them.
-
Chrome (and Vivaldi by proxy since it doesn't have its own setting for this) uses rather strange wording for the option to automatically deny permission for web notifications. Without looking up documentation or tutorials, you wouldn't know that the option denies permission for all websites (from the wording it sounds like it automatically allows all websites to send notifications). Firefox has a simple setting in about:config that is worded clearly and makes sense, however the average user has no idea that about:config is even there or how to use it, and I am not aware of any options in the normal settings in Firefox to disable web notifications.
Keep in mind that there are other examples. There isn't enough room here to list every stupid security decision that browser makers have made, nor is there enough time in a day to compile all of them into a list. Web notifications make a good example because they are currently being actively abused in the real world, and are by far not the only problem.
-
-
Note to self: Re-read before posting next time... There's no "Edit" button...
Edit: However there does appear to be one on the forums, so the most obvious typos in my post are now fixed. Thanks to @lonm for reminding me.
-
@gt500 there is an edit button, it's in the 3 dots menu button on the right of the voting arrows.
-
@ian-coog: It's not available on vivaldi.com (the blog comments), but can be found on the associated forum.vivaldi.net thread.
-
Keeping the Operating System updated & anti malware program updated is part of it also, as is the end user
:knight: -
Why my site info window is different than one on the screenshot in the post?
https://imgur.com/xKrUPpC
All settings open in new tab. But it was like shown several snapshots ago. It was a better solution than now. Maybe there is some setting for reverting this option? -
@solidsnake In latest versions of chromium, the site info box only shows permissions that are requested rather than all of them. As vivaldi doesn't need to use, for example, the camera, that permission isn't shown and uses your default (probably "ask").
Why it always shows flash though, I don't understand.
-
@lonm: Thanks for the explanation. But I don't see javascript for example, and the site uses it. Sometimes i want to disable it, and it would be much more convenient if it would be on this menu rather than in a separate tab.
But if it is a chromium thing, then probably vivaldi team couldn't change that. -
@lonm said:
@ian-coog: It's not available on vivaldi.com (the blog comments), but can be found on the associated forum.vivaldi.net thread.
Correct, there's no edit button on the blog, and I don't frequent the forums enough to have remembered that the comments also show up in a thread there. Thanks for reminding me.
-
Elon Musk deletes Facebook pages for SpaceX and Tesla.
-
@solidsnake You are absolutely right. As far as general users are concerned only showing necessary permissions makes things simpler to understand and so should enhance understanding of privacy and security.
But for power users (whatever that means) it would make more sense to at least have an option to show all.
-
@gt500: Thanks for the feedback. One of the upcoming articles will cover parts of this, at least (changing those settings). There may be a couple of things that could be worded better in the UI, or get restrictions to make them harder to abuse, and we are always happy to look into possible improvements there. Our settings are always being worked on, and we do have plans to add more controls.
then why do they keep adding features that are easy for malicious websites to abuse
When browsers wish to add features, they do get a great deal of effort spent on working out possible vectors they may introduce, and trying to prevent them. Many of us spent a lot of effort in making sure that the permissions implementations would not be a completely open book for websites to abuse. If you are interested, you can help take part in the standardisation processes (such as W3C, whose HTML5 specification does take security implications into account). You may contact the standardisation bodies if you would like to contribute in some way.
delay the loading of page content until Allow or Deny is clicked in the notification, forcing users to interact with the notification before being allowed to even view the website they were visiting.
This is always possible for any page. They can choose to display a blank page, or an error message and claim you have to do [something] in order to make the page work. This is a form of social engineering, and is something the phishing filter is intended to combat (the website would be blacklisted for being malicious).
scripts can change the message displayed on the notification
If you think you can abuse a message from a page which is displayed in the UI, please report this to our bug tracking system, and we will analyse it to determine if it has security implications.
A cursory test does not appear to show the problem you described though; the wording in Vivaldi is hardcoded by the browser, since the method used to ask for permission only accepts a callback function as a parameter. An older WebKit API which allowed strings seems not to be supported in Chromium. I cannot, of course, speak for the other browser vendors - if you think you can abuse their browsers in this way, you should report it to them (most vendors will give you researcher rewards of some kind if you report a security issue without discussing it publicly first).
-
@solidsnake: It's like that, it only shows options that have their defaults defined as Ask or whose default was changed from the browser default. Since JavaScript is unblocked by default it's not shown.
PS: Yeah, I hate that too.
-
@gt500 Re that BP article - i read it last month, but re-read it now via your link to refresh my memory. My reaction both times was... meh.
Either i manage miraculously to somehow avoid all the "bad" sites that misbehave that way, or, my uO & Ghostery or Privacy Badger [i alternate between them] extensions do a great job, coz i never ever experience the described misbehaviour. Meanwhile, on the sites for which i have enabled them, web notifications are a valued & appreciated functional feature for me.
-
@tarquin said in The basics of web browser security: an introduction:
and we do have plans to add more controls
IMHO. Control is the correct word for the context.
-
delay the loading of page content until Allow or Deny is clicked in the notification, forcing users to interact with the notification before being allowed to even view the website they were visiting.
This is always possible for any page. They can choose to display a blank page, or an error message and claim you have to do [something] in order to make the page work.
I apologize if I was not clear enough here, however the point was that scripts have a way to tell if a user has interacted with the notification that asks users for permission to allow web notifications. Scripts should not have access to this sort of information.
If you think you can abuse a message from a page which is displayed in the UI, please report this to our bug tracking system, and we will analyse it to determine if it has security implications.
I will see if I can find you an example.
If you are interested, you can help take part in the standardisation processes (such as W3C, whose HTML5 specification does take security implications into account).
Browser makers can't simply blame standards organizations for poor implementation of features, or for poor security precautions when implementing features. The W3C doesn't write the code for Google Chrome, Vivaldi, or Firefox. The W3C also doesn't make the decisions as to what features each of these browsers will have.
-
@steffie: uBlock Origin will prevent a lot of abuse, and might be why you haven't seen it. It's also possible that you haven't visited the kind of sites that use such scripts.