Articles

Securing the web browser

A quick guide to web browser security - why the security of the web browser is important, how it can be exploited and what you can do to improve its security.

The web browser is one of the most heavily used programs on a computer or mobile device today. Because of its ubiquitous nature, it is also an extremely popular target for attackers.

If you think of your computer or mobile device as a house, then the web browser is its window onto the 'scenery' of the Internet - great for enjoying the view, but if left unsecured, someone outside could also use it to gain entry to your device.

Attackers typically target the web browser to either hijack or snoop on the web traffic from it, or exploit it to access the device itself, and the files saved on it.

Attacking a web browser's normal behavior

Targeting the browser

Though the web browser was only originally intended to display text documents, it has since become the de facto tool or framework for interacting with videos, images, forms, games and all the other content the Internet has to offer.

While it is very handy for the user to have a single program handle so many different types of media and functions, it also makes the web browser more complex to secure, as it leaves many 'weak points' that attackers can leverage to their own advantage.

These are the most commonly targeted aspects of a web browser:

  • Connections to online resources (eg, DNS servers, websites)
    To fetch content from a site for viewing, a web browser normally communicates with a DNS server that directs it to the correct site; the site then provides the desired content to the browser. There are various attacks that subvert and intercept this communication. The actual interception can happen at various points, and usually ends in redirecting the browser to a malicious site, where it (and the user) is exposed to unsolicited content, driveby downloads, and exploit kits.
  • Plugins installed on the browser
    Attackers can target vulnerabilities in third-party plugins that users install on their browser to either hijack the browser's web traffic, snoop on it (particularly for sensitive finance-related data) or to perform harmful actions on the device, such as installing malware.
  • Vulnerabilities in the browser itself
    Attackers often leverage flaws in the browser itself to either snoop on sensitive data transmitted via the web browser (for example, when entered in forms on a webpage) or to perform harmful actions on the device.

Hardening the browser

Fortunately, there are relatively simple actions you can take to harden or improve the security of your web browser and make it more difficult for attackers to break through it. Though these steps won't make the web browser 100% impenetrable, they do make it much harder for an attack to succeed.

Update to the latest version

The easiest action you can take to harden your browser is to keep it updated to the latest version. All major browser vendors regularly release updates that offer new functionalities or improvement to existing features. When it comes to security, the most desirable features include:

  • Anti-phishing: Evaluates and filters suspect links in search results or on a website
  • Anti-malware: Scans and blocks suspect files from being downloaded
  • Plugin security: Evaluates and blocks insecure plugins
  • Sandbox: Isolates the web browser's processes so that it doesn't affect the operating system

Some browsers also include an auto-update function, so that you are notified and prompted to update it whenever a new version is released.

Use a limited user account

If possible, only use the web browser from a limited user account that does not have administrator privileges.

By doing so, even if malware is able to get past the web browser and infect the machine, the account's restricted privileges means that the malware has less freedom to manipulate the system.

Customize the security-related settings

Most web browsers allow you to customize the security-related settings. Though the controls differ for each particular browser, a useful rule of thumb to follow is to set all the settings related to the following as high as possible:

  • Block reported attack / fake sites
    If available, enable this feature to prevent accidental access to malicious sites
  • Cookies
    Disable entirely, or only enable if you visit a trusted site that requires them
  • Pop-up windows
    Block from running automatically, enable it only for trusted websites and/or have the browser ask you each time a site wants to open a window
  • JavaScript
    Block from running automatically, enable it only for trusted websites and/or have the browser ask you each time a site wants to run a script
  • Camera / microphone usage
    Block from running automatically, or have the browser ask you each time a website wants to use the camera / microphone
  • Plugins / add-ons
    Block from running automatically, or have the browser ask you each time a website wants to install or run a plugin/add-on
Ditch unused plugins / add plugins that improve security

Disable or uninstall any plugins that aren't regularly used. You can always re-enable or install them again when you need them later, and in the meantime their removal reduces potential points of failure.

You can also install plugins specifically designed to improve the browser's security. There are numerous options available for all browsers, and some that are recommended by security professionals include:

  • NoScript or ScriptSafe - Popular programs that block scripts on websites until the user specifically enables them
  • Flashblock - An add-on that prevents Flash ads from playing until the user specifically allows them
  • HTTPS Everywhere - An add-on jointly created by the Electronic Frontier Foundation and The Tor Project that encrypts your web browsing traffic

And much more.

Additional steps

The actions above focus on tweaking the web browser itself to be as secure as possible. You can also take steps to harden the computer or mobile device, and protect the communications between your machine and others over the Internet. In this way, you can build a multi-layered defense to protect your device and data from misuse or attack. These steps include:

  • Using a reputable antivirus solution, such as F-Secure SAFE, to detect any malware that do make it past the browser
  • Using a virtual private network (VPN), such F-Secure Freedome, to encrypt your browser's communications, to make it harder to attack
  • Using a security-focused search engine, such as F-Secure Search, that provides site security evaluations
  • Turning on the firewall options most operating systems offer

And so on.

Workarounds

In some cases, users either choose not to update or modify their browsers, or are expressly not allowed to do so. Some reasons for not using a newer version or using weaker security settings include:

  • A specific version of a specific web browser - sometimes even with specific settings - is required to run custom web applications; this often applies in business environments
  • Newer versions of the web browser do not contain desired features or functionality
  • Newer versions of the web browser are not compatible with, or break, a desired plugin or program

In such cases, there are still workarounds that you can pursue to improve their own security. These include:

  • Using two web browsers – the first with the required setup for business operations, and the second with the latest updates for all other Internet browsing
  • Installing and using a sandbox that isolates the web browser from the operating system

The most important thing is to find a workaround that is easy to maintain and convenient for you, since that makes it much more likely that you will actively improve the security of your web browser.