Super-safe Web browsing

As a security analyst and researcher, I often find myself exploring some of the darker corners of the Internet. In the course of staying current on security issues, I frequently must browse the sorts of Web sites no average person should go anywhere near; I'm also far more likely to be targeted in an attack. That's forced me to develop a somewhat extreme approach to safer surfing.

Understand the risks

Web browser attacks fall into two general categories. The first type target your browser. They include:

  • Cross-site scripting (XSS), in which an attacker illicitly inserts malicious code—which your browser automatically runs—into a Web page you trust;
  • Cross-site request forgery (CSRF), in which the attacker inserts code in one Web page that allows him to send commands in your name, using your browser, to another (your bank, for example);
  • Click-jacking, in which malicious programmers overlay hidden buttons on a Web site, which you may then inadvertently click.

Browser attacks use deceptive Web pages or links to redirect you to undesired locations, to hijack browsing sessions, to download software to your computer, or to perform transactions (such as forwarding your Web mail to the attacker).

The second type of Web attacks target your entire system. Such systemic attacks exploit security flaws in your browser or its plug-ins (such as QuickTime or Flash) to compromise your computer. These attacks take advantage of buffer overflows and vulnerabilities that have long enabled viruses, worms, and remote attacks.

To protect myself from both kinds of attacks and to isolate the damage if I do get hacked, I use a multilevel strategy. That starts with generating and storing passwords with 1Password ( ). (For more password tips, see Top Password Tips.) But I also use a layered system of multiple browsers and even operating systems to keep myself as safe as possible. Even if you don't visit the kinds of sites I do, some of these precautions could be useful to you, too.

Multiple browsers

My first line of defense is to use different Web browsers for different activities. That way, even if an attacker compromises a Web forum that I log in to, he or she can't cross over from there to attack my online banking, because I use a separate browser for that. Or, because I use a dedicated browser for Facebook, the latest XSS Facebook worm can't escape from there to gain access to my Amazon or Web mail accounts.

My primary browser is Firefox 3.5 ( ) configured with the NoScript and Adblock Plus plug-ins.

NoScript
With the NoScript Firefox plug-in, you get fine-grained control over Web-based scripts.
By default, NoScript disables Java, JavaScript, Flash, and other dynamic content that's often used in attacks. It gives me fine-grained control, so I can permanently or temporarily enable scripts for specific sites or pages. Because it's nearly impossible to attack a browser that doesn't run scripts or plug-ins, NoScript is extremely effective as long as I don't accidentally authorize anything malicious.

Adblock Plus uses blacklists of known advertising and spyware sites to automatically block content from them. I use it as a backup to NoScript in case I do slip up and authorize a script I shouldn't have. Bad guys are increasingly using ad banners and trackers to distribute their mischief; Adblock Plus gives me a little extra insurance.

In addition to those two plug-ins, I also tell Firefox not to store my passwords (Preferences -> Security); I use 1Password for that.

I use Firefox for general browsing and commerce sites such as Amazon, but I don't use it for sites where I'll have to enter extremely sensitive personal information (such as banks) or sites that I know to be extremely risky. For those, I use some of the more stringent measures outlined below.

Because Safari is harder to lock down than Firefox, I use it for sites that are neither sensitive nor risky, such as Wikipedia, Pandora, and Apple. These are sites I visit frequently, where I don't want to deal with managing NoScript exemptions, or which tend to work better in Safari than in Firefox. Under Preferences -> General, I disable Open Safe Files After Downloading. Under Preferences -> Autofill, I disable User Names And Passwords.

By default, both Firefox and Safari will try to identify known fraudulent sites using public blacklists. (In Firefox, go to Preferences -> Security -> Block Reported Attack Sites; in Safari, go to Preferences -> Security -> Warn When Visiting A Fraudulent Website.) I leave these settings activated.

I use NetNewsWire as my RSS feed reader. In its Preferences -> Browsing -> Web Pages pane, I disable all plug-ins, to prevent malicious code from being sent via an RSS feed (such as a video file containing a buffer overflow).

Dedicated browsers

Although Firefox and Safari are good for general browsing, when I need more protection, I use either a dedicated browser or a site-specific browser (SSB).

By "dedicated browser," I mean a regular Web browser that I use only for one site. In my case, I use OmniWeb ( ) to manage my company Web site and blog.

Omniweb rules
OmniWeb lets you create sophisticated rules regarding which sites the browser can and can't visit.
I've implemented rules in OmniWeb to keep it from accessing any site outside my corporate domain: in Preferences -> Ad Blocking, I clicked Edit The Blocked URLs List. In the top window listing blocked sites, I added a rule for /* to block every Web site. In the bottom, trusted-sites window (which overrides the blocked-sites list), I added securosis\.com to allow anything from my site. Those windows support complex regular expressions, so you can create some pretty sophisticated rules.

For sites that I don't trust at all, I use an SSB. For example, as I mentioned above, I'm wary of Facebook; I access it through an SSB.

An SSB is essentially a stripped-down Web browser that you can create yourself in a few clicks. I created one with the Prism add-on for Firefox. (Go to Tools -> Add-ons -> Get Add-ons, search for Prism, and then install it.) With Prism installed, browse to that site and select Tools -> Convert Web Site To Application.

Unlike a dedicated browser, an SSB lets me browse to other Web sites. But because an SSB is a completely separate process, I can restrict its Web access using the Little Snitch ( ) outbound firewall. If someone attacks the SSB, they can't touch my other browsers or steal my browsing history, except for the SSB's.

Multiple operating systems

For extremely risky or sensitive sites, I use virtual machines (VMs), using VMware Fusion ( ) or Parallels ( ), to isolate Web activity even more.

For example, I do all of my banking in a dedicated VM using Microsoft Internet Explorer 8 running on the latest release candidate of Windows 7. IE8 on Windows 7 is very secure—especially because I don't use it to visit any Web sites other than my banks, nor do I use the VM for e-mail or other Internet activity. This eliminates all possible browser attacks (unless my bank itself is compromised), and an attacker would need to completely take over my Mac to get my banking information.

Incognito Linux Live CD
For the ultimate in safe browsing, run a browser in a different operating system from a live CD (such as Incognito).
For maximum browsing security, I use the Incognito Linux live CD in a VM. A live CD contains a bootable operating system; it runs the OS from the optical drive, without installing anything on the hard drive. I like Incognito because it includes other privacy-enhancement features, but any live CD with a Web browser will work.

Because the CDs are read-only, the VM runs everything in memory without touching the local file system (except for virtual memory). An attacker could completely compromise and control that VM, but he or she couldn't touch anything else on my system. Because the state of the VM is never saved to disk, all I have to do is shut it down and reboot to return to a pristine, clean image.

Granted, my chosen profession requires a tad more paranoia than is mentally healthy for the average user. Still, these techniques are relevant for anyone concerned about security. At a minimum, I recommend dedicated password management, a dedicated Web browser or SSB for banking, and perhaps a VM for those occasional trips to the darker edges of the Internet.

Rich Mogull has worked in the security world for 17 years. He writes for TidBits and works as a security analyst through Securosis.com.]

Subscribe to the Apple @ Work Newsletter

Comments