I like to think I’ve got operating system security down pretty well. I know I’m not as good with network security, but I try just as hard. When I got into web security this summer, I took a hard look at how I could improve the security of my web browser and it’s only taken me 4 months to realize that it’s probably a pointless endeavor.
This is what my desktop looked like up until yesterday:
That’s 4 different web browsers and 7 different Prism Single-Site-Browsers (SSBs). That’s right, I sucked it up and used SSBs for a whole 4 months after I wrote a post denouncing them because they seemed like the only good option I had. Oh, and every SSB had NoScript installed on it.
The purpose for all this was to keep my cookies isolated from each other and divide my browsing habits into different domains, so if I got caught in an attack on… say, this weblog, there would be no way an attacker could also walk away with my Google auth tokens. Google obviously means a lot to me, so I decided I need to keep all of their services completely isolated from everything else, hence the SSBs. I also cleared the data stored in each browser on a regular basis to minimize the information stored by them at any given time.
This was a surprisingly usable system for a while. The one golden rule I had to always remember was to never let a browser have access to my Google account. Even if I screwed up the golden rule, those cookies would only be exposed in that browser for about a week and would likely be under the protection of NoScript. Awesome.
The number one reason I couldn’t hold this up was due to the lack of an address bar in Prism SSBs. I’d want to favorite a video in YouTube so I’d open up my YouTube SSB (YouTube = Google don’t forget!) but then I had nowhere to paste the URL to get back to it! Or maybe I’d get an e-mail in my Gmail SSB saying “so-and-so has followed you on Twitter” but the link would open in Firefox (no Twitter cookies there!). I’d have to open my Twitter SSB (I just don’t trust Twitter, sorry al3x) and scroll through dozens of pages of the people following me to track down the new guy due to the lack of an address bar.
Prism SSBs have to be an order of magnitude more customizable than the simple 8-line ini file they’ve got now to be of use to me. For starters, I want a single SSB that can browse to any Google service, with tabs and a working address bar.
This didn’t sound like a bad idea when I thought about it, so I got rid of all the Prism SSBs I made and turned Google Chrome into the “multi-site-SSB” I imagined above. Chrome is my Google-only browser and Firefox w/ NoScript is my everything-else browser. I carefully copy-and-paste links from Chrome to Firefox when I want to see things. When Chrome gets a plugin architecture, I’ll probably hack something up to do this programmatically ( if(!onWhitelist(url)) {gtfo(url);} ). I still clear personal data from both on a regular basis and I still use SSBs for select websites *cough* this blog *cough*.
Still, this isn’t quite adequate. Of course I lost NoScript, but even so, there are an uncountable number of ways I could lose my data and hardly any way for me to detect that an online account of mine has been taken over. Why? Let me lay out a few broad reasons:
- Google has a large number of web properties that have had issues in the past.
- NoScript isn’t going to protect you from domains you’ve whitelisted and, further, it’s become a sport to break its filters.
- (hat tip to Erik Cabetas) Things will only get more complicated as browsers and developers adopt the latest web standards.
- Mozilla’s Content-Security-Policy might be good but it requires 3rd party adoption and has a [likely] unacceptable performance overhead for CSRF-mitigation.
I’m sure you can think of more. So at this point, I’ll open it up to you guys. What do you do to keep yourself safe online from a client-side perspective? What new technology can significantly improve my web security that I can adopt right now?
(Note: I’m not concerned about operating system exploits, there are better ways to handle those)
(Also note: it was past 4am while I was writing this. Apologies if this turns out to be a huge, unintelligible rant in the morning.)
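The whitelist check sketched in the post as if(!onWhitelist(url)) {gtfo(url);} depends entirely on how the hostname is matched, so here is one way to write it, as an added example that is not part of the original post. The domain list, the sample links and the names parseHost and routeUrl are assumptions made for illustration; only onWhitelist comes from the post.

```javascript
// Added example, not the author's code. Constructed allow-list of domains
// that belong in the isolated "Google-only" browser.
const GOOGLE_ONLY = ["google.com", "youtube.com", "gmail.com"];

// Parse strictly: anything that fails to parse or is not http(s) is rejected.
function parseHost(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // URL.hostname is lower-cased and excludes userinfo and port;
  // strip a trailing root dot so "google.com." equals "google.com".
  return u.hostname.replace(/\.$/, "");
}

// True only for an exact match or a subdomain on a label boundary.
// A plain substring or endsWith(domain) test would also accept
// "notgoogle.com" and "google.com.evil.example".
function onWhitelist(raw, allowed = GOOGLE_ONLY) {
  const host = parseHost(raw);
  if (host === null) return false;
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

// Decide where a clicked link belongs (hypothetical helper).
function routeUrl(raw) {
  return onWhitelist(raw) ? "isolated" : "general";
}

// Constructed sample links, including look-alikes that must NOT stay isolated.
const SAMPLES = [
  "https://mail.google.com/mail/u/0/",
  "http://www.youtube.com/watch?v=L74o9RQbkUA",
  "https://GOOGLE.com./",
  "https://google.com.evil.example/login",
  "https://google.com@evil.example/",
  "https://notgoogle.com/",
  "https://evil.example/?next=https://accounts.google.com/",
  "ftp://google.com/",
  "not a url",
];

for (const s of SAMPLES) console.log(routeUrl(s).padEnd(9), s);
```

The check only covers the first navigation: a whitelisted host that redirects elsewhere still carries the isolated browser off the list, so each redirect target needs the same test.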

browser condoms, running browsers in modified qemus. my concern isn’t losing my cookies, the other end is already owned.
I use a slightly different approach, I don’t have any accounts on google/twitter/etc. to get hijacked
I use one browser for my email, and another for everything else. Any accounts I need I usually grab from bugmenot.com. For your old setup I think just patching prism to have a URL bar and support a whitelist would make it actually useable.
In the end, there really isn’t anything you can do, as the “Famous shmoocon speaker” Raven said “0day can happen to anyone”
http://www.youtube.com/watch?v=L74o9RQbkUA
Cool – I get it.
Now how do I explain this to my Mom?
Hint – She’s 72.
Mere mortals don’t have a chance.
Great post. Haven’t really delved into SSBs, but I use FF in Sandboxie quite a lot. I’ve recently started to mimic your behaviour as far as Chrome and FF is concerned too, using Chrome for all my Google based stuff and FF for everything else.
Here are some of my PersOpSec tips (yes, I just made up that word):
Since my favorite operating system happens to be one with a less-than-stellar security history, I actually end up doing most of my web-based activities in a Vista x64 VM, using 64-bit browsers wherever possible. The fact that Flash doesn’t run is a feature. This is used for all low and medium sensitivity surfing. High sensitivity surfing (finance, etc) is done through bookmarks in the browser on the native OS.
Also, maintain separate Google accounts for misc. crap and one for e-mail. Your e-mail Google account (medium sensitivity) is only used in a SSB, but you can use your other one in a normal browser. Copying links from Google reader is a pain, so just treat it all as low-sensitivity.
Finally, recompile security sensitive apps (ssh, silc, browsers, etc) with garbage collecting heaps (boehmgc) or alternate heap implementations (hoard). That will change things enough that an exploitation attempt will likely fail loudly.
looking forward for more information about this. thanks for sharing. Eugene