Browser security has been receiving attention lately. With the vulnerabilities being found in
Internet Explorer there has been a migration to other browsers. Firefox in particular has gained
popularity because it doesn't use ActiveX, making it a more secure browser. However,
JavaScript, once thought to be safe, has been shown to provide the means for malicious
behavior. That report was found here:
Java Script Report
As of August 16, 2008, while updating our site and checking for broken links, we found that
the link now redirects to hp.com. We didn't spend the time to see if this report still exists
on Hewlett-Packard's pages; however, we are sure a brief web search would turn up quite a bit
of information regarding this situation.
Security experts have been advising users to disable scripting for casual web surfing and to restore scripting and ActiveX features only for sites that need them to function and that you trust, such as online banking sites. The methods for tightening security differ for each browser. Only the two most used browsers are covered in the next sections; however, the links you visit may point you to solutions for your particular browser.
If you think your browser is secure enough, go to this site and test your browser.
If your browser passed the test, congratulations. If your browser didn't pass the tests, put the following security measures in place and try again.
Internet Explorer Links
The Internet properties of Internet Explorer include the concept of security zones. The Internet zone, the Local intranet zone, Trusted sites and Restricted sites are IE's default zones, and each has its own security settings. By default, every site on the web is placed in the Internet zone. Following the experts' advice, you would set the security level of the Internet zone to High for protection while surfing. Your banking sites and other sites you trust would go into the "Trusted sites" zone, whose security settings allow ActiveX and scripting to function. Step by step instructions can be found by using one or more of these links.
As you become more familiar with the workings of IE, or if you are an advanced user, you might find these links of some interest. Aside from more detailed information, you can find methods for adding more zones to Internet Explorer.
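To check what the zone setup described above actually looks like on a machine, the following PowerShell reads it back from the registry. This is an added example, not part of the original article or of any tool it mentions; it only reads the current user's settings (not machine-wide or Group Policy settings), and the function names are made up for illustration.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Zone numbers, URL-action IDs and policy values as stored in the registry.
$zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$policy  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Report the ActiveX and scripting policy of every zone.
function Get-ZoneScriptingPolicy {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = Get-ItemProperty -Path "$base\Zones\$id" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($a in ($actions.Keys | Sort-Object)) {
            $v = $key.$a
            $setting = if ($null -eq $v) { 'Not set' } elseif ($policy.ContainsKey([int]$v)) {
                $policy[[int]$v] } else { "Other ($v)" }
            [pscustomobject]@{ Zone = $zones[$id]; Action = $actions[$a]; Setting = $setting }
        }
    }
}

# List the sites mapped to a zone (default: Trusted sites). A value on the
# domain key covers every host under it, shown here as "*.sitename.com";
# a value on a subkey covers that one host only.
function Get-ZoneMappedSite {
    param([int]$Zone = 2)
    $root = "$base\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    foreach ($domain in Get-ChildItem -Path $root) {
        $keys = @($domain) + @(Get-ChildItem -Path $domain.PSPath)
        foreach ($key in $keys) {
            $site = if ($key.PSPath -eq $domain.PSPath) { "*.$($domain.PSChildName)" }
                    else { "$($key.PSChildName).$($domain.PSChildName)" }
            foreach ($proto in $key.GetValueNames()) {
                # Value name is the protocol ('*', 'http', 'https'); data is the zone.
                if ($proto -and $key.GetValue($proto) -eq $Zone) {
                    [pscustomobject]@{ Site = $site; Protocol = $proto; Zone = $zones[$Zone] }
                }
            }
        }
    }
}

Get-ZoneScriptingPolicy | Format-Table -AutoSize
Get-ZoneMappedSite -Zone 2 | Format-Table -AutoSize
```

With the advice above applied, the Internet zone should show both actions as Disabled, and the Trusted sites list should contain only sites you deliberately added.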
One more link before moving on to Firefox, and I wish I had found it long ago. With IE locked down for secure browsing, it doesn't take long to become aggravated with having to add sites to the trusted zone and then reload the page before you can accomplish your task. The folks at Geeksuperhero.com have come to the rescue! Their small zone changer app does the job nicely! It works via a button on the IE tool bar, and a couple of clicks changes the zone of a visited site on the fly using a "*.sitename.com" style entry, ensuring the functionality of all pages on the site. This zone changer is available free of charge at this download site:
Firefox Links
While Firefox doesn't use the security zone approach, its lack of ActiveX support made it more secure. It does, however, support scripting, which newer versions allow you to disable. There is also an add-on that disables scripting yet allows permanent or temporary enabling of JavaScript on the fly. This add-on, "NoScript", can be found on the Mozilla add-on site. NoScript is as effective and easy to use as IE Zone Changer. Here's the link:
Update 11/07/2007
A subject not addressed in the original article was the password saving feature of browsers. Both Firefox and Internet Explorer exhibit vulnerabilities in this area. Passwords saved by Firefox can be viewed via the options dialog unless a "Master Password" is used. Passwords saved by Internet Explorer are not that easily viewed unless you have the freeware utility IE PassView by NirSoft.
Securing Firefox is done simply by setting a "Master Password". With Firefox open click "Tools" on the top line menu. From the drop down menu select "Options".
The icons at the top of the Options window act like a tabbed folder. Clicking the Security icon will open the portion needed. The middle section is the portion of this window that deals with passwords. Unchecking the "Remember Passwords for sites" box will give the most security and the least convenience. Clicking the "Show Passwords" button is all it takes for anyone to view any and all saved passwords if a master password has not been set. Checking the "Use a master password" box will open the master password entry screen and provide an acceptable compromise between convenience and security.
When the password entry window opens, you will need to enter the password twice. Under the password entry boxes you will notice a "Password quality meter". A good password will turn this meter green. A mixture of upper and lower case letters, numbers and keyboard characters will give you a solid green bar. This is what you want to see when you have entered your chosen password, as a brute force attack can crack easy to guess passwords in a very short time. Remember, physical access to your computer is not necessary; all that is needed is the files, which can be quickly saved to a flash drive or sent over the Internet to the would-be intruder. When you have finished entering your password, be sure to click the "OK" button at the bottom of this window.
While a good strong password will do the trick for Firefox, this is not the case for Internet Explorer at this time. Security gurus are recommending the use of a third party password program to store passwords rather than using this feature in Internet Explorer. This is easy to understand after a quick look at the IE PassView utility. This utility can operate from a flash drive and can output all user names and passwords saved by Internet Explorer in several different formats.