Which browser is most secure?

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

Which browser is most secure?

#1 Post by Lobster »

Working on the next version of GROWL

Puppy Browser is enabled for javascript and flash - not so good for security :cry:

choices in 4.3.1 package manager include:
gtkmoz
netsurf
skipstone
Would Dillo2 (if available?) be better for security/banking/building world's biggest net?
[ :oops: oops must not reveal secret Lobsterian phishing plans for increasing fish stocks] :wink:

Which is the best of the small browsers for security?
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

trapster
Posts: 2117
Joined: Mon 28 Nov 2005, 23:14
Location: Maine, USA

#2 Post by trapster »

I'm curious, is it only gui browsers that are security risks?
Where does lynx or elinks fit into this?
trapster
Maine, USA

Asus eeepc 1005HA PU1X-BK
Frugal install: Slacko
Currently using full install: DebianDog

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#3 Post by Lobster »

lynx or elinks do not have javascript or Flash

Javascript is the only problem I have experienced
that is redirects or 'Clickjacking attacks'
You can turn off javascript with Monkeymenu
or Noscript
https://addons.mozilla.org/en-US/seamonkey/addon/722
- however these attacks are annoying more than anything
One did try and convince me that Windows was infected
I of course was not running Windows it was trying to sell
a product for a fault I did not and could not have (no Wine on my system even)

Adblock (part of 4.3.1) disables Flash
which can contain actionscript BUT I have never experienced problems with it
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#4 Post by mikeb »

The integration of Internet Explorer and other ActiveX controls on Windows was the main catalyst for virus proliferation on the internet. The other route was having LAN ports open to the net... 135/137/139 (RPC and NetBIOS/Samba).
That's about it really...deal with that and life is much better.

mike
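
Added example, not part of mikeb's post: one way to check a machine for listeners on the ports mikeb names (135, 137, 139) by parsing `netstat -tuln` output and reporting those not bound to loopback. The sample output, the function name `exposed_listeners` and the service labels are constructed for illustration.

```python
import ipaddress

# Ports named in the post above; the service labels are added here.
RISKY_PORTS = {135: "RPC endpoint mapper",
               137: "NetBIOS name service",
               139: "NetBIOS session (SMB/Samba)"}

# Constructed sample of `netstat -tuln` output, not captured from a real host.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:80         0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.20:138        0.0.0.0:*
tcp6       0      0 :::139                  :::*                    LISTEN
"""

def exposed_listeners(netstat_text, ports=RISKY_PORTS):
    """Return (proto, address, port, service) for risky ports not bound to loopback."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and fields[-1] != "LISTEN":
            continue  # only listening TCP sockets; UDP has no state column
        host, _, port = local.rpartition(":")  # ":::139" -> host "::"
        if not port.isdigit() or int(port) not in ports:
            continue
        if host == "*":
            host = "0.0.0.0"  # some netstat builds print the wildcard as "*"
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue  # reachable only from the machine itself
        findings.append((proto, str(addr), int(port), ports[int(port)]))
    return findings

if __name__ == "__main__":
    for proto, addr, port, service in exposed_listeners(SAMPLE):
        print(f"{proto:5} {addr}:{port}  {service}")
```

On a live system, pass in the output of `netstat -tuln` instead of `SAMPLE`. A listener on a wildcard or LAN address is reachable from the internet only if the router or firewall lets the traffic through, so a finding here is a prompt to check those rules or stop the service.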

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#5 Post by 8-bit »

I have an old laptop that dual boots Puppy 421 and Puppy 431.
It was sitting idle with a black screen and no applications running.
It had a netlink USB wireless connection to the internet, but no browser running.
I noticed that the activity light on the USB wireless stick was flashing.
When I went to shut it down, just before the screen shut down with the computer, I noticed in the center of the screen a fleeting message.
All it said was "Keyboard Logger".
This is the first time I have ever seen anything like that.
I was also running Puppy 431 on the other computer that was connected to the router physically.
Is this anything to be concerned with?
Remember we are talking about 2 PCs running Puppy 431 here.

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

#6 Post by efiguy »

Hello 8-bit,

I too have noticed my network Icon flashing unexpectedly running Barry's early version, 431 (works fine for the tamed webserver app that I use it for and some browsing) have a download also from ttuuxxx website that is September update to try. Actually posting from Lighthouse in ram Puppy and found your post.

The harddrive version of 431 has Iptable mods and resists GRC probes, Cupsd is turned off. A base hardened Hiawatha is turned on, but there isn't any publication of its IP's and ports, but the PC sets directly off of a Linksys router.

I know that Windows is vulnerable to commercial keyloggers, and presume that Linux should also be, as it is so "network friendly", and the personal using it so much more capable of programming art.

I found a small linux a coupla days ago with a rootkit searching in the menu, it is called Insert-139B or close to that, maybe # is partially wrong,
Went to HD and found name to be INSERT-1.3.9b_en.iso

I booted it in ram, but it was so needful of command line guidance, that I personally could not use it.
As I type here, the network Icon of Lighthouse is inactive, as is the HD lights, I would have concern over your systems, maybe mine too

jay

PS edit,
A thought just occurred to me, reading all the posts on ttuuxxx link where members lament that so many pets have not been updated and errors are continued from puppy version to version, this is a way that mischief might be done, even if the "listener" on the "far end" is long gone - just a thought.
.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#7 Post by Lobster »

Would you click on this browser link?
http://5z8.info/manhunter_b0c6w_nakedgrandmas.jpg

:shock:
Yep part of my 'don't fight the paranoia' campaign
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nitehawk
Posts: 658
Joined: Sun 13 Apr 2008, 22:30
Location: West Central Florida

#8 Post by nitehawk »

OK,...Netsurf and Skipstone don't have (am I right?) java or flash? I've used Midori (I likey)....but it has flash enabled (not java, though). But don't a lot of the banking (I'm thinking PayPal, too) require the use of java and/or flash? For instance,..even when I use the very latest FireFox,..my bank's "secure" website fusses at me for not using IE!!! (Firefox works, though,..just don't know how secure it really is...and the banking website has some stuff that only work with java).

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

#9 Post by DMcCunney »

nitehawk wrote: OK,...Netsurf and Skipstone don't have (am I right?) java or flash? I've used Midori (I likey)....but it has flash enabled (not java, though). But don't a lot of the banking (I'm thinking PayPal, too) require the use of java and/or flash? For instance,..even when I use the very latest FireFox,..my bank's "secure" website fusses at me for not using IE!!! (Firefox works, though,..just don't know how secure it really is...and the banking website has some stuff that only work with java).
Let's be clear on a crucial point. Java and JavaScript are completely unrelated.

Java is a language created by Dr. James Gosling at Sun Microsystems, designed to be "Write once, run anywhere". Compiled Java code will run on any machine with a Java Virtual Machine installed, regardless of what you built it on. You can write Java on a PC and run it on Linux. Some websites embed Java applets, though they are rare. If you have Java installed on your machine, the browser calls Java as a plugin to handle the applet, the same way it calls Adobe's Flash player to handle flash.

JavaScript is a light weight, object oriented scripting language, originally written by Brendan Eich for Netscape Navigator 2. (Brendan is now Chief Architect at Mozilla.) It was originally called LiveScript, and was renamed to JavaScript by someone in Netscape marketing to capitalize on the popularity of Sun's then new Java language. This has caused endless confusion in the years since by people who conflate the two. The only thing the two languages have in common is the word Java in the name.

JavaScript has subsequently been implemented by most other browsers, has become an ECMA standard, and is appearing in things that aren't browsers. (Adobe embeds a form called ActionScript in PDFs.)

The main Linux browser I can think of offhand that doesn't support JavaScript is Dillo. (NetSurf and Skipstone may not, but I don't have them installed to look.) Firefox, SeaMonkey, Opera, Midori, and Elinks here all handle JavaScript. Firefox disables some JavaScript functions by default, like the "open unrequested window" function, which is normally used to create popups. The NoScript extension can disable JavaScript entirely (and optionally disable Java, Flash, and Microsoft Silverlight) unless the website is in a user maintained whitelist.

Most websites now use JavaScript, and won't behave correctly unless it is active. Your banking site (and mine) both use it. No banking site I am aware of uses Java (and I can't see a reason offhand why it would need to.) I could disable JavaScript entirely, but won't. Too many places I visit require it.

Many websites, including banking sites, alas, are coded expecting Internet Explorer as the browser, and complain if they don't see it. Generally, Firefox will actually work just fine, as long as the site is coded adhering to current web development standards. There are add-ons for Firefox and SeaMonkey designed to deal with brain dead sites that only think they work with IE by lying. They modify the user agent string sent to the website when they access it to claim the browser is IE rather than Firefox/SeaMonkey. (It's actually been some time since I've had to resort to that sort of trickery to get a site to work. Firefox is now too popular to ignore. :P)

I haven't had security issues or worries with my banking and credit card sites. All use https to create an encrypted session between me and them when I am accessing account information. I don't worry about being compromised when I am accessing it.
______
Dennis

xman
Posts: 144
Joined: Thu 24 Sep 2009, 06:31

#10 Post by xman »

DMcCunney wrote: Java is a language created by Dr. James Gosling at Sun Microsystems, designed to be "Write once, run anywhere". Compiled Java code will run on any machine with a Java Virtual Machine installed, regardless of what you built it on. You can write Java on a PC and run it on Linux. Some websites embed Java applets, though they are rare. If you have Java installed on your machine, the browser calls Java as a plugin to handle the applet, the same way it calls Adobe's Flash player to handle flash.
Father of Java, James Gosling, follows a number of other noted ex-Sun employees out the door since Oracle's purchase of the company was finalized in January.

After news, something about insecure browsing. Google researcher Tavis Ormandy has published details of a Java virtual machine bug that could be used to run unauthorized programs on a computer. The flaw affects all versions since Java SE 6 update 10 for Microsoft Windows and Linux (http://seclists.org/bugtraq/2010/Apr/80).

Many researchers are talking about a serious Java bug, but Oracle doesn't consider this vulnerability to be critical, which could be a mistake on their part, as that means it won't be patched until the next patch in the cycle is released, which should be around July.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#11 Post by Lobster »

Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

xman
Posts: 144
Joined: Thu 24 Sep 2009, 06:31

#12 Post by xman »

Is your browser unstable? Do you have Java? Is your Java up to date? Many questions, but there is a reason for them. The number of Java exploit attempts increased sharply in summer (http://blogs.technet.com/b/mmpc/archive ... -java.aspx).

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#13 Post by Lobster »

http://puppylinux.org/wikka/JavaRuntimeEnvironment

Coolpup has just repackaged java
Midori in Lucid 5.2 warns that it may be a security risk if used as
a connect to web browser (it is used internally as a HTML reader)
- is it a risk? Can it be hardened?
What about Iron (secure Chrome) 2 versions are available in the
Lucid 5.2 package manager - check it out
http://en.wikipedia.org/wiki/SRWare_Iron

Check them all with Wireshark
http://murga-linux.com/puppy/viewtopic. ... 787#111787
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#14 Post by Lobster »

900 million IE users compromised
http://www.bbc.co.uk/news/technology-12325139
Last edited by Lobster on Wed 02 Feb 2011, 05:07, edited 1 time in total.
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#15 Post by ttuuxxx »

I would say the latest Firefox 4, without flash and java. Firefox is updated 10 to 1 compared to Seamonkey, the guys at Seamonkey just monkey around most the time, lol
I don't think any other browser is updated/patched and tested for security leaks as much as Firefox.
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#16 Post by jpeps »

Haven't picked up any viruses yet using my links browser :)

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#17 Post by ttuuxxx »

hi jpeps
It's not about viruses :) there's only a handful for linux and your chances of getting one with any browser are extremely low. It's more about security, like online banking, or people hacking your system via flash/java holes in the browser that haven't been patched yet. Hmmm but links doesn't do java or flash right, so that's also a great browser, if you like pure min features, but still it does have a place for a lot of users who like that sort of browsing experience :)
ttuuxxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)

xman
Posts: 144
Joined: Thu 24 Sep 2009, 06:31

#18 Post by xman »

Fresh flash and java are needed if any, but what about socially engineered malware.

Old graph
Image

New graph
Image

Test report: http://www.nsslabs.com/assets/noreg-rep ... -FINAL.pdf.

rolo
Posts: 3
Joined: Mon 21 Nov 2011, 11:29

Secure browser

#19 Post by rolo »

Last week, I found out that Fortress Linux has released a secure Linux OS that is called the "Secure Browsing Edition". It only includes a hardened web browser.

This browser has a smart protection system against evil scripts and cookies. And it seems to be the only browser that forces TLS 1.2/SSL 3.3 encryption, while all the available web browsers in my Puppy install only use TLS 1.0, which was cracked recently. (Google for TLS cracked). Besides, I don't trust Puppy anymore after my system was infected by a root-kit last week.

I now use the Fortress Linux secure browsing edition to do my online banking and more. It's fast and it has an "Apple" look window manager. It boots in a matter of seconds.

The URL of their website is:
http://www.fortresslinux.org

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#20 Post by Lobster »

my system was infected by a root-kit last week
Which one?
How do you know?
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D
