Every day we use web browsers, most often Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, Opera and the like. The browser vendors try as much as possible to protect users and their personal information while they use these products, but in some cases users lose their privacy because they are unaware of how the browser handles it. This writeup will help users make educated choices when using these and other browsers for various activities. The internet is our key into the world: it lets us reach virtually anywhere for information, trade, business, communication, entertainment and every other need. Fast and effective communication is a key factor in our daily lives, which is why it is one of the most important features of a web browser. Hence we need to secure ourselves online as we ordinarily would in the real world, because not everyone on the internet has honest intentions.
While we may have anti-virus software on our computers that blocks many kinds of malware, the browser itself may also be vulnerable. Some possible vulnerabilities are as follows:
XSS (Cross-Site Scripting)
Cross-site scripting can be described simply as a code injection attack that injects malicious script into a vulnerable web application. The aim of this kind of attack is to compromise the security of a web application via the client, mostly the browser. Attackers use it to exploit weak input validation and a missing content security policy (CSP) on web applications. Typical injection points include search forms, login forms, message boards and comment boxes. There are different kinds of XSS, such as Reflected XSS, DOM-based XSS and Stored XSS.
Some major browsers, Chrome and Edge among them, developed their own client-side protections against XSS attacks as a security feature, controlled by the X-XSS-Protection header. Chrome had the XSS Auditor, introduced in 2010 to detect XSS attacks and stop such webpages from loading when detected. This was, however, found to be less helpful than initially hoped and was later removed after researchers noticed inconsistencies in its results and cases of false positives. As per MDN web docs (Mozilla Developer Network):
- Chrome has removed their XSS Auditor
- Firefox has not, and will not, implement X-XSS-Protection
- Edge has retired their XSS filter
This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.
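As an added example (not code from the original writeup), the Node.js snippet below shows the server side of that recommendation: a search page that HTML-escapes the reflected query before echoing it, sends a Content-Security-Policy with no 'unsafe-inline' in script-src, and includes a small checker that flags a policy which does allow inline scripts. All function names and the CSP value are this example's own choices.

```javascript
// Added example, not part of the original writeup. Plain functions so the
// result can be inspected; plug handleSearch into http.createServer to serve it.

// HTML-escape the five characters that let text break out of an HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Policy that only runs scripts from the page's own origin. Because there is no
// 'unsafe-inline', an injected <script> or onerror= handler is not executed even
// if output escaping is missed somewhere. (Example value, not from the page.)
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Parse a CSP value into { directiveName: [sources...] }.
function parseCsp(csp) {
  return Object.fromEntries(
    csp.split(";")
      .map((d) => d.trim().split(/\s+/))
      .filter((parts) => parts[0])
      .map(([name, ...sources]) => [name, sources])
  );
}

// True when script-src (or default-src, which applies when script-src is absent)
// permits inline scripts, which is exactly what the MDN advice warns against.
function cspAllowsInlineScripts(csp) {
  const directives = parseCsp(csp);
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.includes("'unsafe-inline'");
}

// Reflected search page: the q parameter is echoed back, so it must be escaped.
function renderSearchPage(q) {
  return `<!doctype html><html><body><p>Results for: ${escapeHtml(q)}</p></body></html>`;
}

// Build a response object (status, headers, body) for a request URL such as
// "/search?q=shoes"; the CSP header goes out with every HTML response.
function handleSearch(rawUrl) {
  const q = new URL(rawUrl, "http://localhost").searchParams.get("q") || "";
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8", "Content-Security-Policy": CSP },
    body: renderSearchPage(q),
  };
}
```

The checker is the quick test to run against any existing policy: a script-src containing 'unsafe-inline' gives back most of the exposure the header was meant to remove.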
Another important issue for browser privacy is being savvy about third-party tracking cookies. Cookies are generally considered useful, as websites use them to uniquely identify users and to tailor the browsing experience accordingly. In practice, that means they record and analyze user behavior.
Firefox announced in September 2019 that it would block third-party tracking cookies by default on both the desktop and mobile browser. Safari on Apple devices also blocks third-party cookies from tracking users across the web. On Chrome, third-party tracking cookies are not blocked by default; blocking can be enabled from the privacy and security settings. Nowadays every website asks you to accept its cookies. We all see these pop-up notices just about everywhere we go on the internet, and we can thank the European Union (EU) for this latest online irritation. The EU brought the General Data Protection Regulation (GDPR) into force in 2018, an 88-page document that sets out privacy and security requirements for anyone providing goods and services in the EU. Since there are no physical boundaries on the internet, it effectively forced everyone around the world to comply with these regulations regardless of where they are located.
Some websites contain crypto-mining scripts, placed there either by the owner of the website or by a third party. These scripts let the attacker use the victim's computing resources to mine cryptocurrency. Some browsers have built-in utilities to block such scripts: Firefox, for example, has a setting to block cryptominers on both desktop and mobile. In Chrome and Safari an extension must be installed to achieve the same.
Fingerprinting is a type of online tracking that is more invasive than ordinary cookie-based tracking. As per Wikipedia, a device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification.
Some users believe that using the browser's incognito mode protects them from fingerprinting, but it does not. Private or incognito mode is not truly private; it only stops cookies and browsing history from being saved locally in the browser, while the websites visited can still record that information. Hence fingerprinting is still possible on such a device. Most browsers are working to protect against fingerprinting by blocking third-party requests to companies known to engage in fingerprinting.
How to secure browsers?
Users need to be more proactive about their privacy and security. We should know which security settings are available in the browser. Each browser has its own privacy and security settings, which give the user control over what information they give out to websites. Some guidance on privacy settings to set in the browser follows:
- Send ‘Do not track’ requests to websites
- Block all third-party cookies
- Disable ActiveX and Flash
- Install privacy extensions or add-ons
- Remove all unnecessary plugins and extensions