Web Browser Security Revisited (Part 7)

by [Published on 23 April 2014 / Last Updated on 23 April 2014]

For the past 6 articles, we’ve been talking about the current state of web browser security, both in general and as it applies to different popular browsers. We’ve covered specifics for the “Big Three,” Internet Explorer, Chrome and Firefox. In this, Part 7, we’re going to wrap it up with the other two browsers that have statistically significant market shares: Apple Safari and Opera.

If you would like to read the other parts in this article series please go to

Apple Safari

Apple’s browser, Safari, has gained somewhat in popularity thanks to the company’s mobile operating system, iOS. However, it has lagged behind the other popular web browsers in terms of security. Now Apple is playing catch-up.

Safari security features

With the latest version of Safari, the one included in OS X 10.9 (Mavericks), Flash Player finally runs in a sandbox, as it already does in IE, Chrome and Firefox. This improves Safari’s security because code that compromises the plug-in is prevented from writing to files or tampering with the memory used by other applications. Other potentially harmful plug-ins such as Silverlight, QuickTime, Java and the PDF viewer are also sandboxed, and you can restrict individual plug-ins to run only on specified trusted sites.

The browser also runs each web page (tab) in a separate process, as has become the norm with the major web browsers. If a user visits a web site that runs malicious code, a crash or compromise of that page’s process does not take down the whole browser, and the attacker needs a further escape from that process before reaching data belonging to a different tab.

Like the other browsers, Safari has built-in privacy protections. It blocks cookies and other website data from third parties and advertisers by default, and can be set to block all sites from storing data locally. There is a “do not track” feature; as with other browsers, it asks sites not to track you but cannot force them to honor the request. Safari also has a private browsing mode that keeps visited sites out of the browsing history and prevents searches and data entered into forms from being stored.

Safari is also available for Windows. The most recent version is 5.1.7, and it can be downloaded here. That version was released back in May 2012 and, according to Apple’s web site, is supported only on Windows XP, Vista and 7, though it will install on Windows 8/8.1 as well. Bear in mind that a browser build that has not been updated since 2012 lacks every WebKit security fix issued since then, which is reason enough to keep it off managed Windows machines.

Configuring Safari for best security

To configure security settings in Safari on Windows, select Preferences from the Tools menu (Gear icon at the top right of the browser window), then select Security. As shown in Figure 1, you have only a few simple options here.

Figure 1

By default, the settings to warn when visiting a fraudulent web site and to ask before sending a non-secure form to a secure web site are enabled, and pop-ups are blocked. Note, however, that plug-ins, Java and JavaScript are all enabled by default. Java and any plug-ins you do not need can be disabled at little cost; disabling JavaScript removes a large part of the attack surface but breaks most modern sites, so it is practical only for a tightly controlled set of users.

Safari on OS X is a bit more configurable, as it includes the very important Manage Website Settings button next to the Java option, which is shown in Figure 2.

Figure 2

This allows you to control the behavior of Java on individual web sites. You can enter the URLs for those web sites on which you want to allow Java and then select from four options for each individual site:

  • Ask Before Using will display a dialog box each time the site attempts to load a Java applet. If there is an updated version of Java available, the user will be prompted to download and install it first.
  • Block Always will not allow Java applets to run on the page; users will see a notification of “Blocked Plug-in.”
  • Allow will permit the site to run Java applets. If there is an updated version of Java available, the user will be prompted to download and install it first.
  • Always Allow permits the site to run applets without prompting to download and install the latest version of Java.

Note:
Because of the paucity of configurable security options, I would not recommend Safari as the browser of choice in a high-security environment, especially on Windows, where the build has not been updated since 2012.

The Privacy tab on the Preferences dialog box is also very simple, with only a few options, as shown in Figure 3.

Figure 3

Here you can clear your cookies, select whether and when to block cookies, and select whether and how web sites can access location services (if such are built into your device).

As far as I could determine, Apple does not provide administrative templates for managing Safari via Group Policy, as can be done with Chrome and Firefox. However, you may be able to block the Safari browser from running on Windows machines via Group Policy, as described in this article.

Opera

In 2012, a poll by Naked Security found that respondents considered Opera the most secure of the popular browsers. That opinion may have changed in June 2013, when Opera’s security group disclosed a targeted attack on its internal network. The attackers obtained an old, expired Opera code signing certificate and used it to sign malware, and Opera warned that some users may have received and installed the malware believing it was an update to the Opera browser.

Opera security features

Opera includes the security features common to the other major web browsers: fraud and malware protection, enabled by default, that checks the sites you visit against blacklists of known phishing and other malicious sites. It supports EV (extended validation) certificates and lets you control the behavior of plug-ins, tracking, storage of information, and web sites’ access to your computer’s or device’s hardware and local data.

Configuring Opera for best security

The latest version of Opera for Windows (18.0.1284.68 at the time of this writing) provides options for configuring privacy and security settings through Opera button | Settings | Privacy & security, as shown in Figure 4. Opera has been built on the Chromium engine since version 15, so these settings and their defaults closely mirror Chrome’s.

Figure 4

Here you can clear the browsing history, download history, cookies, cache and saved passwords (on an individual basis). A nice feature is that Opera gives you the option to select the timeframe for deletion, so you can just clear the items from the past hour, from the beginning of time, or something in between, as shown in Figure 5.

Figure 5

A “do not track” feature can be enabled, and you can choose whether to use prediction services and automatically send statistics and crash reports to Opera (enabled by default).

By default, passwords for web sites you access are saved. If you’re concerned about security, you might want to disable this function. You can also block specific web sites from saving passwords. If you do save passwords, you can change the default location of the password file, which might make it a little less accessible to a casual attacker. It buys little against malware, however: on Windows the stored passwords are protected only by the logged-on user’s credentials (DPAPI), so any code running under that account can read them wherever the file lives.

There are a number of options in regard to how the browser handles cookies. By default, web sites can set local data but you can have the local data cleared when you close the browser, block sites from setting any data or block both third party cookies and site data. You can also create exceptions to these global settings for particular web sites through the Manage exceptions option, and view and remove individual cookies and site data.

JavaScript and plug-ins are configured not from the Privacy & security page, as you might expect, but from the Websites section of Settings. Here you can set plug-ins to run automatically (the default), block them, or require a click to play; again, you can create exceptions for specific web sites. Note, too, that you may want to block sites from accessing your webcam and microphone, which you can do through the Media section on the Websites page.

If a web site uses location-based services, when you visit it in Opera a dialog box appears at the address bar asking whether to allow or deny the site access to your geolocation information, which may be derived from the device’s GPS receiver, your IP address, Wi-Fi access-point mapping or (on cellular devices) the IDs of nearby cell towers. You can choose to always allow location access for this site, to allow it this once, or to deny access (you won’t be asked again). When you allow access, a geolocation icon appears in the address bar to remind you that your location is being shared. You can turn off geolocation for all sites through the Location setting in the same Websites section of Settings.
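All of the Opera settings discussed above (saved passwords, Do Not Track, prediction services, plug-in click-to-play, third-party cookies, camera and microphone, and geolocation) end up in one place on disk: because Opera 15 and later are built on Chromium, the profile settings live in a JSON file named Preferences under the profile folder (on Windows, %APPDATA%\Opera Software\Opera Stable\Preferences). The Python script below is an added example and is not Opera’s code or anything from the original article. It audits such a file against a hardening baseline and can write a hardened copy. The dotted key names and the numeric content-setting values (1 allow, 2 block, 3 ask, which for plug-ins means click to play) are assumptions based on Chromium’s Preferences layout of that era, so check them against your own profile before deploying; the embedded sample profile is constructed to resemble Opera’s defaults.

```python
"""Audit a Chromium-style Opera 'Preferences' file against a hardening baseline.

Added example, not Opera's code.  Key names and numeric values are assumptions
based on Chromium's Preferences layout; verify them against your own profile.
"""
import copy
import json
import sys
from pathlib import Path

# Chromium content-setting values.  For plug-ins, ASK means "click to play".
ALLOW, BLOCK, ASK = 1, 2, 3

# Dotted key path -> (hardened value, reason).  An absent key means Opera's
# built-in default applies, which for every key below is the weaker setting.
BASELINE = {
    "profile.password_manager_enabled": (False, "do not store site passwords in the browser"),
    "enable_do_not_track": (True, "send the DNT header (sites may still ignore it)"),
    "search.suggest_enabled": (False, "do not send keystrokes to a prediction service"),
    "profile.block_third_party_cookies": (True, "block third-party cookies"),
    "profile.default_content_settings.plugins": (ASK, "plug-ins click to play, not auto-run"),
    "profile.default_content_settings.geolocation": (BLOCK, "no location sharing by default"),
    "profile.default_content_settings.media-stream": (BLOCK, "no webcam/microphone by default"),
}

# Constructed sample resembling a fresh Opera 18 profile (assumed defaults).
SAMPLE_PREFS = {
    "profile": {
        "password_manager_enabled": True,
        "block_third_party_cookies": False,
        "default_content_settings": {"plugins": ALLOW, "geolocation": ASK, "media-stream": ASK},
    },
    "enable_do_not_track": False,
    "search": {"suggest_enabled": True},
}


def get_path(prefs, dotted, default=None):
    """Walk a dotted path through nested dicts; return default if any part is missing."""
    node = prefs
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def set_path(prefs, dotted, value):
    """Set a dotted path, creating intermediate dicts as needed."""
    parts = dotted.split(".")
    node = prefs
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def audit(prefs):
    """Return (key, current, wanted, reason) for every setting that misses the baseline."""
    findings = []
    for key, (wanted, reason) in BASELINE.items():
        current = get_path(prefs, key)
        if current != wanted:
            findings.append((key, current, wanted, reason))
    return findings


def harden(prefs):
    """Return a deep copy of prefs with every baseline setting applied; the input is untouched."""
    fixed = copy.deepcopy(prefs)
    for key, (wanted, _) in BASELINE.items():
        set_path(fixed, key, wanted)
    return fixed


if __name__ == "__main__":
    # Usage: opera_prefs_audit.py [path/to/Preferences [path/to/hardened-output]]
    # Close Opera before editing a real profile: it rewrites Preferences on exit.
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    prefs = json.loads(src.read_text(encoding="utf-8")) if src else SAMPLE_PREFS
    for key, current, wanted, reason in audit(prefs):
        print(f"{key}: is {current!r}, want {wanted!r} ({reason})")
    if len(sys.argv) > 2:
        Path(sys.argv[2]).write_text(json.dumps(harden(prefs), indent=2), encoding="utf-8")
```

Run it without arguments to see the seven findings against the constructed sample, or pass the path of a real Preferences file (and, optionally, an output path for the hardened copy). Edit the live file only with Opera closed, since the browser writes the file back on exit and would overwrite your changes; for a fleet, the same baseline is what you would enforce through a tool such as PolicyPak rather than by editing profiles by hand.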

Administrators can lock down the Opera browser utilizing Group Policy with a third party product called PolicyPak. Its application manager integrates into the Group Policy Editor and lets you do such things as forcing the enablement of the fraud and malware protection feature, manage cookie handling settings, etc. You can find out more about it here.

Summary

In this 7-part series of articles, we’ve taken a pretty comprehensive look at where web browser security is today. It has come a long way since I previously covered this topic on this site, with all the major browser vendors incorporating many new security features. Unfortunately, that doesn’t mean the web is now a safe place; it’s still a favorite vector for attackers. Kaspersky Lab’s research showed that the number of web-based attacks increased worldwide in 2013, from almost 1.6 billion to over 1.7 billion. The good news is that the growth rate of such attacks fell.

With numbers that large, it’s obvious that securing the web browsers used by computer users needs to be a priority for any IT professional who’s tasked with overseeing the security of a business network.
