Browserscope security test

View previous topic View next topic Go down

Browserscope security test

Post by p2u on 27/12/2010, 01:15

Security is not all about executables and processes. If you like to see how well your browser is protected against some of the more subtle threats on the Web, then there is 'Browserscope' with some really interesting stuff http://www.browserscope.org/security/test
An explanation about what exactly is tested: http://www.browserscope.org/security/about
P.S.: NoScript protects very well against these threats. I would also be interested in the results of Sandboxie-protected browsers without NoScript.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 27/12/2010, 22:15

Not sure why you'd think that Sandboxie would make a difference to tests like these. Anyway, let me test it out with various browsers, sandboxed and unsandboxed:

1. Unsandboxed and sandboxed default IE 6 browser:


2. Unsandboxed and sandboxed default Firefox 3.6:


3. Unsandboxed and sandboxed default Opera 11.0:


4. Unsandboxed and sandboxed default Google Chrome 7.0:


5. Unsandboxed and sandboxed default Firefox 3.6 with default NoScript:


A quick observation - nothing seems to pass "Content Security Policy" and "Block visited link sniffing" by default.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 27/12/2010, 23:00

Some further reading here:
http://forums.informaction.com/viewtopic.php?f=7&t=4593#p19516

Looks like tests 14-17 were only implemented in the testing suite recently.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 27/12/2010, 23:17

ssj100 wrote:"Block visited link sniffing"
In FF, this can be tweaked through about:config.
Code:
layout.css.visited_links_enabled (boolean) - false)
Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 00:14

Are there any significant disadvantages of doing this for the home user? If there are none, I suppose there's no harm tweaking it.

However, I'm struggling to see any significant advantage of doing it, but perhaps you can give me a real-world example of how it might help? I'm thinking of something like this:

1. User visits banking web-site
2. User then visits a malicious web-site
3. The malicious web-site records something you don't want it to? I hope no one stores their banking (and other sensitive login) passwords in the browser.

If applying the Firefox tweak simply prevents others from viewing my browsing history, then I'm not going to be too interested.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 00:35

ssj100 wrote:However, I'm struggling to see any significant advantage of doing it, but perhaps you can give me a real-world example of how it might help?
A hacker may easily determine what people go to Bank A and ALSO go to sites B, C and D, which have known vulnerabilities. From the business point of view, it will therefore be interesting to set a trap on B, C and D for that type of clients. It also makes social engineering a lot easier if you know the "client's" taste.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 00:41

Okay, so it appers to be mainly for reducing chances of falling for social engineering exploits. Not really useful for me, but I'll personally keep it in mind for others in future. Thanks p2u.

On a related note, real-world (real-life) social engineering exploits that I've personally come across are always in the form of e-mails and MSN messages from friends/relatives (who have had their accounts hacked?). Usually it would involve a link that would take me to a web-site which then asks me to enter my login details for whatever. With the confidence of Sandboxie, I've frequently visited such sites in the past, but of course I've never put in my details. They've now become boring, so I no longer click on the links haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 01:29

ssj100 wrote:Okay, so it appers to be mainly for reducing chances of falling for social engineering exploits. Not really useful for me
You asked me to give you ONE real-world example only and you immediately generalize. Let me give you another one. A hacker "lives" already on one of those social utility sites; even worse: he's one of the administrators there. He regularly checks where people have been and sees that many frequent bank A. Then he goes to bank A and checks. Lo! What a beauty of an XSS vulnerability there...

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 01:36

p2u wrote:
ssj100 wrote:Okay, so it appers to be mainly for reducing chances of falling for social engineering exploits. Not really useful for me
You asked me to give you ONE real-world example only and you immediately generalize. Let me give you another one. A hacker "lives" already on one of those social utility sites; even worse: he's one of the administrators there. He regularly checks where people have been and sees that many frequent bank A. Then he goes to bank A and checks. Lo! What a beauty of an XSS vulnerability there...
It wasn't my intention to generalise haha. It's probably because I don't understand this as well as you do, so please be patient.

Okay, so let's say the hacker finds an XSS vulnerability on your banking site. How exactly will he use it to his advantage if he knows that you also visit eg. this forum?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 01:42

ssj100 wrote:How exactly will he use it to his advantage if he knows that you also visit eg. this forum?
It's no longer personal; it becomes business, big business. How he does it is no longer important. He will know the average type of browser, he might know IP-addresses, etc. If there's a vulnerability on that site, the moment ANYONE logs in, he/she will get their cookie stolen and the session will be taken over with standard tools and tricks. Seems to happen all the time.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 01:45

p2u wrote:
ssj100 wrote:How exactly will he use it to his advantage if he knows that you also visit eg. this forum?
It's no longer personal; it becomes business, big business. How he does it is no longer important. He will know the average type of browser, he might know IP-addresses, etc. If there's a vulnerability on that site, the moment ANYONE logs in, he/she will get their cookie stolen and the session will be taken over with standard tools and tricks. Seems to happen all the time.
So if I understand it correctly, it basically gives the hacker a form of "market research"? And in that case, you would be wanting as many people as possible to apply that Firefox tweak (for the general good of all)?

It's interesting that you say it happens all the time. When next you come across one, could you forward me the actively vulnerable site (via PM might be best)? I'd like to see what happens (if there's anything visible to see) on such an exploited site.

EDIT: by the way, that Firefox tweak doesn't pass the "Block visited link sniffing" test - is it meant to?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 09:36

ssj100 wrote:So if I understand it correctly, it basically gives the hacker a form of "market research"? And in that case, you would be wanting as many people as possible to apply that Firefox tweak (for the general good of all)?
Exactly right. It's organized crime and their business model is a lot more advanced than that of the advertisers, who came up with all those dirty tracking tricks. The average person is not so rich that he/she can afford being tracked. You should also keep in mind that they have "insiders" all over the place, always willing to make an extra buck.

ssj100 wrote:It's interesting that you say it happens all the time. When next you come across one, could you forward me the actively vulnerable site (via PM might be best)? I'd like to see what happens (if there's anything visible to see) on such an exploited site.
Even the giant security providers have vulnerabilities in their sites. Sometimes you hear about this or that site having been hacked (usually young people, showing off; trying to look cool), but it is more dangerous not to report such cases and use the vulnerabilities for your own purposes. You won't see anything, but using the bank's search system with certain non-standard parameters, for example, may trigger the vulnerability and the knowledgeable "hunter" will know what to do. http://en.wikipedia.org/wiki/Cross-site_request_forgery

ssj100 wrote:EDIT: by the way, that Firefox tweak doesn't pass the "Block visited link sniffing" test - is it meant to?
Hm... Did you restart the browser (or better even: the system)? If it doesn't help, I'm in Privacy Mode (by default). I never browse without it. Try that.
P.S.: If you use Flash Player (I don't), then you should also check the Online Flash Settings Manager and set EVERYTHING to Default-Deny. Did you know that by default, every site has the right to load 100KB of crap to your computer that can later be identified? Also have a look at the sites that have already info on you and empty the list. Most tracking is done through Jave, Flash and other plugins in combination with javascripts and cookies.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 09:56

p2u wrote:It's organized crime and their business model is a lot more advanced than that of the advertisers, who came up with all those dirty tracking tricks.
Even more advanced and dirty than Google? Haha, bad joke.

p2u wrote:Even the giant security providers have vulnerabilities in their sites. Sometimes you hear about this or that site being hacked (usually young people, showing off; trying to look cool), but it is more dangerous not to report such cases and use the vulnerabilities for your own purposes. You won't see anything, but using the bank's search system with certain non-standard parameters, for example, may trigger the vulnerability and the knowledgeable "hunter" will know what to do. http://en.wikipedia.org/wiki/Cross-site_request_forgery
Well, keep me posted if you do come across any such exploited sites (even if it's an underground malicious web-site).

p2u wrote:Hm... Did you restart the browser (or better even: the system)? If it doesn't help, I'm in Privacy Mode (by default). I never browse without it. Try that.
Yes, restarted the browser and the system, and also did the test in Privacy Mode - still fails the test.

p2u wrote:P.S.: If you use Flash Player (I don't), then you should also check the Online Flash Settings Manager and set EVERYTHING to Default-Deny. Did you know that by default, every site has the right to load 100KB of crap to your computer that can later be identified? Also have a look at the sites that have already info on you and empty the list. Most tracking is done through Jave, Flash and other plugins in combination with javascripts and cookies.
Yes I did know about that, but I was never concerned. Tell me, how do you conveniently watch YouTube, play Flash games etc without Flash Player? I'm not asking because I'm trying to sound coy - I'm simply asking just in case there's some other method that I've missed completely.

Anyway, how come the test isn't passed? Does this mean there's a new method to track browsing history that has no mitigation? Can you test it on your own system and post back?

Also, as far as I understand it, passing this test doesn't mean you're protected from anything really (as an individual) - it simply means you make the hackers job more difficult to make money. Right?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 10:16

ssj100 wrote:
p2u wrote:Hm... Did you restart the browser (or better even: the system)? If it doesn't help, I'm in Privacy Mode (by default). I never browse without it. Try that.
Yes, restarted the browser and the system, and also did the test in Privacy Mode - still fails the test.
Try this:
about:config Filter refer. Set
Code:
network.http.sendRefererHeader - (Integer) - 0
network.http.sendSecureXSiteReferrer - (boolean) - false
Also: clear their cookies and set cookies for the main domain only.

ssj100 wrote:Tell me, how do you conveniently watch YouTube, play Flash games etc without Flash Player?
I don't. I was lucky to be able to download your security videos (hope I didn't infringe any copyright). If I can't download the files, I just accept that. I've had it with Adobe, really.

ssj100 wrote:Anyway, how come the test isn't passed? Does this mean there's a new method to track browsing history that has no mitigation? Can you test it on your own system and post back?
Mine works. Be patient.
P.S.: I'll post a screenshot later if you want. Gotta go now.

ssj100 wrote:Also, as far as I understand it, passing this test doesn't mean you're protected from anything really (as an individual) - it simply means you make the hackers job more difficult to make money. Right?
Right. It's just the top of the iceberg...

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 10:23

Feel free to download my security videos mate - that's why they're there.

And I still can't pass that test haha. Not too interested in a screenshot - I'm only interested for the sake of others who want to block this. And therefore, I'd like to have some sort of step by step guide to pass that test. I'd reckon that over 99.99% of users out there would fail this test with their current configurations!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 12:00

ssj100 wrote:And I still can't pass that test haha.
No problem; I have the patience of an angel. Very Happy
P.S.:
1) Could it be that Sandboxie is protecting your browser settings from being changed?
2) Do you keep your browser cache? (Better clean it with CCleaner and start a new session before you take this test)
3) Any funny toolbars installed?
4) What is your cookie policy? For Firefox there are very convenient cookie managers (one click to allow, temporarily allow; just like NoScript) that you can use with the DefaultDeny principle (CookieSafe is very good. I use Cookie Button for convenience, although I could do it manually through the browser interface; my cookie settings don't change so much; I just block them all by default). Cookies should only be allowed on sites where you have to authenticate or when the site explicitly requires them to work (not that many sites by the way). For the BrowserScope test you need to allow cookies (for the main domain), otherwise you'll fail that test.
5) Do you pass PCFlank's Browser Test?
6) Do you pass GRC's Cookie Forensics Test?
7) And how about the Start Panicking! test? Don't use the "Send-to-friend" mail option!

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 13:34

Obviously I haven't been clear with my testing configurations. Almost all the testing I've done and posted about on this forum has been done in VirtualBox with a freshly installed Windows XP, SP3. Therefore, I have no third party security software installed. For this test, I freshly install Firefox and go from there. Therefore, there are no "funny toolbars" etc installed either.

And again, I'm mainly testing for other people's benefit really (I've already got my own security setup/approach that I'm still extremely happy with), so more importantly, you're (hopefully) helping others (even those that find this forum through a Google topic search). Thanks for your patience regardless!

Anyway, I think the cookie policy may be what's letting you pass the test. Let me try using Cookie Button and post back. Then perhaps we can put all this "trial and error" to rest and get something definitive!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by ssj100 on 28/12/2010, 13:56

Okay, I'm afraid it's the same story.

I installed CookieSafe and globally blocked all cookies. This meant that (in addition to the three Firefox tweaks mentioned in this thread and with zero cookies stored in the browser to start), I passed the PCFlank's Browser Test, GRC's Cookie Forensics Test, and the Start Panicking! test.

I then went on to the Browserscope security test page and allowed cookies for the site only. I still fail the "Block visited link sniffing" test.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
avatar
ssj100
Administrator
Administrator

Posts : 1389
Join date : 2010-04-14

View user profile http://ssj100.fullsubject.com

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 14:01

ssj100 wrote:Okay, I'm afraid it's the same story.

I installed CookieSafe and globally blocked all cookies. This meant that (in addition to the three Firefox tweaks mentioned in this thread and with zero cookies stored in the browser), I passed the PCFlank's Browser Test, GRC's Cookie Forensics Test, and the Start Panicking! test.

I then went on to the Browserscope security test page and allowed cookies for the site only. It still failed the "Block visited link sniffing" test.
I think that item of the test may be flawed really. What probably happens is the following: when you reload the page but don't refresh the cookie, they know that you have been on their site and you have "failed" the test. Bad design, nothing wrong with your settings. Still don't understand why it gives me a pass though. Probably has something to do with google-analytics, which I block in my Hosts File... Very Happy



As you can see, test 7 is in loopback and it doesn't get out of it. I think that is also google-analytics. I would have to look at the code to see what they're doing.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by p2u on 28/12/2010, 14:51

Update: The "link-sniffing test" might be a trick with favicons (site icons) by the way. I have been blocking those too
Code:
browser.chrome.favicons - (boolean) - false
browser.chrome.site_icons - (boolean) - false
since I came across some dirty tricks on a Russian hacker forum. Besides, I removed "data" from the Adblock Plus parameter
Code:
extensions.adblockplus.whitelistschemes
The problem is, that even if you block all content (images included) in Adblock Plus with the filter *, the pictures on google news (data:image) still show. The same goes for favicons; they are also of the "data:image" type. If the test is based on this principle, then you simply cannot pass it without taking really drastic measures.

Paul

p2u
Valued Member
Valued Member

Posts : 211
Join date : 2010-12-14

View user profile

Back to top Go down

Re: Browserscope security test

Post by Sponsored content


Sponsored content


Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum