Web 2.0 Has A Dark Side
While Web 2.0 has achieved some success by allowing developers to create intuitive and interactive web sites, it also has a dark side. The biggest problem with Web 2.0 is security: just about every web site on the planet now cross-promotes and loads content from other sites into its own pages. Ecommerce, banking and financial companies rely on third parties to provide content and access tracking, even going so far as to point DNS for their own domains at third party companies whose security posture is completely outside their control.


There are numerous methods for an evil-doer to exploit Web 2.0 technology and wreak havoc, with Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) being some of the most nefarious as far as the web browser (here meaning the person browsing the web) is concerned. These methods allow evil-doers to assume control of an unsuspecting user's browser connections and perform dastardly deeds like draining their bank account before they are even aware there is a problem.


Increasing Browser Security Step 1
Perhaps one of the easiest methods a person can use to increase browser security is to use Mozilla Firefox and install some of its security add-ons. One of the best add-ons, NoScript, is one I have been using for years to protect myself against the aforementioned attacks. I was really sold on the functionality of NoScript, and for good reason, as it works very well. In fact I thought it was good enough, in itself, to protect me from all associated JavaScript exploit problems. However, I recently discovered that while NoScript is excellent, it is not a cure-all for the various nefarious exploits which haunt Web 2.0.


The problem with relying only on NoScript lies in the fact that many sites, including financial institutions, load several layers of content into their pages via second and even third party domains, as well as via subdomains of their own domain which are not controlled by the domain owner. Instead, the domain owner points DNS for a subdomain of their domain at a server wholly owned and operated independently by another company, in what has become popularly known as SaaS, or Software as a Service.


One good example of a third party domain used for content is found on Slashdot.org, a self-proclaimed "News For Nerds" site which serves up a lot of great content of interest to the tech community. Slashdot relies on the domain fsdn.com to load most of its styles and other content, so I had to allow fsdn.com in NoScript, which I thought was fine. It turns out it was not fine at all.


Increasing Browser Security Step 2
Luckily for me, I recently came across a new Firefox add-on called RequestPolicy, which sounded interesting, so I installed it and gave it a try. Boy, am I glad I did, because to my dismay I quickly discovered domains I thought were successfully blocked by NoScript sneaking around my chosen policies by being loaded via JavaScript from the third party domain, a method which apparently circumvents NoScript's policies.


Two sites I disallow globally via NoScript are data.coremetrics.com and google-analytics.com, as I feel it is nobody's business tracking the sites I browse. What I discovered was that by allowing fsdn.com in NoScript, data.coremetrics.com and google-analytics.com were in fact being surreptitiously loaded via fsdn.com. Damn! Not only was this a privacy issue, but based on recent findings concerning DNS and subdomain authentication exploits by security researcher Mike Bailey, this was a giant security problem.


Increasing Browser Security Step 3
In closing, the bottom line is this: at a minimum you must use Firefox as your browser and you must install the NoScript and RequestPolicy add-ons to have even the slightest chance of ensuring minimal security while browsing the web. Be aware that once you load these two add-ons, it will seem like most web sites are now broken. This is a good thing! By using the add-ons, you personally control exactly which sites are allowed to load content instead of leaving that important decision up to the web site owners.