
'Extreme Security' Web Browsing

Zonk posted more than 6 years ago | from the i-think-i'm-paranoid-and-complicated dept.

Security

Sarah S writes "The application security researcher Jeremiah Grossman described to CSO magazine how he takes extreme measures to stay safe online. The simplest tip he uses: two separate browsers: 'One, which he calls the 'promiscuous' browser, is the one he uses for ordinary browsing. A second browser is used only for security-critical tasks such as online banking. When Grossman wants to do online banking, he closes his promiscuous browser, opens the more prudish one, and does only what he has to do before closing it and going back to his insecure browser.'"


267 comments


Not sure how "secure" this scheme is... (5, Insightful)

TripMaster Monkey (862126) | more than 6 years ago | (#21778132)

How exactly is this strategy going to protect you from a keylogger?

Re:Not sure how "secure" this scheme is... (4, Insightful)

Kranfer (620510) | more than 6 years ago | (#21778174)

Personally, I don't think it will. A keylogger is a keylogger... I have never seen one attached to a specific browser... usually just logs everything... How can it protect you? The fuzzy pink bunnies in your mind think that you are fooling the bad people on the internet who use myspace and livejournal from getting your data and setting up a fake "you" page only to trick your friends... Or stealing your credit card #'s and buying a nice new BMW all in your name... I could use a BMW though :/

Re:Not sure how "secure" this scheme is... (5, Insightful)

hawkinspeter (831501) | more than 6 years ago | (#21778282)

There are easy methods to defeat a keylogger though most of them rely on the server side. Asking for only certain characters from a password (e.g. characters 1,4,8 & 9); virtual screen keyboards (just mouseclicks are recorded); drop down lists to select characters.

Re:Not sure how "secure" this scheme is... (3, Interesting)

tepples (727027) | more than 6 years ago | (#21778380)

There are easy methods to defeat a keylogger though most of them rely on the server side [such as] virtual screen keyboards (just mouseclicks are recorded)
That's useful as an option. But please don't force it on everybody, as not everybody has a useful pointing device. Some of us use a laptop with a slow trackpad. Others are blind, use a screen reader, and have no mouse at all.

Re:Not sure how "secure" this scheme is... (1)

Doctor-Optimal (975263) | more than 6 years ago | (#21778496)

Asking for only certain characters from a password (e.g. characters 1,4,8 & 9)
This will just cause people to write down their passwords.

Re:Not sure how "secure" this scheme is... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21778558)

And the problem is?

It is safe to write down passwords. We are good at keeping bits of paper safe. That is what a wallet is for.

Re:Not sure how "secure" this scheme is... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21778754)

Agree but I would never consider a password written down near my desk at home a real credible threat. If someone is going to break into my house, they are going to take my wallet and something of value to them, not the yellow sticky on my monitor with the text "bLowmEa$$h0l3", the crimes that you see on CSI are not what happens in real life. I could probably paint my password on the side of my house and still be safer than having a keylogger installed. Which would you feel more threatened by? The specific target of that random password you have written down and physical entry or a flaw in your OS and a keylogger?

On that note though, I do not write my passwords on my monitor, I have them in a small notebook in the drawer! I would rather use completely different passwords for each site and write them down than use the same few passwords across all sites that I need a password for.

Re:Not sure how "secure" this scheme is... (5, Interesting)

pyite (140350) | more than 6 years ago | (#21778900)

This will just cause people to write down their passwords.

And what, exactly, is wrong with this? Bruce Schneier [schneier.com] offers the following wisdom [nytimes.com] :

I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.

Re:Not sure how "secure" this scheme is... (2, Informative)

Library Spoff (582122) | more than 6 years ago | (#21778182)

You're correct, it's not.
Unless the second browser is on a knoppix cd...

Re:Not sure how "secure" this scheme is... (5, Funny)

Anonymous Coward | more than 6 years ago | (#21778236)

Knoppix...what version of Windows is this knoppix thing? I don't understand...

Re:Not sure how "secure" this scheme is... (4, Interesting)

darthflo (1095225) | more than 6 years ago | (#21778250)

That'd help.
Unless somebody really wants your data [thinkgeek.com]

Re:Not sure how "secure" this scheme is... (1)

LiquidCoooled (634315) | more than 6 years ago | (#21778562)

How does that work with my laptop or tablet?

Re:Not sure how "secure" this scheme is... (1)

kalirion (728907) | more than 6 years ago | (#21778844)

So all you need to do is check the keyboard cable for bugs each time you use the computer. That thing is not exactly inconspicuous.

Re:Not sure how "secure" this scheme is... (5, Insightful)

ZombieWomble (893157) | more than 6 years ago | (#21778280)

Well, looking at the article itself (I know, I know, heresy), the point is that there are whole classes of attacks (specifically "Cross Site Request Forgery" attacks, the focus of this article) which require significant effort on the part of websites to defend against, but which are trivially defended against by having users make a point of not accessing secure and insecure sites at the same time.

It's in no way presented as a solution to all security on the internet, but a way of addressing one specific class of problems in a simple manner with a minimum of effort. Unfortunately there's plenty of sufficiently smug people on /. who will continue to repeat this idea in this discussion without even glancing at the article.

Re:Not sure how "secure" this scheme is... (1)

ectoraige (123390) | more than 6 years ago | (#21778300)

Sigh... it's called security in layers.

He is quite clearly talking in the context of XSS and CSRF attacks. His so-called strategy is a reasonable precaution to take in this instance.

Security is not a go/no-go.

Re:Not sure how "secure" this scheme is... (1)

gstoddart (321705) | more than 6 years ago | (#21778304)

How exactly is this strategy going to protect you from a keylogger?

How is someone going to get a keylogger on my FreeBSD box? :-P

Cheers

Re:Not sure how "secure" this scheme is... (1)

darthflo (1095225) | more than 6 years ago | (#21778466)

# pkg_add -r some_ev0l_keylogger, perhaps?

Re:Not sure how "secure" this scheme is... (2)

gstoddart (321705) | more than 6 years ago | (#21778724)

"How is someone going to get a keylogger on my FreeBSD box? :-P"

# pkg_add -r some_ev0l_keylogger, perhaps?

Well, if someone actually gains physical access to my machine without me knowing about it, manages to get past the root password, and install that piece of evil software ... it's really too late for me to worry about it now, isn't it? At that point, I have bigger issues.

On the presumption that there isn't some highly organized, well financed team of people with a strong desire to compromise my system from within my house, I don't guard against such things. A scenario like that falls into a completely different realm, and something I don't consider likely to be an issue.

Most of my international espionage activities is done in my sleep, so I don't have fears of INTERPOL or a crack team based in Langley coming for me . ;-)

Cheers

it's not (1)

circletimessquare (444983) | more than 6 years ago | (#21778320)

all security measures are incomplete. because it doesn't protect against everything doesn't mean it doesn't have value as a wise modus operandi

i have a credit card with a limit of $300 i make online purchases with and small change/ restaurant purchases. that doesn't protect me from someone who gets my driver's license number and my ssn and opens a new card in my name. but it still is a simple easy form of limited protection, just like using this guy using 2 browsers

Re:Not sure how "secure" this scheme is... (0)

Anonymous Coward | more than 6 years ago | (#21778334)

This concept is completely brain dead and affords pretty much no protection - personally I use a separate (older hardware) machine for banking and nothing else.

Re:Not sure how "secure" this scheme is... (0)

Anonymous Coward | more than 6 years ago | (#21778698)

And it's not brain dead to do online banking at all when you have already accepted that the internet is dangerous enough to require completely separate hardware for the purpose?

Re:Not sure how "secure" this scheme is... (1, Funny)

Anonymous Coward | more than 6 years ago | (#21778856)

A bit of qualification in case that isn't clear:

You expect your main machine to be compromised, otherwise why not do the banking on that one?
You expect your secondary machine not to be compromised. Why is that? Has it got the dont-hack-me-bro bit set?

Re:Not sure how "secure" this scheme is... (2, Insightful)

Florian Weimer (88405) | more than 6 years ago | (#21778352)

How exactly is this strategy going to protect you from a keylogger?

It protects against CSRF attacks (at least when done properly), which appears to be the only thing the author cares about. It seems to me that it's just some security outlet trying to gain publicity by referring to a vulnerability that has been documented for over a decade (see RFC 2109, section 4.3.5).

Re:Not sure how "secure" this scheme is... (1)

mebollocks (798866) | more than 6 years ago | (#21778484)

Well that's not in the scope of security as pertains to remote exploits such as the CSRF mentioned in the article. You may as well be asking how this strategy deals with someone burgling his house while he's on the web with his headphones on, rocking out to 'Super Sounds of the Seventies'. Good to see you back though Trip, been a while since I saw you round these parts.

Re:Not sure how "secure" this scheme is... (3, Funny)

Jaliyl (1206354) | more than 6 years ago | (#21778526)

I use a similar scheme, I use XP in VMware for shady downloads/torrents and pornsites while my Vista install stays clean.

Re:Not sure how "secure" this scheme is... (1)

bickle (101226) | more than 6 years ago | (#21778796)

Who said it would? There is no single tip that will make your computer completely safe, and the article never implied that it would. This is just a strategy to lessen risk.

Re:Not sure how "secure" this scheme is... (1)

eat here_get gas (907110) | more than 6 years ago | (#21778974)

why even bother with a "promiscuous" browser at all? I prefer my security to be 100% at least 100% of the time.

thats annoying... (3, Interesting)

Kranfer (620510) | more than 6 years ago | (#21778136)

While I do understand what is being said about using two browsers, me personally, I would find that annoying... I only use Firefox... And opening and closing it to open say Opera or IE... that would get annoying after a while when I know there are products out there that can help protect your data while doing online banking. Speaking of which, I have been doing that since 2000 when I graduated from high school and ventured into the real world without any issues... How many of you actually use two separate browsers as described here, I am just wondering...

Re:thats annoying... (1)

cheater512 (783349) | more than 6 years ago | (#21778228)

I don't worry too much.
One browser and I don't take any special actions before using internet banking.

I'm fairly confident that nothing will get my details and even if they do, the bank will handle it and I wont be out of pocket.
Plus I'm using Linux so fat chance a keylogger will get on my system.

Re:thats annoying... (1)

symes (835608) | more than 6 years ago | (#21778356)

How many of you actually use two separate browsers as described here, I am just wondering...
Me. I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful.

Re:thats annoying... (5, Insightful)

FredFredrickson (1177871) | more than 6 years ago | (#21778676)

I use IE as my 'promiscuous' browser and Firefox as my safe browser - makes sense to me. But of course, this is not the only means I have of protecting myself but it helps in one important way... It reminds me that I should be careful.
That makes as much sense as only wearing the bullet proof vest when you're doing non-dangerous activities.

If anything, I'd do it the other way around. Promiscuous browsing on IE will certainly get you infected (ever open a porn site with IE? I haven't in years, and I don't plan to start now - even if those exploits have been fixed). IE is the only browser I can remember that would just let a virus download and install itself while you battled 80 popups. I understand IE7 is slightly better, but come on - that's what people are targeting, new exploits will come up.

I do things exactly opposite. I use opera for all my browsing, and nothing gets through. Then I load up internet explorer for my online banking. (my bank requires IE). I see no danger in that, because internet explorer is clean when I do it, thanks to the fact I never use it (and I clean my system regularly) with hijack this and pv and what not.

Re:thats annoying... (1)

gstoddart (321705) | more than 6 years ago | (#21778396)

How many of you actually use two separate browsers as described here, I am just wondering...

I have several levels of this.

My FreeBSD box is my primary surfing box, and it's set to be fairly closed, but open enough for most things. A second X-windows session has my completely locked down user and browser which won't accept cookies or non-originating images or any form of script is for the shadier parts of the internet -- or I can run the same browser in a separate profile which is a little more permissive.

A KVM switch away is my XP box, which is fairly restrictive and requires prompting for cookies and runs no-script, but also has flash installed which can be enabled on-demand. For government web sites, or the odd merchant site that I trust that still needs IE, I have IE installed -- but it only gets loaded for a site which I really need, actually trust, and which didn't quite work in Mozilla.

So, at any given time, I might have four different browsers to be used for entirely different things. I'm probably an odd example, I just happen to have the boxes available to run that way.

I don't think the idea of a 'secure' and a 'promiscuous' browser is that uncommon -- and, Mozilla allows more run-time control over what you permit and what you don't.

Cheers

Re:thats annoying... (0)

Anonymous Coward | more than 6 years ago | (#21778726)

browser which won't accept cookies or non-originating images
is this firefox, and how do you do block non-originating images? is there an extension?

i could really use that.

Re:thats annoying... (2, Informative)

gstoddart (321705) | more than 6 years ago | (#21778768)

is this firefox, and how do you do block non-originating images? is there an extension?

i could really use that.

Mozilla. It's probably an older version by now, but the Mozilla browser used to (possibly still does) have a setting which you could specify that only images from the original page would be loaded -- cuts out quite a few ads.

Given Firefox's pedigree, I'd be willing to bet that about:config has some setting which allows this, but I can't say what it might be. Mayhaps some helpful soul will respond and say what the setting would be.

Cheers

Re:thats annoying... (0, Redundant)

hyades1 (1149581) | more than 6 years ago | (#21778460)

Well, not for the reasons described, but my PDA likes Opera, so it makes sense to have it on my PC, too.

Re:thats annoying... (1)

Pope (17780) | more than 6 years ago | (#21778520)

I usually have two browsers open anyway, IE & FF at work, Safari & FF at home. All have their strengths & weaknesses, so I switch depending on the task. It's hardly a big deal.

That's not extreme. (2)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778148)

It is just common sense. Doesn't everyone do that?

Re:That's not extreme. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21778216)

>> Doesn't everyone do that?

Does everyone go deep down into paranoia taking painful and mostly useless security measures ? No.

Re:That's not extreme. (1)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778294)

Gosh if firing up another browser seriously causes you pain, your problems extend rather beyond being trojaned!

Mostly useless != useless. 2nd browsers have their place - you can run them with the kind of high security settings that would be a nuisance in a main browser.

Re:That's not extreme. (2, Insightful)

Explodicle (818405) | more than 6 years ago | (#21778326)

You can have both usability AND security... "common sense" is to use a browser with both all the time.

Re:That's not extreme. (1)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778392)

Nope - sometimes - often - there is a trade-off between usability and security. And when there is, it is worth having one browser tied down tight for banking, and another with looser settings for general browsing.

No-one is denying that setting up a whole separate account and using that ONLY for banking is a better option, but running a browser in "anal retentive" mode has its place.

Better secure browsing (3, Interesting)

John Jamieson (890438) | more than 6 years ago | (#21778160)

For more secure browsing and ebanking(at our house), we keep knoppix cd and dvd's beside our computers and boot with that.

Another way (1)

morgan_greywolf (835522) | more than 6 years ago | (#21778164)

Another way to get the same effect would be use the multiple profiles feature of Firefox. Have one 'promiscuous' profile and one 'safe' profile.

Re:Another way (0)

Anonymous Coward | more than 6 years ago | (#21778348)

Another way to get the same effect would be use the multiple profiles feature of Firefox. Have one 'promiscuous' profile and one 'safe' profile.
I've tried this a couple of years ago, but there was some annoying leakage between profiles.

I use Epiphany for banking, webmail etc. and Firefox for "fun" surfing. For a while I also tried to use different profiles for Epiphany, because I prefer its interface, but there was a small leakage between profiles on this browser too and many websites didn't work as well as on Firefox (it seems that it's not enough to use the same rendering engine).

Re:Another way (1)

morgan_greywolf (835522) | more than 6 years ago | (#21778398)

I've tried this a couple of years ago, but there was some annoying leakage between profiles.
I must say I've not encountered this. Could you be more specific about this 'leakage'?

Frist Psot (1)

lennyhell (869433) | more than 6 years ago | (#21778170)

LoL

This is silly! (3, Insightful)

RenHoek (101570) | more than 6 years ago | (#21778184)

The article is silly. I mean most exploits are going to have a trojan running on your machine via exploits, usually with keylogging and other nasty tricks. The only thing you can stop with two browsers is the spread of cookies or activex plugins tied to your browser. The rest are going to be active regardless and will be collecting information no matter what program you are using.

The only way to be safe is to use an up-to-date browser, (and lets say anything not-IE). And if you have Firefox, look into AdblockPlus, and NoScript. If you don't want cookies to bother you, set them to this-session-only. And lastly, Firefox has a lovely "Clear private data when closing Firefox" option if you want it.

Me too (0)

Anonymous Coward | more than 6 years ago | (#21778188)

Firefox with NoScript and such is my promiscuous browser. I do a lot of work stuff and read some news sites (msnbc.com) with IE. I have done this for a long time and it works great. I'm not sure how much more secure it is but I do like the setup.

Key logger (1)

isa-kuruption (317695) | more than 6 years ago | (#21778194)

That only works until the promiscuous browser brings home a little key logger and shares it with the rest of the apps on the system. Then your little "secure browser" isn't really that secure, now is it?

Of course, there are ways to protect your machine from such things, like one of those anti-virus / internet security suite... but then using such a thing would also get rid of that requirement of having to use two separate browsers. And we certainly don't want our friends to think we're uncool by only using one browser!

"Promiscuous" Browser (2, Funny)

aquatone282 (905179) | more than 6 years ago | (#21778196)

Hell, mine's a slut.

But then, so am I.

Re:"Promiscuous" Browser (0)

Anonymous Coward | more than 6 years ago | (#21778354)

You aren't promiscuous if you're having sex with yourself. Well, maybe if you have a dissociative identity disorder.

Re:"Promiscuous" Browser (0)

Anonymous Coward | more than 6 years ago | (#21778584)

A/S/L?

Why not use a virtual machine? (1)

krenaud (1058876) | more than 6 years ago | (#21778206)

The best way to protect oneself without using multiple computers is using a Virtual Machine for "promiscuous browsing" I would think.

Mis-understanding.... (1)

Capt James McCarthy (860294) | more than 6 years ago | (#21778218)

If you have an 'extremely secure' browser, why would you want to use an insecure one? I think a better idea is to find a balance between security and functionality. I know I've heard that somewhere a few million times.

Because most of the web doesn't work otherwise (1)

Overzeetop (214511) | more than 6 years ago | (#21778696)

If you have a truly secure browser, that tends to break most modern web coding. Try surfing without flash for a while, for example. You'll find much of the web out of reach, and some major commercial sites entirely inaccessible.

I surf in a virtual PC (1)

siyavash (677724) | more than 6 years ago | (#21778238)

I know it doesn't fit the average guy out there but I do my "random" browsing in a Virtual PC, then I got very few sites like my bank in my host machine which I use.

Re:I surf in a virtual PC (1)

emj (15659) | more than 6 years ago | (#21778260)

You trust your bank, ha!

That's nothing (5, Funny)

east coast (590680) | more than 6 years ago | (#21778242)

I browse the web via correspondence.

That's right. I snail mail the institutions for the answers I seek and they write me back after looking it up on the web.

Even this post was done via correspondence. I mailed this letter to CmdrTaco a couple of days back and let him know to post my thoughts on the matter when the article hit the front page.

Re:That's nothing (5, Funny)

polar red (215081) | more than 6 years ago | (#21778544)

Doesn't protect you from the man-in-the-middle attack though ...

The only way to do your banking safe (3, Funny)

emj (15659) | more than 6 years ago | (#21778246)

Only use a separate computer for banking, shouldn't be connected to any network. Preferably all I/O ports should be fit with epoxy, especially the keyboard.. A large faraday cage over the monitor to prevent Van Eck [slashdot.org] as well.

But I might be paranoid.

I already do something like this (1)

Saint Aardvark (159009) | more than 6 years ago | (#21778256)

I've got two profiles for Firefox: one for everyday stuff, and one for banking. Originally I'd done this because the banks all seemed to require Javascript, and I simply don't leave that on (I hate dancing baloney on websites, and a lot of the time it's just used to serve ads anyhow). Nowadays I use NoScript [noscript.net] to turn on JavaScript when I want to, but I still do all the banking stuff in a separate profile.

I did read an interview with a security researcher recently (sorry, can't dig up the link) who said that he used a separate browser in a separate VM for his banking. I suppose you could be even more safe by using a Knoppix CD and avoiding your usual OS altogether.

ArticleSummary.Equals(TFA) = True (2, Insightful)

TGhostH (965525) | more than 6 years ago | (#21778262)

Not much content there...

Am I living under a rock because I have never heard of Cross Site Request Forgery?

Is it known by a different name?

built into IE since v4 (2, Informative)

sh0rtie (455432) | more than 6 years ago | (#21778274)

They are called "zones" [microsoft.com]. Put sites you trust in "Trusted sites" and ones you don't in "Restricted". You can configure each of the zones' (there are 5 but only 4 visible [microsoft.com]) security settings to however paranoid or trusting you are of the sites you visit. Each setting is independent, e.g. turn off script for normal internet surfing but only allow certain sites to use it.

IE security goes up to five .. :) (1)

rs232 (849320) | more than 6 years ago | (#21778808)

"they are called "zones" .. there are 5 but only 4 visible) .."

Why don't you just make four more secure and make four be the top number and make that a little more secure .."

Quote ..

Nigel: ...the numbers all go to eleven. Look...right across the board.

Marty: Ahh...oh, I see....

..

Marty: Why don't you just make ten louder and make ten be the top... number... and make that a little louder?

Nigel: These go to eleven [csoonline.com] .

Secure browsing for the paranoid: (1)

MMC Monster (602931) | more than 6 years ago | (#21778276)

Boot up a live CD (with the MD5 sum confirmed on 2 separate PCs) and only use the live CD's Firefox browser.

Just hope that no one injected a keylogger onto the live CD and remembered to change the MD5 sum as well...

Re:Secure browsing for the paranoid: (0)

Anonymous Coward | more than 6 years ago | (#21778546)

Re:Secure browsing for the paranoid: (1)

Raineer (1002750) | more than 6 years ago | (#21778816)

Boot up a live CD (with the MD5 sum confirmed on 2 separate PCs) and only use the live CD's Firefox browser.

Just hope that no one injected a keylogger onto the live CD and remembered to change the MD5 sum as well...
That sure is some paranoid browsing...

This news is incomplete (3, Insightful)

Janos421 (1136335) | more than 6 years ago | (#21778302)

Well, the news is not well reported. This tip aims to protect against "Cross Site Request Forgery (CSRF)--considered one of the most insidious but least appreciated threats in application security". So clearly it does not claim to address key-logger issues.

For sure, in this context, the tip is quite effective.

i do something similar (1)

FudRucker (866063) | more than 6 years ago | (#21778328)

i use Firefox with NoScript for general purpose browsing, and Seamonkey for only trusted websites where i make financial transactions on a Linux powered PC...

no windows for me thanks, they break too easy...

Re:i do something similar (1)

HangingChad (677530) | more than 6 years ago | (#21778760)

i use Firefox with NoScript for general purpose browsing

That's what I'm doing. Firefox with NoScript on Linux. I never access secure systems from a Windows box.

It may be a false sense of security but so are anti-virus programs [heise-security.co.uk] . Every Windows machine I've ever cleaned had some type anti-virus program running, many with up to date signatures.

Only as strong as the weakest link (3, Insightful)

eli pabst (948845) | more than 6 years ago | (#21778330)

This is akin to putting a 5 inch thick steel door on the front of your house and an unlocked screen door on the back. Once the "weaker" browser is compromised, generally at the very least it's going to allow user-level execution, so an attacker could modify the settings on the "secure" browser or insert a keystroke logger.

That's not all that secure (3, Interesting)

Nimey (114278) | more than 6 years ago | (#21778362)

If you want *secure*, you can boot the anonym.os LiveCD, which, while a bit out-of-date, has some good anonymization tools as well.

Or, as others have suggested, a dedicated virtual machine which can revert its state at shutdown, so you know there won't be any nasties lurking even in the sandbox.

Why? (1)

RAMMS+EIN (578166) | more than 6 years ago | (#21778364)

Questions that pop up in my mind at this point are:

  - Does using multiple browsers as described actually do anything for security?
  - Why?
  - Is it supposed to be that way?
  - Shouldn't we be secure using just one browser?

Re:Why? (1)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778734)

You haven't actually stated any "facts"....

Does he wash his hands in between? (1)

mi (197448) | more than 6 years ago | (#21778378)

Just in case?

"Better safe than sorry," — murmured the abbess rolling a condom over a candle.

we have no secrets (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21778386)

we tell each other everything, about the lovers in our past & why they didn't last.

thank you carly.

in the end, the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. think carefully, about ALL of yOUR other 'options'.

for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it?

we're intending for the nazis to give up/fail even further, in attempting to control the 'weather'.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying [google.com]

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US;

gov. bush denies health care for the little ones

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html [cnn.com]

whilst demanding/extorting billions to paint more targets on the bigger kids

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html [cnn.com]

all is not lost/forgotten/forgiven

whilst (yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece [timesonline.co.uk]

still making his views known worldwide, whilst many of US keep yOUR heads firmly lodged in the silicon sand hoping (against overwhelming information to the contrary) that the party LIEn scriptdead pr ?firm? fairytail hypenosys scenario will never end.

for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available after the big flash occurs.

'vote' with (what's left in) yOUR wallet. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

Trying to Think This Through... (2, Insightful)

SixFactor (1052912) | more than 6 years ago | (#21778418)

Interesting countermeasure against CSRFs. I can just imagine Mr. Grossman not quite referring to IE (the promiscuous one) vs. Firefox (the safe one).

Given the above and operating conditions being equal (with use of solid anti-virus and firewall measures), it seems to me that if a well-designed browser was used in the first place, then there would not be a need for a "promiscuous" browser. In fact, wouldn't the use of a "promiscuous" browser increase a user's risk when conducting, uh, questionable activities? End result (cue alarming music here): the box gets compromised, and it doesn't matter if a safe browser was used for banking, etc., something nasty now lives in the box.

Continuing the FF vs IE model, if FF was designated for promiscuous activity, then the user is arguably better protected. So that leaves us with IE as the "safe" browser? The mind reels.

I know there are alternatives (Opera, Konq, etc.), but presumably Mr. Grossman is addressing mostly Windows users.

Re:Trying to Think This Through... (1)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778868)

You can never guarantee that any browser is proof against cross site scripting attacks. Generally, yes - using the "stronger" browser as the "promiscuous" browser probably does make sense - it is less likely to have problems that will compromise your system - and use the "weaker" browser ONLY for banking (where one trusts the site more than say - the average porn site.)

Of course this only assists with one group of attacks. So talk of key loggers is beside the point.

IE is probably safe(ish) if you only use it on trusted sites. (The same way having unprotected sex is "safe" if it is with trusted people whose sexual history you believe is unproblematic)

Of course ideally you would use two non-I.E browsers. Opera runs on Windows.

Extremed INsecurty web browsing (1, Funny)

swillden (191260) | more than 6 years ago | (#21778422)

The fool is using the same computer to go to both important and random web sites! And he's probably using Windows, too!

If you care at all about security, you create a separate virtual machine for every web site you visit, and you only go to your banking site with an up-to-the-second-patched copy of lynx running on an obscure OS and platform, like OpenVMS running on DEC Alpha hardware, for example.

If you *really* care about security, you use telnet on an OS you wrote yourself. And you carefully scrutinize every line of the telnet code and TCP stack for security flaws.

Re:Extremed INsecurty web browsing (1)

Doctor-Optimal (975263) | more than 6 years ago | (#21778748)

TELNET?!?

Re:Extremed INsecurty web browsing (1)

Anoraknid the Sartor (9334) | more than 6 years ago | (#21778930)

Actually a separate virtual machine just for banking is pretty trivial to set up, and probably fairly secure with a decent browser. Multiple virtual machines are just a matter of disk space.

Chroot jails (0)

Anonymous Coward | more than 6 years ago | (#21778482)

Once upon a time I wanted to run my browsers in chroot jails but it was a pain and perhaps not all that secure. So now I have multiple 'anon' user accounts to run various browser versions. My primary browser has javascript (and of course java) disabled. My java and javascript enabled browsers run on a separate machine. Lots of adblocking and (in some cases) cookie denying. Simple scripts start/kill those browsers and purge user data, etc.

Not great security but it should be a benefit. As for 'extreme', please........

So how many folks run their browser under their primary UID?

'Extreme Safety' driving (5, Funny)

MagicM (85041) | more than 6 years ago | (#21778490)

I do the same thing when I have to go somewhere. I have two cars, one that's reliable, and one rusty piece of crap that's ready to fall apart any minute. When I need to go somewhere important, I take my reliable car so I know I won't die before I get there. When I just need to take a quick trip to the grocery store, I take my junk car and just cross my fingers.

This plan isn't that crazy (1)

grolaw (670747) | more than 6 years ago | (#21778530)

I use Camino - set to the highest security and to dump history and cache for just two uses: business banking and court filing. As a lawyer I take reasonable steps to protect my clients - nobody can predict every potential criminal act. I use the Mac's Filevault protection on all of my computers and every system's password is greater than 20 characters.

It isn't absolute security - but it is a hell of a lot more than most of my colleagues use.

Dumbest Thing I Have Ever Heard (2, Insightful)

fsda (1190519) | more than 6 years ago | (#21778568)

This guy is a "Security Researcher"? Let me get this straight. You have 2 browsers, one insecure, one secure. On the insecure you do your daily stuff, on the secure you do your banking. Ok. Say your insecure browser gets compromised due to a vulnerability that is not yet patched or there is no patch for. Some of the browser vulnerabilities allow for full system control. Then what? Your whole system is now FUBAR. So there goes your "secure" browser. 15 year olds have more security sense than this guy.

Isn't Internet Security really an oxymoron? (1)

SuperCharlie (1068072) | more than 6 years ago | (#21778570)

Really.. we can bubble gum and tape this thing, open 5 browsers and set up firewalls till the cows come home, but when you have no control over the network, you are always at the mercy of the first hop.

IMHO, anyone who thinks there is Internet Security is deluding themselves. If it's that important, walk away from the computer man..

LiveCD?? (0)

Anonymous Coward | more than 6 years ago | (#21778588)

If you want to be safe online do away with your hard disk and run a LiveCD.

Promiscuous and Prudish? (1)

Saint Stephen (19450) | more than 6 years ago | (#21778596)

Why not just call them IE and Firefox? Why beat around the bush?

Better idea would be... (1)

Antony-Kyre (807195) | more than 6 years ago | (#21778600)

to simply have a spare computer to do all things secure. A cheap, old computer should do it. Just do a format, then a fresh install of your OS, and only use it for banking, paying bills, etc.

I do exactly the opposite. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21778626)

When Grossman wants to do online banking, he closes his promiscous browser, opens the more prudish one, and does only what he has to do before closing it

I do exactly the opposite.

I use my paranoid-secure browser when I visit random sites (like clicking on Google results), which constitutes the vast majority of my browsing.

I use my "insecure" browser to give me more functionality when I visit sites that I trust the most. (Actually, I am sometimes forced to use my "insecure" browser in this case because the site might require me to enable JavaScript (or whatever) in order to log in.)

I think it's fascinating that he does just the opposite of me, and he somehow thinks that it's "more secure".

Consider using virtualization? (0)

Anonymous Coward | more than 6 years ago | (#21778630)

Personally I keep a secure virtual machine in a suspended state, running Firefox, for when I need to do some online banking or other security critical/high paranoia tasks. It takes only a few seconds to unfreeze the VM and with modern software like Xen [trinamo-solutions.com], there is very little cost (performance wise or $$$) associated with this method.

AG

confusing web security with girl-friend security (5, Insightful)

oni (41625) | more than 6 years ago | (#21778632)

What he's describing is not a way of keeping your computer safe, it's a way of hiding porn from your girlfriend. You use some browser that she's never heard of for all your illicit surfing. Then, she fires up your computer and starts running IE, she looks in your history and sees slashdot and CNN or whatever and doesn't think you're a pervert (which you are).

It's also a good idea to have "honeypot porn" which is basically, a few very innocuous sites that you visit in IE that you intentionally want her to find - because once she starts looking, she's going to keep looking until she finds something. Best to give her something to find. Let her think you go to maxim.com or something.

Re:confusing web security with girl-friend securit (1)

SuperCharlie (1068072) | more than 6 years ago | (#21778672)

Raises hand.. guilty.. (thank you Opera)

Re:confusing web security with girl-friend securit (3, Interesting)

stewbacca (1033764) | more than 6 years ago | (#21778954)

Wow. Sounds like you put a lot of personal perspective into your post. My wife goes for more porn online than I do by a long-shot, so I don't worry about my browser history too much.

Use Opera (0, Troll)

cyofee (975070) | more than 6 years ago | (#21778646)

Use Opera. Most secure, fastest, and best features.

another way (0)

Anonymous Coward | more than 6 years ago | (#21778680)

I do it the other way around, and with just one browser. When browsing "promiscuous" material, I start Firefox with the "-profilemanager" attribute, and use another FF profile (named "prn", for no particular reason). In this profile, JavaScript, Java and cookies are disabled. Besides protecting me from the dangers of the Internet, this has the advantage of my promiscuous browsing staying a secret from curious family members.
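The per-user launcher scripts in the "Chroot jails" post above and the separate "prn" profile in this post come down to the same mechanism: start the browser on a profile that cannot see your real one, and throw that profile away when you are done. The script below is an added example, not code from either poster. It assumes Firefox (the -no-remote and -profile flags and the javascript.enabled, network.cookie.cookieBehavior and privacy.sanitize.sanitizeOnShutdown prefs are real Firefox settings); the PROFILE_ROOT location, the "prn" and "bank" role names, and the purge-on-exit policy are this example's own choices.

```shell
#!/bin/sh
# Role-separated Firefox launcher (added example; not either poster's script).
# Policy assumed here: role "prn" is a throwaway profile with JavaScript and
# cookies disabled that is purged when the browser exits; any other role
# (e.g. "bank") is a persistent profile reserved for trusted sites.
set -eu

PROFILE_ROOT="${PROFILE_ROOT:-${HOME:-/tmp}/.browser-roles}"   # assumed location
BROWSER="${BROWSER:-firefox}"

# Reject role names that could escape PROFILE_ROOT or look like options.
check_role() {
    case "$1" in
        ''|.|..|*/*|-*) echo "invalid role name: '$1'" >&2; return 1 ;;
    esac
}

# Absolute profile directory for a role (validated first).
profile_dir() {
    check_role "$1" || return 1
    printf '%s/%s\n' "$PROFILE_ROOT" "$1"
}

# Only the "prn" role is treated as disposable.
is_throwaway() {
    [ "$1" = "prn" ]
}

# Write a user.js that locks the profile down before first launch.
# javascript.enabled=false and cookieBehavior=2 (block all cookies) mirror
# the poster's settings; sanitizeOnShutdown clears history/cache on exit.
write_lockdown_prefs() {
    mkdir -p "$1"
    cat > "$1/user.js" <<'EOF'
user_pref("javascript.enabled", false);
user_pref("network.cookie.cookieBehavior", 2);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
EOF
}

# Delete a role's profile, refusing to touch anything outside PROFILE_ROOT.
purge_profile() {
    dir=$(profile_dir "$1") || return 1
    case "$dir" in
        "$PROFILE_ROOT"/*) rm -rf "$dir" ;;
        *) echo "refusing to purge '$dir'" >&2; return 1 ;;
    esac
}

# Launch the browser for a role; throwaway roles get fresh prefs and are
# purged afterwards even if the browser exits with an error.
launch() {
    role=$1
    dir=$(profile_dir "$role") || return 1
    mkdir -p "$dir"
    if is_throwaway "$role"; then
        write_lockdown_prefs "$dir"
    fi
    # -no-remote stops this instance from handing its URLs to an already
    # running Firefox of another role; -profile pins the profile directory.
    "$BROWSER" -no-remote -profile "$dir" || true
    if is_throwaway "$role"; then
        purge_profile "$role"
    fi
}

if [ $# -gt 0 ]; then
    launch "$1"
fi
```

Usage is `./browser-role.sh prn` for disposable browsing and `./browser-role.sh bank` for the trusted profile. Running the "prn" role from a dedicated unprivileged account, as the "Chroot jails" post does, adds OS-level separation on top of the profile separation shown here; the profile split alone does nothing against a compromise of the whole system, which is the limitation several posts in this thread point out.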

Lynx (1)

ehaggis (879721) | more than 6 years ago | (#21778826)

Lynx - The only way to browse!

That's a stupid approach (1)

c0d3h4x0r (604141) | more than 6 years ago | (#21778854)

Just run all internet-facing software under a restricted set of user rights. Two years ago I changed all my browser and messenger shortcuts to launch using the handy little DropMyRights utility [editme.com]. Result? I haven't caught anything from a malformed web page or IM attack in all that time -- even with running everything else under my normal administrator-class account. (This is on WinXP Pro SP2).

Which browsers are they? (1)

NPN_Transistor (844657) | more than 6 years ago | (#21778866)

The article doesn't mention what the "promiscuous" and "safe" browsers are. IE and Firefox? Firefox and Torpark? Opera? What are your suggestions for a "safe" browser?

foo (1)

Grampaw Willie (631616) | more than 6 years ago | (#21778914)

foo, the promiscuous browser will pick up a rat.

and the rat takes up residence in your computer and waits till you open yer prude browser and log onto your bank

and then he pays his rat account

the only way to prevent rats from conducting their mischief is to PREVENT ALL UNAUTHORIZED PROGRAMMING

NO SIGNATURE? NO EXECUTE.

all programming will have to have PGP signatures, every fragment, no matter how small. If it's executable it has to be signed or else it goes in the garbage.