What is it?
‘Browser hardening’ refers to ways in which we can tweak our web browser’s settings, with the goal of enhancing its security and privacy.
What does it involve?
A great starting point is exploring your browser’s settings page and making some adjustments. You can add to this by installing and configuring plug-ins. More advanced options exist ‘under the hood’ of most browsers, for example Firefox’s about:config page. Let’s explore why you might choose to do this and explain some changes that can be made.
Why is this important?
This is something that should be receiving extra attention, especially because of the increased number of people working from home due to the coronavirus pandemic. Employees may find themselves using laptops that were not configured as securely as possible due to time constraints, or BYOD (Bring Your Own Device) laptops that have never been protected by internal IT.
Why is this a problem?
A web browser needs to be versatile and is designed to be quite ‘open’ and ‘loose’, allowing most websites to work for the greatest number of people. Enabling only the features you actually need, instead of having everything enabled by default, offers the user more protection.
The upcoming tweaks can be applied to most modern web browsers. I recommend Firefox, as I believe it is vastly more privacy-focussed than Chrome. Firefox is completely open source and developed by Mozilla, a non-profit organisation. In contrast, Google’s Chrome is proprietary and has rich data collection rooted in the core of its business model.
Maintaining privacy online is important and a desirable goal is to limit the amount of unnecessary information being sent to 3rd parties. Most of this information will be metadata, e.g. IP addresses visited and HTTP referrers. Although metadata does not contain the content of what you are viewing, it can still be quite revealing, particularly when aggregated and correlated.
Providing additional data when it’s not required should be done with caution. Not all fields in a webform may be mandatory! Remember, you do not need to secure what you do not disclose.
- Always ask where to save files
This can help prevent some drive-by download attacks. For several years we have seen attacks in which users visiting websites have files automatically downloaded without being aware of it. Having the browser prompt the user for where to store the file helps to mitigate this issue.
- Change the default search engine
Using any of Google’s products submits a wealth of metadata to them, such as: operating system, IP address, search terms, location and browsing history, to name but a few. This is especially true using the Chrome browser whilst signed in to Google. Surely this is information best kept private?
An alternative search engine such as DuckDuckGo greatly reduces the amount of information disclosure, whilst maintaining an acceptable quality of search results for general browsing.
- uBlock Origin
uBlock Origin blocks adverts, pop-ups, trackers and remote fonts. Other blockers are also available.
‘Malvertising’ is a method of delivering malware that could infect your computer when you interact with an advert on a website, without your knowledge. A blocker such as uBlock Origin can help protect against this by blocking adverts, and thus reducing the risk of interacting with a malicious website.
Malvertising can take hold by using invisible tracking scripts, pixel trackers, 3rd party cookies and fingerprinters, all of which are means of obtaining often sensitive information about the device, web browsing activity and the user. Once obtained, this can be sent back to 3rd parties whom you never consented to receive it.
Preventing these trackers, scripts, and adverts from loading is not only beneficial for security and privacy, it can reduce the strain on your Internet connection too. For example, browsing to https://www.cnn.com without uBlock Origin installed shows 12MB of data being downloaded, with 255 connection requests being made to numerous advertisement delivery platforms and 3rd parties. With uBlock Origin enabled, these figures are cut to 6MB and 90 requests, in turn speeding up your web browsing experience!
It’s not uncommon for us to receive alerts regarding customers accessing questionable websites, such as gambling sites. These are typically generated through a user visiting an innocent web page, such as a news site, which in turn calls out to an advert provider and loads an advert into the browser. In this instance, customers running an ad blocker could help themselves generate fewer of these alerts.
The use of plug-ins can be a balancing act: the more plug-ins installed in the browser, the more unique it becomes online. In some cases this can enable more effective fingerprinting, but offset against the privacy and malware protection gained, it may be worth considering. You can test your browser’s ability to protect against malvertising here: https://panopticlick.eff.org/.
Getting Technical: Under the Hood
The following modifications are made by entering about:config in the Firefox address bar and adjusting the listed parameters and values. Other browsers such as Safari have similar features listed under Preferences, Privacy.
- geo.enabled = false
When a website asks for your location, the browser’s geolocation service can disclose:
- Wi-Fi routers closest to you
- strength of Wi-Fi or cellular signal
- IP address
- user agent information
- unique identifier of your client
Changing the value to false prevents this disclosure. Interestingly, location determination through visible access points became possible when Google deployed its Street View cars: as well as capturing images, they harvested a global database of public SSIDs.
- network.dns.disablePrefetchFromHTTPS = true
- network.dns.disablePrefetch = true
Research has shown that with DNS prefetching enabled, in any browser, a determined attacker can reverse engineer the search terms used in an online search. This is done either by accessing DNS BIND logs directly or by remotely snooping on the victim’s resolver cache. Prefetching is almost always on by default. The only downside of disabling it is a slight increase in page load times.
- media.peerconnection.enabled = false
WebRTC was traditionally used to support voice and video calling directly within the browser without needing plug-ins. More recently it has seen adoption by content delivery network (CDN) providers such as Akamai. To facilitate this functionality, requests are made to STUN servers, which reveal the user’s real, deanonymised public IP address, even if they are using a VPN. This means a user’s true IP address can be revealed to any website that issues these requests to the user’s browser.
Marketers and tracking companies can utilise this flaw to gather your real IP address. This could be particularly effective if used in a phishing attack.
Google’s Chrome browser is the only major browser in which WebRTC cannot be disabled via the settings.
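As an added example (not from the original post or from Sapphire), a small Python audit that parses a Firefox prefs.js or user.js file and reports which of the about:config hardening prefs above are missing or still at a permissive value. The prefs content below is constructed for the demonstration; a real check would read the profile’s prefs.js instead.

```python
import re

# Firefox about:config keys from the section above, with their hardened values.
HARDENED_PREFS = {
    "geo.enabled": False,
    "network.dns.disablePrefetch": True,
    "network.dns.disablePrefetchFromHTTPS": True,
    "media.peerconnection.enabled": False,
}

# Matches pref lines such as: user_pref("geo.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Convert the textual pref value into a Python bool, int or str."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw) if raw.lstrip("-").isdigit() else raw


def parse_prefs(text):
    """Parse prefs.js / user.js content into a {pref_name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs):
    """Return (pref, finding) pairs for each hardening pref that is missing or weak.
    A pref absent from the file sits at its Firefox default, the permissive value."""
    findings = []
    for name, wanted in HARDENED_PREFS.items():
        if name not in prefs:
            findings.append((name, "not set, so at the permissive default"))
        elif prefs[name] != wanted:
            findings.append((name, f"set to {prefs[name]!r}, expected {wanted!r}"))
    return findings


# Constructed sample prefs.js: two prefs hardened, one explicitly weak, one missing.
SAMPLE_PREFS = """\
user_pref("geo.enabled", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.startup.homepage", "https://example.org/");
"""
```

Calling `audit(parse_prefs(SAMPLE_PREFS))` flags `network.dns.disablePrefetchFromHTTPS` as unset and `media.peerconnection.enabled` as still true; the same call on the contents of a real profile’s prefs.js gives a quick post-hardening check.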
For more information on web security, or for options for safe Internet browsing, please contact our technical team here at Sapphire.
Author: Shane Hall, Security Consultant, Sapphire