Modern browsers are more than programs used to peruse the web. Browsers are tools used to communicate, develop, conduct financial transactions, and interact with government agencies.

This week we will discuss browser security and how it can impact website security. Just as a website is the portal to a company’s online presence and resources, a browser is the entryway into a user’s workstation and the data within.

Just How Important Is Browser Security?

The link between browser security and website security is not overstated. Here at SiteLock, we’ve seen many sites compromised through stolen FTP credentials, and entire company file stores lost to ransomware.

Browsers were the likely point of entry for these compromises. Every website owner and web developer is sure to use a browser, most likely multiple browsers, to access website hosting, site files and credentials. Again, the browser is the portal from the open web to the workstation. Below, we’ll cover the steps necessary to better secure this entry point.

Steps To Better Browser Security

Our discussion will cover Mozilla Firefox and Google Chrome, though the steps also apply to other browsers like Microsoft Edge and Opera.

 

Keep Your Browser Updated

The first step to better browser security is to have the latest browser. Updating your browser:

  • adds features
  • improves performance
  • applies the latest security patches

Like updating an operating system to plug security holes on your computer, updating your browser plugs the holes that malicious sites use to gain a foothold on the workstation. Both browsers listed above update automatically. To check for the latest version of either Firefox or Chrome manually, click the hamburger menu in the upper right corner, then select About Firefox or About Google Chrome from the Help menu.

Get Rid Of Vulnerable Browser Extensions

Java

Next, disable or uninstall vulnerable plugins, and by that we mean Java. Java is rarely used, and both Google Chrome and Mozilla Firefox now disable Java by default. Unless you have a specific application where Java is necessary, we recommend uninstalling it completely.

Adobe Flash

Speaking of updates and plugins, we have to talk about Adobe Flash. Until HTML5 adoption is more complete, Flash is a fairly necessary plugin for a full, rich web experience. The huge downside is that Flash has been the target of numerous malware campaigns, including the sale of Flash exploits to government agencies. [3] Though browsers have done much to limit Flash’s negative impacts, it’s still imperative to keep Flash up to date in order to keep your browser secure. Chrome uses a built-in version of Flash which is updated with the browser. For Firefox, go to adobe.com/software/flash/about to make sure you have the latest version.

 

Install Browser Security Extensions

Next, we have two extensions to install to increase browser security: HTTPS Everywhere and uBlock Origin. HTTPS Everywhere from the EFF changes unencrypted requests to encrypted requests for sites that support it, so traffic is encrypted even when HTTPS was not explicitly requested, protecting the data in transit from prying eyes.
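The upgrade behavior described above can be sketched as a small rule-driven rewriter. This is an added example, not code from the original article or from the HTTPS Everywhere project; the ruleset shape, the hosts and the function name upgradeUrl are assumptions made for illustration.

```javascript
// Simplified model of "upgrade only sites known to support HTTPS".
// Constructed ruleset: hosts and field names are hypothetical.
const RULESETS = [
  {
    name: "Example Shop",
    // Hosts the ruleset applies to; "*.example.com" covers subdomains only.
    targets: ["example.com", "*.example.com"],
    // URLs that must stay on HTTP because the HTTPS version is known broken.
    exclusions: [/^http:\/\/legacy\.example\.com\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// True when a target pattern covers the given hostname.
const targetMatches = (t, host) =>
  t.startsWith("*.") ? host.endsWith(t.slice(1)) : host === t;

// Return the HTTPS form of url when a ruleset covers it, else url unchanged.
function upgradeUrl(url, rulesets = RULESETS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return url; // not an absolute URL, nothing to upgrade
  }
  if (parsed.protocol !== "http:") return url; // already HTTPS or non-web

  const href = parsed.href; // normalized: lowercase scheme and host
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => targetMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(href))) continue;
    for (const rule of rs.rules) {
      if (rule.from.test(href)) return href.replace(rule.from, rule.to);
    }
  }
  return url; // host not known to support HTTPS: leave the request alone
}
```

Unknown hosts are deliberately left on HTTP, which is why a rewriter like this complements, rather than replaces, checking for the padlock on sensitive sites.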

uBlock Origin may be slightly controversial as many sites rely on ads for revenue. The cold truth of the internet is that ads have been used for attacks for years and won’t likely stop any time soon. To cite two specific examples, rogue advertisements have been slipped onto both the New York Times website and into Yahoo’s ad network. Installing uBlock Origin blocks ads outright, malicious or otherwise, reducing a large attack surface and probably some eye strain as well.

There are two more Firefox-only extensions that power users may be interested in to increase browser security: RequestPolicy Continued and NoScript. RequestPolicy blocks cross-site requests by default, meaning requests that a website you are visiting makes to other sites, and only allows them when specifically whitelisted by the user. This reduces the danger of cross-site request forgery (CSRF) and clickjacking attacks, in which an action is carried out as the user on another site without the user’s knowledge.
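The default-deny model described above comes down to one decision per request: is the destination a different site from the page, and if so, has the user allowed that pair? The following is an added example, not code from the original article or from RequestPolicy; the rule format and function names are hypothetical, and it treats "site" as the exact hostname, which is an assumption.

```javascript
// Constructed allowlist: each rule permits requests from one origin host to
// one destination host. "*" matches any host; "*.examplecdn.net" matches
// examplecdn.net and its subdomains.
const ALLOW_RULES = [
  { origin: "shop.example.com", dest: "*.examplecdn.net" },
  { origin: "*", dest: "fonts.example.org" },
];

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return pattern === host;
}

// Decide whether a page at pageUrl may issue a request to requestUrl.
function decide(pageUrl, requestUrl, rules = ALLOW_RULES) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl, pageUrl); // resolves relative URLs
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (page.hostname === req.hostname) {
    return { allow: true, reason: "same-site" };
  }
  const rule = rules.find(
    (r) => hostMatches(r.origin, page.hostname) && hostMatches(r.dest, req.hostname)
  );
  return rule
    ? { allow: true, reason: `allowlisted ${rule.origin} -> ${rule.dest}` }
    : { allow: false, reason: "cross-site, not allowlisted" };
}

// Constructed sample traffic: [page, request]. The third entry is the
// CSRF-style case: a forum page triggering a request to an unrelated site.
const SAMPLE_REQUESTS = [
  ["https://shop.example.com/cart", "/static/app.js"],
  ["https://shop.example.com/cart", "https://img.examplecdn.net/a.png"],
  ["https://forum.example.org/t/1", "https://bank.example.com/transfer?to=x"],
];
const report = () =>
  SAMPLE_REQUESTS.map(([p, r]) => `${decide(p, r).allow ? "ALLOW" : "BLOCK"} ${r}`);
```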

NoScript blocks JavaScript and other plugins from running on sites by default and, like RequestPolicy, only allows them to run when explicitly allowed by the user. Both NoScript and RequestPolicy require the user to manually create lists of approved sites and requests, which may be unwieldy for some users. If browser security is that critical, it may be worthwhile to boot Linux and browse that way.

Develop Secure Browsing Habits

The last and most important component of browser security is browsing habits. Secure browsing habits include:

  • visiting reputable websites
  • bookmarking important sites like banking and email services
  • not saving passwords in the browser
  • not installing unknown plugins or extensions

Being cognizant of browser usage habits helps to close the last hole in browser security: user clicks.

Improving browser security hardens the defenses of the doorway into your computer. A secure browser helps protect the sensitive data — your site data — on your computer just as the TrueShield web application firewall and the INFINITY website scanning solution protect your site.  You can learn more by visiting sitelock.com.