Financial Cryptography Update: Revising Top Tip #2 – Use another browser!

Posted: April 1, 2011 in Uncategorized

> DGCMP wrote, On 03/30/2011 06:24 PM:
>
>> http://blogs.computerworld.com/18021/iran_linked_to_attack_fraudulent_ssl_certs_targeting_google_skype_yahoo
>>
>> https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
>
>
> A long time ago I deleted *all* root CAs from Firefox, so I have to
> trust each new certificate individually. It can be annoying on
> occasion, but I still like it. I also installed CertPatrol recently.

Financial Cryptography Update: Revising Top Tip #2 – Use another browser!

March 30, 2011

————————————————————————

https://financialcryptography.com/mt/archives/001309.html

————————————————————————

It’s been a long time since I wrote up my Security Top Tips, and things
have changed a bit since then. Here’s an update.

Since then, browsing threats have got a fair bit worse. Although
browsers have done some work to improve things, their overall efforts
have not really had any impact on the threats. Worse, we are now seeing
man-in-the-browser (MITB) attacks being experimented with, and many
more attackers getting in on the act.

To cope with this heightened risk to our personal node, I experimented
a lot with using private browsing, cache clearing, separate accounts
and so forth, and finally hit on a fairly easy method: Use another
browser.

That is, use something other than the browser that one uses for
browsing. I use Firefox for general stuff, and for a long time I’ve
been worried that it doesn’t really do enough in the battle for my user
security. Safari is also loaded on my machine (thanks to Top Tip #1).
I don’t really like using it, as its interface is a little weaker
than Firefox’s (especially the SSL visibility) … but in this role it
does very well.

So for some time now, for all my online banking and similar usage, I
have been using Safari. These are my actions:

1. I start Safari up.
2. Click on Safari / Private Browsing.
3. Use Google or memory to find the bank.
4. Inspect the URL and head in.
5. After my banking session I shut down Safari.

I don’t use bookmarks, because that’s an easy place for a trojan to
look (I’m not entirely sure of that technique, but it seems like an
obvious hint).

“Use another browser” creates an ideal barrier between a browsing
browser and a security browser, and Safari works pretty well in that
role. It’s like an air gap, or an app gap, if you like. If you are on
Microsoft, you could do the same thing using IE and Firefox, or you
could download Chrome.

I’ve also tested it on my family … and it is by far the easiest thing
to tell them. They get it! Assume your browsing habits are risky, and
don’t infect your banking. This works well because my family share
their computers with kids, and the kids have all been instructed not to
use Safari. They get it too! They don’t follow the logic, but they do
follow the tool name.

What says the popular vote? Try it and let me know. I’d be interested
to hear of any cross-browser threats, as well 🙂
