
DuaneFKing.Com

SecureBrowsers

Preamble

Web Browsers are the new core interface to a computer these days. The problem is this ability to render content is fast being abused by bad actors who find ways to make money by harming the average user.

In any security situation you must consider the priorities of the groups involved. For this page, I consider the needs of the user as the highest priority as I consider that both the most ethical and the most profitable for all sides. As a result I am a firm supporter of ad-blockers in every form as a means to combat Malvertising and other forms of advertising that directly attack, track, or harm the user or their systems.

Ad-Blocking can be a contentious issue for people who may not understand the 3 sides of the issue. Yes, there are 3 sides to every coin. The heads and tails part everybody sees, and the edge that nobody remembers exists until somebody on the internet posts a video of a coin landing on its side and successfully staying there.

The common argument against Ad Blocking seems to be that the people who run ads on their websites depend on that revenue to make money and keep the site up because they have no other options. This is the core of every argument that I have heard in support of ad blocking and while others exist I often just hear them as re-phrasings of this single argument. The thing is, that is never true because while the operators of the website may not know it, other options do exist. After all, subscription services exist for pretty much everything these days. That stated, the fact remains that most people who do run ads on their websites as a form of revenue generation do this simply because it's the lowest form of effort required.

Yet it is a very large logical fallacy to suggest that just because I may trust the website that I am currently visiting, that I also trust everybody they use or support through the ad networks they are connected to. Just because I trust the single website I am visiting does NOT mean I also trust the ad networks they use, or the advertisers that use these advertising networks, or the people these third parties themselves support. I may even want to support the website I am visiting, or even just a single person posting content on it if I have a favorite author or content creator, but that does not mean I also support the ad network used, their customers, or the people they themselves support. In fact, in most cases I really don't support any of these extra groups and wish I could limit my support to just the people I want to support, not all the extra leeches that have built themselves into the system to distract from the things I myself as a user love and support.

I also firmly believe in the freedom of speech aspect. You may be free to say what you like, but I'm also free to plug my ears and not listen to it if I so choose. Ad-Blocking helps me do that when I get tired of listening about that celebrity the news won't stop talking about, or that political debate between all of the politicians I hate is advertised everywhere, and stops me from being targeted with ads for things I would love to buy but can't afford because I want to be a successful, responsible adult that spends his money wisely and can afford to pay his mortgage and take care of his family. Blocking ads is just one of the tools I have as a responsible adult who wants to be a valuable and self-sufficient member of society in making sure that all the tools at the modern advertiser's disposal for taking my money from me - Machine Learning, Data Mining, Statistics, Predictive Analytics, and all the other aspects of what my profession simply calls "Data Science" - won't be used against my best interests.

You also have to take into consideration that my anti-fraud and information security training and experience suggests that terrorism, human trafficking and much worse are also funded in this way through less than ethical advertising networks that resell or buy space from more legitimate ad networks in order to increase their distribution and make more profits to feed the evil beasts that run them. As a user, as a decent human being with human rights who supports human rights, I must have the option of standing up to forced slavery, forced child prostitution, terrorism, illicit debt, attacks on innocent women and children, and worse. Blocking ads and being able to block ads that may be funding these terrible tragedies is just one simple way I can do that and by doing so, make the world a better and safer place.

Secure Browser Wish List.

But outside of strict ad blocking, here are some things I want to see in a "Secure" Browser.

If the user wants to disable it let them do so.
Tell them when they load the browser the first time that it's enabled and give them the opportunity to turn it off at that time so the marketing and legal people are happy that the user got a choice.
But let the defaults be secure.
  • The web browser should read its settings ONCE from disk on startup.
Chrome loved to read its settings constantly, creating more disk usage than was needed, which led to burned out hardware. People with solid state drives back in the day HATED this.
  • If a web browser's settings are updated then it should write them back to disk only ONCE.
For over 10 years Chrome and other browsers updated their settings to disk every 15 seconds or so, creating constant disk load. This destroyed hardware from constant overheating and use, and that is not considered secure in my book. I can no longer find the bug that was open for over 10 years due to this and Google seems to have scrubbed any data on it from the public record when I do my usual casual search on this issue looking for the link to add here.
  • The web browser should do its best to cache data in RAM and not use the DISK at all if RAM is available.
Let the user configure how much RAM is used for this out of the available system RAM detected before using the disk.
Give the user the option of never using the disk if that is what they want.
Chrome for example does not make use of my system's 32GB of RAM and instead thrashes the disk and causes my entire system to slow down.
So I no longer use Chrome.
I do not know of a SINGLE browser that does this.
On delete/browser exit overwrite the data with zeros or random garbage, then delete.
Let the user decide.
The United States Federal Government gives excellent guidelines on this in NIST.SP.800-88r1
This could literally save lives in countries where fighting corrupt governments and warlords is illegal and enforced with death squads.
  • Cookies and data saved from web pages should be automatically and securely deleted when the browser is closed.
Better yet only hold it in memory.
Same restrictions as all other data at rest.
People fighting terrorism and human trafficking have sadly been executed when found out from their browsing history that they were fighting these evils.
  • In general a browser should protect a person's privacy as much as possible in order to be considered "secure".
  • The ability to detect that the user is running an advertisement blocker is to me a security threat.
  • A web browser's certificate storage repository for X.509 encrypted Certificates should never contain keys known to be insecure by the information security community at large. Period.
Revocation should be a harder hitting and more used thing, since it exists and is built into the formal spec that defines the design for these things. Thus, a process exists that allows it to stay secure. Too many browsers allow weak keys and chains of trust based on them that are insecure and broken.
The ACTUAL UNITED STATES FEDERAL GOVERNMENT states that any key under 2048 bits is considered insecure in SP-800-57-Part 1.
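
The overwrite-then-delete behaviour asked for in the list above, sketched in Python as an added example (not code from this page or from any browser). The function names and the profile directory are assumptions, and the pattern argument is the "let the user decide" switch between zeros and random data.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bounded chunks: large cache files need no matching RAM

def overwrite_file(path, pattern="zeros"):
    """Overwrite a file in place with the user's choice of 'zeros' or 'random'."""
    if pattern not in ("zeros", "random"):
        raise ValueError("pattern must be 'zeros' or 'random'")
    size = remaining = os.path.getsize(path)
    with open(path, "r+b") as fh:
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(secrets.token_bytes(n) if pattern == "random" else bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # force the overwrite to the device before unlinking
    return size

def wipe_file(path, pattern="zeros"):
    """Overwrite, rename to a random name (drops the original filename), delete."""
    overwrite_file(path, pattern)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)

def wipe_profile_dir(root, pattern="zeros"):
    """Wipe every file under root (hypothetical cookie/cache dir); return the count."""
    wiped = 0
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                os.remove(full)  # remove the link itself, never its target
            else:
                wipe_file(full, pattern)
            wiped += 1
        for name in dirnames:
            sub = os.path.join(dirpath, name)
            os.remove(sub) if os.path.islink(sub) else os.rmdir(sub)
    return wiped

if __name__ == "__main__":
    profile = tempfile.mkdtemp(prefix="profile-")  # constructed sample data
    with open(os.path.join(profile, "cookies.db"), "wb") as f:
        f.write(b"session=constructed-sample" * 100)
    print(wipe_profile_dir(profile, pattern="random"), os.listdir(profile))
```

On SSDs and on copy-on-write or journaling filesystems an in-place overwrite may not reach the old physical blocks, so holding the data only in memory, as the list prefers, or encrypting the disk remains the stronger option.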

I'm looking at:

Page last modified on April 15, 2016, at 02:12 PM PST