Addons Enabled - Are You Crazy?
This month has seen lots of behind-the-scenes changes here. Most will not be noticed by casual visitors. Anyway, I was going through the web analytics and noticed this section listing the plugins that visitors have enabled in their browsers when they visit here.
- 78.1% Flash support
- 68.8% Java support
- 61.8% QuickTime audio playing support
- 58.4% Windows Media audio playing support
- 49.0% PDF support
- 9.6% Real audio playing support
- 9.2% Macromedia Director support
- 8.6% JavaScript disabled
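Those numbers exist because a script that runs in each visitor's browser reads the plugin list the browser advertises. Any page can make the same call, and exploit kits do exactly that to decide which plugin to attack. The block below is an added example (not code from this post or its analytics engine) of that enumeration, using the MIME types the classic NPAPI plugins registered; the category-to-MIME-type mapping is an assumption for illustration, and the visitor records are constructed sample data, not the post's real figures.

```javascript
// Added example (not from the original post or its analytics engine):
// how a page fingerprints a visitor's browser plugins from the MIME types
// the browser advertises through navigator.mimeTypes. An analytics script
// and an exploit kit use the same call; only what they do next differs.

// Plugin category -> MIME types that the classic NPAPI plugins registered.
// Assumption for illustration: one matching type means the plugin is present.
const PLUGIN_SIGNATURES = {
  'Flash': ['application/x-shockwave-flash'],
  'Java': ['application/x-java-applet', 'application/x-java-vm'],
  'QuickTime': ['video/quicktime'],
  'Windows Media': ['application/x-mplayer2', 'audio/x-ms-wma'],
  'PDF': ['application/pdf'],
  'Real': ['audio/x-pn-realaudio-plugin'],
  'Director': ['application/x-director'],
};

// Return the plugin categories one browser would be fingerprinted as having,
// given the MIME type strings it exposes (matched case-insensitively).
// In a real page: detectPlugins(Array.from(navigator.mimeTypes, m => m.type))
function detectPlugins(mimeTypes) {
  const present = new Set(mimeTypes.map(t => t.toLowerCase()));
  return Object.keys(PLUGIN_SIGNATURES)
    .filter(name => PLUGIN_SIGNATURES[name].some(t => present.has(t)));
}

// Aggregate many visits into the kind of table the post quotes: percentage
// of visitors with each plugin, plus the share whose browser never ran the
// script at all. mimeTypes === null stands for a <noscript> beacon, which is
// the only way the analytics side can tell that JavaScript was disabled.
function pluginStats(visits) {
  const counts = {};
  for (const name of Object.keys(PLUGIN_SIGNATURES)) counts[name] = 0;
  let noScript = 0;
  for (const v of visits) {
    if (v.mimeTypes === null) { noScript += 1; continue; }
    for (const name of detectPlugins(v.mimeTypes)) counts[name] += 1;
  }
  const pct = n => Math.round((1000 * n) / visits.length) / 10; // one decimal
  const out = {};
  for (const name of Object.keys(counts)) out[name] = pct(counts[name]);
  out['JavaScript disabled'] = pct(noScript);
  return out;
}

// Constructed sample data: ten visits, not the post's real analytics.
const SAMPLE_VISITS = [
  { mimeTypes: ['application/x-shockwave-flash', 'application/x-java-applet', 'application/pdf'] },
  { mimeTypes: ['application/x-shockwave-flash', 'application/x-java-vm', 'video/quicktime'] },
  { mimeTypes: ['application/x-shockwave-flash', 'video/quicktime', 'application/x-mplayer2'] },
  { mimeTypes: ['application/x-shockwave-flash', 'application/pdf', 'audio/x-ms-wma'] },
  { mimeTypes: ['application/x-shockwave-flash', 'application/x-java-applet', 'application/x-director'] },
  { mimeTypes: ['application/x-java-applet', 'audio/x-pn-realaudio-plugin'] },
  { mimeTypes: ['application/x-shockwave-flash', 'application/x-mplayer2', 'application/pdf'] },
  { mimeTypes: ['application/pdf'] },
  { mimeTypes: null }, // JavaScript disabled: only the <noscript> beacon fired
  { mimeTypes: ['application/x-shockwave-flash', 'application/x-java-applet',
                'video/quicktime', 'application/x-mplayer2'] },
];

console.log(pluginStats(SAMPLE_VISITS));
```

In a live page you would feed `detectPlugins` with `Array.from(navigator.mimeTypes, m => m.type)`. Current browsers have dropped NPAPI plugins and return a near-empty list, which is the point of the post: a plugin the page cannot see is a plugin the page cannot exploit.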
What are you thinking?
Do you know me personally? When you visit here, you are trusting that I won't try anything funny. I hate to say this, but you shouldn't trust me.
If you don't trust me, why would you visit here with Flash, Java, QuickTime, or PDF enabled in your browser?
High Risk Behaviors
PDF readers, Java and Flash are currently the top three ways that a web page gets a computer infected with a virus or worse: a malicious or compromised site hands the plugin a crafted document, applet or movie that exploits a bug in it, and the attacker's code then runs with your privileges without you clicking anything. Do yourself a favor and don't have them enabled in your browser.
Javascript Disabled – YES!
For the 8.6% of visitors with JavaScript disabled: a golf clap to you. That's how I surf too. Highly recommended. NoScript is the Firefox extension that provides this sometimes-on, sometimes-off capability: it blocks scripts on every site by default and lets you whitelist the few you decide to trust.
What are these other plugins?
Quicktime, Real audio, and Macromedia Director? Huh? Do people actually use those?
- RealPlayer has been thought to violate end-user privacy.
- Macromedia Director: is that still used by anyone? I guess elementary schools and governments might still use it for CBT (computer-based training). I've never seen it in any company I've worked at in the last decade.
- QuickTime is like a virus, if you ask me. I suppose all those people with QuickTime are really just people with iTunes installed, since I gather iTunes doesn't work without QuickTime. Oh well.
Disable and Remove them – at least from your Browser
Your web browser is on the front line in the war to keep your PC safe. Every browser add-on that is enabled is like breaking another bone on your little warrior just before sending him into battle: each one is more third-party code that any web page you land on gets to invoke.
Sure, you might need to view PDF files, but not in your browser. Save them to your hard drive and open them locally. That removes the drive-by (the page can no longer open the file for you), but the same reader still parses the file, so keep it patched and, if it is Adobe Reader, turn off its JavaScript support in the preferences as well.
Very few people actually need Java enabled in their browsers. Do you really run Java applets from websites? Probably not. There might be five websites a year that want to run a Java applet, and it is really dangerous. Mozilla (the Firefox developers) is considering disabling Java support in the browser over security concerns. Knowing this, do you really think having it enabled by default is a good idea? Almost 70% of you have Java enabled.
You wouldn't believe it, but there are actually people who trust you, and have whitelisted you in NoScript ;-)
I try to not enable javascript on any sites except where it is mandatory from a usability standpoint.
I don’t think that javascript is needed for anything here. Sure, it is used by the blog engine and by the web analytics engine (Don’t worry, it is internal and not google’s) that I use. Just blocked JS on this site and entered this comment. It seems to work just fine.
Is there any other reason to allow javascript on this blog?
I don’t think so.
It isn’t just that I can or cannot be trusted, the issue is whether this cluster of servers can be hacked or not. I don’t know of any set of servers that cannot be hacked, including mine, if an attacker has sufficient resources.
On the internet, being paranoid makes good sense.
I follow the exact policy you described in your first sentence. So I whitelisted you in NoScript for a reason. As far as I can remember it was something with the comment mechanism. If it works now (completely?) without javascript, maybe this was different at some point in the past?
You included NoScript on the Javascript section (and I’m sure you already know this) but in case anyone else is reading, I’d like to point out that NoScript also blocks Java, Flash, Silverlight, and “other plugins.”
I use both NoScript and Flashblock. It’s nice to have something that’ll still block flash with a slow connection if I’ve whitelisted the site in NoScript.
Also, it looks like I can't "Preview!" my comment without allowing your site in NoScript. Maybe that's why fireshadow whitelisted this site in NoScript a while back.
Brian Krebs came out with another Don’t Use Java article.
Top Programs / Plugins that you should not install in your browser
Obviously, if you make money with these tools, that is completely different, but these are the top 3 methods used to crack into systems now. Be careful.
If you must have them loaded for work, then please limit which websites can access those plugins. The easiest way that I know to accomplish this is with NoScript, a Firefox plugin.
Out of interest, if I set up a VM with a browser that has these plugins installed, will that protect my base system from getting infected?
I.e. will any problems be contained within the VM, or does this not provide any protection?
As an aside, I do like the Chrome ‘click to play’ setting for all plugins. Do you think that this provides adequate protection?
@Mk: Is running a browser inside a VM more secure than running it in the main OS? Probably. There are attack methods to break out of a VM and access the host OS. These are guest OS, virtualization and host OS dependent. They definitely exist.
Safer?
I believed that running in a VM is safer, but that VM is probably still on your local LAN, so once infected, it can infect other systems on the same subnet or internet.
Using a VM is not a license to surf without care. You are still at risk. What happens if a keyboard logger infects the host OS somehow? Now all your VMs are impacted if you use local access.
I don't use Chrome. Giving access to all browsing to the largest advertising company in the world seems like a really bad idea. Chromium is the F/LOSS version of Chrome. I guess there are other differences.
What I Do
I use a tiny Linux VM just for online banking. It runs Chromium. I only visit my company bank and my personal bank with that OS+browser.
There is no 100% certain way to protect yourself regardless of OS. Of course, some OSes are bigger targets than others.
Ok, that all makes sense. Thanks for the advice. I was actually thinking of switching to Chromium purely because it is F/LOSS. The main advantage of Chrome for me is the auto updating, as I figured the quicker it is updated, the more secure it should keep me. Perhaps not necessarily correct.
Very interesting idea to have a separate VM for banking. I may well consider that.
Thanks!
Chromium updates are managed by the package manager on Linux. No extra work at all besides the normal OS-wide apt-get update process.
If you are using Windows – well, you have bigger issues, IMHO. I don’t allow MS-Windows to surf the internet without
Basically, MS-Windows isn’t safe on the internet AT ALL.
Sometimes I’m forced to use Windows on the internet, but that is for specific needs only. Never for general purpose websites.
Sure, there are probably other Windows apps that need updates, and sure, I get lazy just like everyone else and pull them down in-app. Since most of my computer use is under Linux, I feel safer getting files there, dropping them on a network drive, then manually running antivirus scans (AV only looks for Windows viruses anyway), then copying over to the Windows box for installation/use.
The manual AV scan step is necessary.
I used to believe that Windows with AV protection was sufficient, then an older family member got infected. I’m positive she wasn’t visiting any known-bad-websites and had current patches for the OS and browser. She’s been on Linux over a year now and loves it.
For any lurkers, creating a Linux VM and using that for your general purpose browsing needs is pretty easy. To keep it easy and tiny, use TinyCore Linux or PuppyLinux for the VM, only boot from the ISO file (no need to install) and be certain to use NAT networking for the VM.
" If you are using Windows – well, you have bigger issues, IMHO" – haha!
Well I am currently on Windows – but planning on trying to live in Ubuntu for a while through a VM before making the switch. More than for security, it is really so that I can learn a little more about how linux works and to get a better understanding of computer basics. But the security is definitely a bonus.
Out of interest, do you use any anti-virus/malware protection in Linux? I know that the threat is much smaller – but surely there is still a threat?
If you want to learn Linux, Ubuntu isn’t the best way – especially the current Ubuntu desktop releases. I wrote another article about Learning Linux. Hope it helps. Obviously, just my opinions.
I don’t use AV under Linux on my main system. AV programs check for MS-Windows viruses. What good is that? I do run AV on the file server, but it has never found anything. With Linux, you don’t use an administrative level account very often, so any virus can only impact your single user, not the entire system. This is based on file permissions techniques that have been part of every UNIX system since 1980.
I’ve never had a virus under Linux, though I have had 2 hack/worm attacks get in. The last known success was 2002, but no damage was actually caused and I didn’t even wipe the system and start over thanks to a system backup that proved exactly which files had been touched. I didn’t even reboot. When I realized what was happening, I simply unplugged that machine from the internal network and started my research. The attacker never got root, so they were stuck using a special purpose userid that didn’t have any permissions on the file system. They could only write files under /tmp to launch further attack attempts. However, they could easily run a remote attack against others with that access. Not good.
The first attack really shouldn’t count. I was a complete noob and on a government network. This was before anyone really used firewalls and NAT had not been invented. Every computer on the network including dial-up connections had a public internet IP.
Thanks again for putting up with my basic questions!
I have found that article, but thought I would start with the basics first, see how I get on with the software alternatives, etc., and then if I am happy with the basics, delve a little deeper.
Sorry, but 1 more – what is the best way for a beginner to know if they have been compromised? Did you find it by checking log files? Because I guess that most lazier users (i.e. me) would never remember to do that regularly.
Sometimes there is no way to know you’ve been compromised and other times the system will scream at you.
It comes down to monitoring for unusual behavior. That can come in many different forms – programs not doing what you expect, huge amounts of bandwidth used, higher than normal CPU or RAM usage, or thousands of email messages sent out. Your system may send emails screaming that someone is trying to gain root access (that’s what happened to me) or that your account has been deleted – you don’t exist, go away. I’ve seen that too.
Or it could be that only the system logs show issues, so if you don't monitor the logs, you'll never know about a break-in. There are tools like logwatch and fail2ban that should help notify and prevent many of these problems, but there is no 100% certain way.
How do you know with Windows? Even if the AV program claims to have cleaned your system, how are you certain? I’m never certain on Windows after any virus and reinstall the OS from DVD.
With Linux, I can compare the currently running files on disk against my backups … yesterday, last week, last month. If something changed, I should remember it or be able to force a refresh of the package from the distro repository, right?
Thanks again for all the info! I guess on Windows, I just use malware scanners occasionally and rely on AV to let me know of any problems. Beyond that, I don’t investigate much. Which is why without both of these, I wondered what was best in Linux.
I will look into logwatch and I have seen fail2ban recommended on here already, so was planning on trying it.
Thanks again for your time!
John, you used Java and JavaScript interchangeably. If one disables Java (JRE under advanced options), does that disable JavaScript as well, such as web analytics code?