S 5.93 Security issues relating to the use of web browsers by Internet PCs
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The World Wide Web (Web) is certainly one of the most important services available on the Internet. Besides the wealth of information it provides, it also serves as a platform for interactive services, such as e-business and e-government. Internet PCs therefore usually require a browser, i.e. a client program for using the Web services. Popular Web browsers include Firefox, Microsoft Internet Explorer, Opera, Google Chrome and Safari.
Browser technology has developed at a rapid pace. Having moved on from their original function of loading and displaying text and images from the Internet, Web browsers have evolved into universal front ends for network-based applications. Browsers can handle a wide range of different media formats and also act as a platform for running programs and scripts - so-called active content. The latter includes the Java, JavaScript and ActiveX technologies. The functional range of modern browsers can be further extended with so-called plug-ins.
This wide range of functions entails complex configuration options and potential security problems. Due account should be taken of the following recommendations for configuring browsers used on Internet PCs in the interests of maintaining IT security.
Installation
The basic recommendation to restrict installation to those software components which are required applies especially to Web browsers and to the numerous plug-ins available. Most plug-ins are designed to display or play specific media formats, e.g. videos or radio programmes. There is a fundamental risk that design or implementation faults in the plug-ins will trigger unwanted actions when certain websites are called up, e.g. manipulation or compromise of local data. Only those plug-ins which are actually needed for routine work should therefore be installed.
Software vulnerabilities have been found not only in plug-ins but, in many cases, in the browsers themselves. These vulnerabilities can be exploited to circumvent security mechanisms or to cause other damage. Browser manufacturers therefore frequently publish patches, updates or instructions for eliminating these security gaps. Administrators should regularly consult the website of the relevant browser manufacturers to read up on newly discovered security gaps and should install any relevant patches or updates provided (see also S 2.35 Obtaining information on security weaknesses of the system).
A further problem is posed by external programs being called from the browser. Most browsers allow files to be opened or run with the relevant application program immediately after download. Downloaded files often stem from unknown sources. Consequently, there is a risk that undesired actions will be triggered when a file is opened or run. Potential dangers include buffer overflows in the application programs or harmful macros embedded in the files. To minimise this risk, as few application programs as possible should be installed on an Internet PC. Wherever possible, file viewers which do not support macros should be used for viewing certain formats, e.g. Word or Excel files.
All installed software components, e.g. plug-ins, patches, updates and viewers, should be obtained from trusted sources only, such as directly from the manufacturer or from official mirror sites.
Configuration
The Web browsers in prevalent use have complex configuration options. Many options have implications for the secure operation of the browser and therefore also for the IT security of the Internet PC. After standard installation, the browser settings do not normally meet the security requirements. Systematic checks should therefore be made on the individual configuration settings and changes made where necessary on the basis of the specifications in the policy governing usage and the guidelines for Internet PCs (see safeguards S 2.234 The design of Internet PCs and S 2.235 Guidelines for the use of Internet PCs). The following configuration recommendations should be taken into consideration:
If the Internet service provider (ISP) offers a proxy server, this offer should be utilised. To this end, the IP address and the port number of the proxy server need to be entered in the browser. With some browsers, this information needs to be entered separately for each service supported. Proxy servers usually support HTTP, HTTPS and FTP as a bare minimum. The required IP addresses and port numbers can be obtained from the ISP, either in the information provided or by asking the ISP.
The term active content refers to computer programs which are contained in Web pages or are loaded automatically while a Web page is being viewed. These programs are run on the Internet user's computer, either by the Web browser or the underlying operating system. Major examples of active content include JavaScript, Java and ActiveX technologies. As with every computer program, there is a risk with active content that the program code will go beyond its intended purpose and perform undesired or even detrimental operations. Active content may, for example, carry viruses or include Trojan horses.
Browsers do have some security functions to protect against damaging active content, but many software vulnerabilities have come to light in the past and these can be exploited to undermine these security functions (see also S 5.69 Protection against active content).
The browsers in prevalent use allow users to specify how active content will be handled. For the above reasons, the execution of active content should only be enabled in the browser if this is specifically stated in the concept of use or in the guidelines for Internet PCs. In this case, only the technologies required for daily work should be enabled, e.g. JavaScript.
Some browsers provide the option of saving personal information or passwords to allow them to be automatically entered in Web forms or sent to the Web server as authentication data, so as to save users from having to enter the information each time. Internet Explorer offers this option, e.g. under the AutoComplete function. This function should not be enabled, as it could allow passwords and personal information or information about the government agency or company to be passed on unintentionally.
Some browsers can also transmit user names and passwords automatically for logging on to FTP servers. In order to prevent passwords from being sent unintentionally to third parties, the browser should be configured so that FTP logins are anonymous by default.
Some browser configurations allow the user to choose whether downloaded files should be opened or saved automatically, or whether to be asked to confirm which action should be taken. This option should be set to Save or Confirm in order to prevent files from being opened or run accidentally.
So-called cookies can be used by Web servers to store data on the Internet PC and read them later on. This function is often used for virtual shopping baskets in Internet shops. In terms of IT security, cookies do not generally present a problem. However, it may be advisable to disable the storage of cookies for data protection reasons, because they can be used to generate profiles of user behaviour. The browsers in prevalent use can also be configured to prompt the user when a Web server tries to send a cookie. Depending on the Web services typically used, the user may receive numerous prompts, each of which has to be confirmed and interrupts the flow of work. Therefore, a decision on how cookies are to be handled has to be taken in each specific case, based on the use of the Internet PC.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols which can be used to protect communication between Web servers and Web browsers through encryption. SSL or TLS should always be used if available on the server. This is especially important when transmitting personal data, e.g. when e-mails are being picked up from the server.
Certificates can be used for authenticating communication partners, although in practice only SSL certificates are usually issued for Web servers. If additional client authentication is required, it is usually provided by other means, e.g. with user names and passwords (see also S 5.66 Use of TLS/SSL).
Browser software can usually verify the authenticity of an SSL certificate on the basis of the digital signature of a certification body. The certificates of some established certification bodies are supplied with those browsers in prevalent use. However, some server operators make use of other certification bodies. In that case, the authenticity of the SSL certificate cannot be verified directly. If frequent access is needed to a Web server to which this applies, the certificate of the corresponding certification body should, if available, be imported into the browser. To ensure the authenticity of this certificate, its fingerprint should be verified prior to import by independent means, e.g. by fax, telephone or e-mail. Only then can users be sure that the server really does belong to the relevant operator.
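The fingerprint check described above can be scripted. The following Python sketch is an added example, not part of the original safeguard: it computes the digest of a certification body's certificate file and compares it with the value obtained by independent means. The function names are assumptions made for illustration, and the sample consists of constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# The digest is inferred from the length of the announced value (hex digits).
ALGO_BY_HEX_LEN = {64: "sha256", 40: "sha1"}


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        # A bundle would make it ambiguous which certificate was checked.
        raise ValueError(f"expected exactly 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def normalise(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    hexval = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexval):
        raise ValueError("fingerprint contains non-hex characters")
    return hexval


def fingerprint_matches(pem_text, announced):
    """True only if the full digest of the certificate equals `announced`."""
    expected = normalise(announced)
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None:
        # Truncated or mistyped values are rejected, never prefix-matched.
        raise ValueError("fingerprint is not a full SHA-256 or SHA-1 digest")
    actual = hashlib.new(algo, pem_to_der(pem_text)).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: placeholder bytes in PEM armour, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes standing in for a CA certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    digest = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    by_phone = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    print("match:", fingerprint_matches(SAMPLE_PEM, by_phone))
```

The certificate should be imported only if the function returns True for the file that will actually be imported.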
As a general principle, only those functions which are necessary for performing the work for which the Internet PC is intended should be enabled in order to minimise potential attacks and Web browser misuse.
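As an added example (not part of the original safeguard), the following Python script audits a Firefox user.js file against the recommendations above on saved passwords, form auto-completion, downloads and active content. The mapping of recommendations to Firefox preference names, the assumed browser defaults and the sample file are assumptions of this example.

```python
import json
import re

# Assumed mapping of the recommendations above to Firefox preferences:
# name -> (recommended value, Firefox default, recommendation it covers).
BASELINE = {
    "signon.rememberSignons": (False, True, "do not save passwords"),
    "browser.formfill.enable": (False, True, "do not auto-complete forms"),
    "browser.download.useDownloadDir": (False, True, "ask before saving a download"),
    "javascript.enabled": (False, True, "active content off unless the guidelines allow it"),
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_prefs(text):
    """Parse user_pref("name", value); lines; commented-out lines are ignored."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = json.loads(raw)  # a later line overrides an earlier one
    return prefs


def audit(text, permitted=()):
    """Return (name, value, origin, topic) for every deviating preference.

    `permitted` lists preferences the local guidelines explicitly allow,
    e.g. javascript.enabled where JavaScript is needed for daily work.
    """
    prefs = parse_prefs(text)
    findings = []
    for name, (wanted, default, topic) in BASELINE.items():
        if name in permitted:
            continue
        value = prefs.get(name, default)  # unset means the default applies
        if value != wanted:
            origin = "set in file" if name in prefs else "browser default"
            findings.append((name, value, origin, topic))
    return findings


# Constructed sample user.js for illustration.
SAMPLE_USER_JS = """\
user_pref("signon.rememberSignons", false);
user_pref("browser.download.useDownloadDir", true);
// user_pref("browser.formfill.enable", false);
user_pref("javascript.enabled", true);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_USER_JS, permitted={"javascript.enabled"}):
        print(finding)
```

A preference that is missing from the file is reported with the browser default, so a commented-out or forgotten setting shows up as a finding rather than passing silently.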
Operation
Data and programs should be obtained from trusted sources to the greatest possible extent, e.g. the website of the manufacturer, the publisher of the information, or an official mirror site. Files and programs from the Internet should be checked for computer viruses if the format in question could be infected. Therefore, files and programs should not be run or opened automatically from the browser after download, but should first be saved to disk.
As already mentioned, cookies can be used to generate profiles of user behaviour. If the browser has been set to receive cookies, they should be regularly deleted. This can be done either from the browser or by deleting the file to which the cookies are saved. A variety of shareware tools are available on the Internet for managing saved cookies.
The cache of a browser is used to store Web pages temporarily on the PC so that they need not be downloaded from the Internet again if accessed again by the user. This reduces the time needed to load Web pages. Internet shopping in particular often requires the transfer of confidential information, e.g. credit card numbers. This information is stored in the browser's cache in some cases.
This entails the risk that this information could be read from the cache without authorisation and misused. If access to the Internet PC is not protected effectively, the browser cache should be cleared after the transfer of confidential information. Alternatively, the cache function can be disabled completely in the browser's configuration settings.
Review questions:
- Is installation of browsers restricted to those software components - especially plug-ins - which are required?
- Are the browser updates and patches provided by the manufacturer installed regularly and promptly?
- Has it been ensured that software components of the browser, such as plug-ins, patches, updates, viewers, are obtained from trusted sources only?
- Is the execution of active content only allowed in the browser if this is specifically stated in the concept of use or in the guidelines for Internet PCs?
- Has it been ensured that functions to save user data or passwords for Web forms are not used?
- Has it been ensured that downloaded files are not opened automatically?
- Are downloaded files checked with a virus protection program before they are opened or run?