m (→Pain Points)
(19 intermediate revisions by the same user not shown)
| Line 13: | Line 13: | ||
=== Malware Detection === | === Malware Detection === | ||
* Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites (IE) | * Prevent malware attacks | ||
* | ** Tell me if a download is suspected malware (FF3) | ||
* | ** Using virtual machine techniques (GreenBorder) | ||
* Extension installation - one click to permanently add site to whitelist (FF brainstorm) | ** Real-time with behavior-based profiling algorithms (Finjan SecureBrowsing FF extension, Haute Secure) | ||
* | ** Integrate sandboxing feature like Sandboxie; integrate virus scanning and malware protection for retrieved content/files (FF brainstorm) | ||
* | ** Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent (IE7) | ||
* Warn me when sites try to install add-ons (FF | ** Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites (IE) | ||
* Preventative options | |||
** Ability to disable handling and downloading of certain file types (FF brainstorm) | |||
** Extension installation - one click to permanently add site to whitelist (FF brainstorm) | |||
** Removes spyware (IE extension SpyWall Anti-Spyware) | |||
* Notifications | |||
** Notification whenever downloading or installing software (FF2) | |||
** Warn me when sites try to install add-ons (FF) | |||
=== Anti-Phishing === | === Anti-Phishing === | ||
* Highlight URL domain name in address bar (in FF3) | * Highlight URL domain name in address bar (in FF3) | ||
* Address bar protection - every window, including pop-ups, will show you an address bar (IE) | * Address bar protection - every window, including pop-ups, will show you an address bar (IE) | ||
* | * Ability to disable AJAX on certain sites; notify user if asynchronous calls are being made on user's behalf (FF brainstorm) | ||
* | * Tell me if the site I'm visiting is a suspected forgery (phishing), and offer to take user to search page to find the real website they were looking for (FF) | ||
** Check using a downloaded list of suspected sites | |||
** Check by asking Google about each site I visit | |||
* Phishing Protection (FF brainstorm) | |||
** Make it easier to report phishing sites | ** Make it easier to report phishing sites | ||
** Implement phishing filter that learns automatically; integrate w/ PhishTank | ** Implement phishing filter that learns automatically; integrate w/ PhishTank | ||
* Blacklisting | * Blacklisting of malicious websites (FF3) | ||
* Safe browsing whitelist | |||
* FirePhish - uses Open Phishing DB to provide user with info and tools to protect against phishing attacks (FF extension) | |||
*FirePhish - uses Open Phishing DB to provide user with info and tools to protect against phishing attacks (FF extension) | |||
** Blinking-red warning when entering high-risk phishing-suspected sites | ** Blinking-red warning when entering high-risk phishing-suspected sites | ||
** Green frame around location bar when entering sites on your safe list | ** Green frame around location bar when entering sites on your safe list | ||
* EV certificates (FF3) | |||
** Clear UI to indicate identity verified | |||
* Security status bar - color-coded notifications appear next to the address bar to notify user of website security and privacy settings. Address Bar turns green for websites bearing new High Assurance certificates (IE7, VeriSign EV Green Bar FF Extension) | |||
* International domain name anti-spoofing - notifies user when visually similar characters in the URL are not expressed in the same language (IE) | * International domain name anti-spoofing - notifies user when visually similar characters in the URL are not expressed in the same language (IE) | ||
* openID - decentralized single sign-on system that is possibly vulnerable to phishing attacks | * openID - decentralized single sign-on system that is possibly vulnerable to phishing attacks | ||
* Surf by IP protection (FF brainstorm) | * Surf by IP protection (FF brainstorm) | ||
** Disallow visiting sites by IP address (IP anywhere in URL) | ** Disallow visiting sites by IP address (IP anywhere in URL) | ||
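Review bot: the FirePhish entry now appears twice under Anti-Phishing (`* FirePhish - uses Open Phishing DB ...` and `*FirePhish - uses Open Phishing DB ...`), differing only in the space after the bullet; keep one so that its two sub-bullets (blinking-red warning, green frame around the location bar) hang off a single parent. The bullet `openID - decentralized single sign-on system that is possibly vulnerable to phishing attacks` describes a risk rather than a protective feature, so it sits oddly in a list of protections; either move it to Pain Points or reword it as the feature wanted (a phishing-resistant way of handling the redirect to the OpenID provider). The reorganisation that moves `Cross-domain barriers`, `Extension installation` and `Warn me when sites try to install add-ons` under `Prevent malware attacks`, `Preventative options` and `Notifications` reads well and keeps the browser tags, which is the right call.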
| Line 79: | Line 87: | ||
* Use a master password (FF) | * Use a master password (FF) | ||
** Change master password | ** Change master password | ||
* Enhanced password manager (IE extension - 1-Click SignupShield Suite) | |||
** automatically fills out forms | |||
** generates unlimited number of encrypted, unique passwords and disposable email addresses | |||
* Browser handles password generation; single password (FF extension - Magic Password Generator, IE extension - Password Scrambler) | |||
** Uniquely scrambles your single password for every site you visit | |||
=== Warning Messages === | === Warning Messages === | ||
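Review bot: the two new password bullets describe the same capability twice: `Enhanced password manager (IE extension - 1-Click SignupShield Suite)` and `Browser handles password generation; single password (...)` both come down to deriving a unique per-site password from one master secret, and `generates unlimited number of encrypted, unique passwords and disposable email addresses` is vendor wording rather than a feature description. Suggest a single bullet that states the capability (per-site password derivation from a master password, plus form filling) with the extensions listed as examples. It is also worth a clause distinguishing this from the existing `Use a master password (FF)` bullet, which only protects the stored password database and does not generate anything.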
| Line 90: | Line 103: | ||
** I submit information that's not encrypted | ** I submit information that's not encrypted | ||
** I'm about to view an encrypted page that contains some unencrypted information | ** I'm about to view an encrypted page that contains some unencrypted information | ||
*** Lock icon is crossed out, and address bar turns red | |||
** Warn when sending form data by email (iCab) | ** Warn when sending form data by email (iCab) | ||
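Review bot: the new sub-item `*** Lock icon is crossed out, and address bar turns red` carries no browser tag, unlike the neighbouring entries (`(iCab)`, and the `(FF)`-tagged items this section is built from); say which browser shows this for a mixed encrypted/unencrypted page so readers can compare it with the other warning-message behaviours.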
| Line 103: | Line 117: | ||
=== Other === | === Other === | ||
* Automated update - always checks to see if you're running the latest version, and notifies you when a security update is available (FF) | * Automated update - always checks to see if you're running the latest version, and notifies you when a security update is available (FF) | ||
* Word of mouth security | |||
** Social networks - 7 of your Facebook friends have purchased from this site | |||
** Personal sources - Your computer-savvy cousin says this site is safe | |||
** Online ratings - This site has 25 unresolved complaints according to BBB, and a reseller rating of 6.2 | |||
* Security history | |||
** You've been to this site before | |||
** Nothing has changed since the last time you were at this site | |||
** You're sending a password to a site that you've never visited | |||
* Page Security Scoring - use standard formula to calculate a score to provide consistent and trustworthy security context semantic to users | |||
* Browser Lock Down - remove security decisions from the user as much as possible; determine behavior based on configuration | |||
* Personally Identifiable Information Bar | |||
* Secure Remote Password Protocol | |||
* Watch for credit card numbers going out on the wire | |||
== Pain Points == | == Pain Points == | ||
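Review bot: several of the new `Other` bullets are bare titles with neither description nor source tag: `Personally Identifiable Information Bar`, `Secure Remote Password Protocol`, `Watch for credit card numbers going out on the wire`. The last one needs at least a sentence on scope, since inspecting outgoing form data for card-number patterns is a real design decision (what is inspected, whether it applies only to unencrypted submissions, what the user is shown), and the `Security history` and `Word of mouth security` groups in the same hunk show the level of detail the rest of the list has. `Page Security Scoring - use standard formula to calculate a score` should name or link the formula, otherwise `standard` cannot be checked, and `Browser Lock Down - ... determine behavior based on configuration` should say whose configuration (user, administrator, vendor default) the decisions would fall back on.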
| Line 137: | Line 165: | ||
* iTrustPage | * iTrustPage | ||
* YesScript - JavaScript blacklist | * YesScript - JavaScript blacklist | ||
* PwdHash - automatically generates per-site passwords, and the same password for each subdomain; prevents JavaScript from reading your password as it is typed | |||
=== | === Internet Explorer === | ||
==== Online Protection ==== | |||
* SpyWall Anti-Spyware - IE sandbox blocks attacks encountered while browsing the web; detects and removes spyware (not free) | |||
* 1-Click SignupShield Suite - enhanced password manager; protects against phishing fraud and automatically fills out forms; generates unlimited number of unique passwords and disposable Email addresses for signing up to Web sites. It fills sign-up forms and encrypts passwords and Email addresses for later use during sign-in. When you need to sign-in to a Web site, SignupShield automatically retrieves the correct e-mail address and password and fills in the sign-in form for you (not free) | |||
* McAfee SiteAdvisor for IE - protects from spyware, adware, spam, viruses, browser exploits, and online scams. SiteAdvisor has safety ratings. | |||
* Password Scrambler - automatically present unique passwords to the sites you visit, generated from a unique master password you choose. It achieves this by uniquely scrambling your password for every site you visit, so every site gets a unique, secure and hard-to-guess password, while you only remember one. | |||
==== Parental Controls ==== | |||
==== Pop-up Blockers ==== | |||
==== Privacy ==== | |||
== Web services/apps to investigate == | == Web services/apps to investigate == | ||
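Review bot: the three new sub-headings `==== Parental Controls ====`, `==== Pop-up Blockers ====` and `==== Privacy ====` under Internet Explorer are empty; either add entries or leave them out until there are some, since empty headings render as gaps in the page. The `1-Click SignupShield Suite` entry is pasted marketing copy (three sentences on sign-up form filling and retrieval of the stored e-mail address) and should be cut to the one-line form the `SpyWall Anti-Spyware`, `McAfee SiteAdvisor` and `Password Scrambler` entries use; `Password Scrambler` itself duplicates the capability already given for PwdHash on the Firefox side (`automatically generates per-site passwords`), so a cross-reference between the two would help.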
| Line 152: | Line 189: | ||
= References = | = References = | ||
* [http://www.microsoft.com/downloads/details.aspx?FamilyId=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en Internet Explorer 7 Desktop Security Guide] | |||
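Review bot: the new `References` entry (Internet Explorer 7 Desktop Security Guide) is not cited anywhere in the changed text; the `Protected Mode - runs in isolation from other applications in the OS ... (IE7)` bullet under Malware Detection and the `Security status bar ... (IE7, ...)` bullet under Anti-Phishing are the claims it supports, so add an inline reference at those bullets or the list stays orphaned.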