| Line 11: | Line 11: | ||
= Research = | = Research = | ||
== General capabilities == | == General capabilities == | ||
=== Malware Detection === | |||
* Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites (IE) | |||
* Downloads - if a webpage uses script to try to pop up a download box and force you to deal with it, IE intercepts the script and displays a prompt in the Information Bar instead (IE screenshot) | |||
* Protection from Spyware - notification whenever downloading or installing software (FF2) | |||
* Download actions - ability to disable handling and downloading of certain file types (FF brainstorm) | |||
* Extension installation - one click to permanently add site to whitelist (FF brainstorm) | |||
* Virus/Malware protection - integrate sandboxing feature like Sandboxie; integrate virus scanning and malware protection for retrieved content/files (FF brainstorm) | |||
* Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent (IE7) | |||
* Warn me when sites try to install add-ons (FF) | |||
=== Anti-Phishing === | |||
* Highlight URL domain name in address bar (in FF3) | |||
* Address bar protection - every window, including pop-ups, will show you an address bar (IE) | |||
* AJAX - ability to disable AJAX on certain sites; notify user if asynchronous calls are being made on user's behalf (FF brainstorm) | |||
* Phishing Protection - warn users of suspected forgery (phishing) sites, and offer to take user to search page to find the real webiste they were looking for | |||
** Make it easier to report phishing sites | |||
** Implement phishing filter that learns automatically; integrate w/ PhishTank | |||
* Blacklisting | |||
* Whitelisting | |||
* Security status bar - color-coded notifications appear next to the address bar to notify user of website security and privacy settings. Address Bar turns green for websites bearing new High Assurance certificates (IE) | |||
* International domain name anti-spoofing - notifies user when visually similar characters in the URL are not expressed in the same language (IE) | |||
* openID - decentralized single sign-on system that is possibly vulnerable to phishing attacks | |||
* Tell me if the site I'm visiting is a suspected forgery (FF) | |||
** Check using a downloaded list of suspected sites | |||
** Check by asking Google about each site I visit | |||
* Surf by IP protection (FF brainstorm) | |||
** Disallow visiting sites by IP address (IP anywhere in URL) | |||
** Allow local LAN IPs | |||
=== Other === | |||
==== Content Enabling ==== | |||
* Script execution - NoScript extension; integrate script execution whitelisting (FF brainstorm) | |||
* Enable plug-ins (Safari) | |||
** Block flash animations (Camino) | |||
* Load images automatically (FF) | |||
* Enable Java (FF) | |||
** Click to run applets (Omniweb) | |||
* Enable JavaScript (FF) | |||
** Allow scripts to: (FF) | |||
*** Move or resize existing windows | |||
*** Raise or lower windows | |||
*** Disable or replace context menus | |||
*** Hide the status bar | |||
*** Change status bar text | |||
*** Reorder windows (OmniWeb) | |||
* Block pop-up windows (FF) | |||
* Block web advertising (Camino) | |||
==== Cookies ==== | |||
* Accepting cookies (FF) | |||
** Exceptions (FF) | |||
** Show cookies/cookie manager (FF) | |||
** Discard when quitting (FF) | |||
** Only from the current site (OmniWeb) | |||
==== Passwords ==== | |||
* Remember passwords for sites (FF) | |||
** Exceptions | |||
** Show passwords | |||
* Use a master password (FF) | |||
** Change master password | |||
==== Warning Messages ==== | |||
* Secure Defaults/No Security Pop-ups - remove security pop-ups because users are trained to click on the default button to complete their task. Use secure defaults instead, and only provide notifications at the top of the browser (FF brainstorm) | |||
* Fix my settings - instantly reset internet security settings to "medium-high" default by clicking option in Information Bar. The browser warns user with Information Bar when current security settings may put you at risk. The bar continues to remind you as long as settings remain unsafe. Internet Control Panel highlights critical items in red when they are unsafely configured. (IE7) | |||
* Bookmarklets - warn users when attempting to bookmark javascript code (FF brainstorm) | |||
* Show a warning dialog when (FF) | |||
** I am about to view an encrypted page. | |||
** I am about to view a page that uses low-grade encryption | |||
** I leave an encrypted page for one that isn't encrypted | |||
** I submit information that's not encrypted | |||
** I'm about to view an encrypted page that contains some unencrypted information | |||
** Warn when sending form data by email (iCab) | |||
** Moving from a secure to an insecure page (Camino) | |||
==== Encryption (Protocols and Certificates) ==== | |||
* Lock icon - provides detailed information about the site's security certificate (in FF) | |||
* Digital signature information - provides more information about the publisher of a program and whether the program is digitally signed (IE Screenshot) | |||
* Use SSL 3.0 Protocol (FF) | |||
* Use SSL 2.0 Protocol (Flock) | |||
* Use TLS 1.1 Protocol (Opera) | |||
* Use TLS 1.0 Protocol (FF) | |||
* Certificate options (FF) | |||
== NOTES == | |||
=== Information Provided === | === Information Provided === | ||
* page info (click on lock) | * page info (click on lock) | ||
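Review bot: the left-only block that ends at "== NOTES ==" takes that level-2 heading out along with the feature lists, so on the right-hand side "=== Information Provided ===" and "* page info (click on lock)" now sit directly under "== General capabilities ==" instead of under NOTES. If the intent was only to drop the Malware Detection, Anti-Phishing and Other lists, keep the "== NOTES ==" line. Nothing in the right column replaces the removed lists, so if they were moved to another page, say where in the edit summary so the source attributions (IE, IE7, FF, FF brainstorm, Camino, OmniWeb and so on) can still be traced.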