CNS Navigation Bar
 
 

Browser Security

Back to UTORProtect Page

Did you know that your browser could be a security and privacy risk? You have probably heard of the various problems associated with web browsers. Browser security and privacy holes are many and range from cookies, java applets, JavaScript, ActiveX controls and just plain software bugs. These guidelines cover various Web browser security and privacy concerns in general and provide you with information that will enable you to choose how much protection you want to have when accessing the Internet with your browser.

Bullett About Cookies
Bullett Controlling Cookies
Bullett Security Issues Related to Java, JavaScript, and ActiveX
Bullett Making your Browser More Secure
Bullett Internet Explorer
Bullett Netscape
Bullett Terminating Sessions
Bullett Malicious Code
Bullett Confidential Information


About Cookies

A cookie is a small text file that is set by a web site and stored on your hard drive. The contents of the file is under the control of the web site and may contain information about you and/or your past and present surfing habits. You supply most of the information that a cookie gets about you. When you fill out a form that asks for your name and email address for example, that information may be stored in a cookie for future use. This is not necessarily a bad thing however. Cookies are most often used to customize your browser or for personalizing content delivery. In other words, if you go to www.yahoo.com and you choose to "Personalize" the page so that it shows your local weather and news, stock quotes, and entertainment, that information is stored in a cookie so that when you go back to the page all of your personalized settings are displayed for you. Cookies are sometimes used to track your browsing habits such as what sites you visited before and what sites you went to after the site that issued the cookie. This is often used for gathering statistics about the popularity of the site, market research and targeted advertising. A Web site can look at the cookie (only the site that issued the cookie can get access to this information) to see where you have been and where you are going so that the site can customize the banner ads that are displayed on your browser. You might notice when you go to a search engine like Yahoo or HotBot and type in a query, the banner ads that appear after you submit the search seem to be relevant to your search.

Back

Controlling Cookies

But what if you don't want any information about you to be collected by a web site? There are several ways to prevent cookies from being generated. The easiest way is to disable cookies in your browser options. By default, Internet Explorer and Netscape Navigator accept all cookies. However, you can set your browser to reject all cookies or accept only certain cookies.

To change Cookie settings in your favourite browser, follow the instructions below.

Internet Explorer

Click Tools from the menu. On the Tools click Internet Options. On the Security tab, choose Custom Level.

The Security Setting window is displayed.

From here you can select Enable, which is the default, Disable, which will reject all cookies, or Prompt, which will prompt you whenever a cookie is about to be set.

You should use the Prompt option with caution however since you may end up spending a lot of time rejecting/ accepting cookies!

Netscape

Setting up cookies in Netscape is a bit different than in Internet Explorer.

Click on Edit from the Netscape menu and then choose Preferences. Once the Preferences window pops up, click on Advance to change the preferences that affect Netscape. There is a section dedicated to cookies and you can pick one of the four choices available to you.

Netscape offers one more option than Internet Explorer, Accept only cookies that get sent back to the originating server. This ensures that only the site that you are currently visiting will get the cookie data, and not some other third party, thus preserving some of your privacy.

Caution:

Keep in mind that if you disable cookies, you cannot save any custom settings on any Web site. Also, some Web sites won't work at all without cookies being enabled on your browser. For example, many sites that require you to login before accessing certain pages use cookies to enable the authentication process.

In terms of security, cookies are the least that you have to worry about. The more serious security problems are related to the use of Java, JavaScript, and ActiveX controls.

Back

Security Issues Related to Java, JavaScipt & ActiveX

Java, JavaScript, and ActiveX controls are used by many sites to provide visitors with a more interactive experience. However, these controls pose one of the biggest risks to browser security. The reason is that Java and ActiveX are actually executable code that you download and run on your local computer. JavaScript is a scripting language that gets downloaded with an html page from a Web site.

ActiveX can be more dangerous than Java or JavaScript. The reason is that ActiveX can actually make system calls that can affect the files on your hard drive. With ActiveX controls, files can be created or overwritten and replaced with other files. Imagine the damage that could be done if your autoexec.bat were replaced with a different version. Many of the hostile ActiveX controls have been effectively blocked in Internet Explorer 5.01 and later versions.

Although JavaScript can be less destructive than Java or ActiveX, it can still pose some problems. It is relatively easy to create a local denial of service attack using JavaScript. Known security exploits of these controls have been fixed by Netscape and Microsoft. The important thing is to make sure that you have applied all security patches released by the vendors of the browser you are using. This holds true for any software you run on your computer whether it is a browser, or Microsoft Excel or Power Point.

You should check for security patches on vendor sites to make sure that your software is up to date.

For Netscape, visit the "Current" Security Notes page at http://home.netscape.com/security/notes/index.html and the "Previous" Security Notes page at http://home.netscape.com/security/notes/previous/index.html.

For, Internet Explorer, go to the security updates page at http://www.microsoft.com/windows/ie/download/default.htm.

Back

Making Your Browser More Secure

You can protect yourself from ActiveX, Java, and JavaScript problems though. It is easily done with either Internet Explorer or Netscape Navigator.

Back

Internet Explorer

Internet Explorer makes it easy for you to set the security level that you wish to use. You do this by going to the Tools menu and choosing Options. From the Options window select the Security tab. A window will pop up and will list the four content zones for which you can specify security settings. Each zone can be set to one of four security settings.

To set the security settings for a particular zone, highlight the zone. Then choose the Default Level for that zone or customize the security settings.

The default setting for the Internet Zone is Medium. This setting gives you the most browser functionality while still prompting you about possible unsafe content. The Medium setting disallows all unsigned ActiveX controls. Medium Low will give you the same functionality but you will not be prompted before content is downloaded. The Low setting allows all content to come through and gives you no security at all. High blocks everything - cookies, ActiveX, and Java - but your browser functionality will suffer as a result.

Keep in mind that some sites will not work without Java or JavaScript being enabled. It's all a matter of balance and need.

If you wish, instead of using the slider to set your browser security, you can customize the settings for a particular zone yourself. By clicking on the Custom level… button, you can set up your own custom level of security. For example, you can set the zone level to High but enable cookies manually so that you don't lose whatever custom settings you may have for certain sites.

You can also specify the actual sites that fall into the Local Intranet, Trusted Sites and Restricted sites zones. The example to the left shows the University of Toronto home page and the Computer Security Administration page as Trusted sites.

For sites in the Trusted Sites zone, you may also choose to require server certificate verification for all sites included in the zone. However, this is an all or none option. If you are going to include sites that do not require server certificate verification, then do not check off the Require server certification (https:) for all sites in this zone option.

Back

Netscape

Netscape's security settings are a little easier to set up, but you have far fewer options to choose from. To set up Netscape's security go to the Edit menu and choose Preferences. Click on Advanced in the left frame and you will be presented with a list of security options in the right frame. The only available options for ActiveX, Java, and JavaScript are enable or disable. There is no option for prompting. The prompt option is only available for cookies.

The default in Netscape is to accept all Java, JavaScript, and cookies. You have no option to accept or reject ActiveX, but since Netscape does not support ActiveX, you don't have to worry about it.

The default security setting for Netscape Navigator is Low. Changing the setting is easy. With Netscape you don't have the level of customization that Internet Explorer allows.

When you enter a secure site, in other words, a site that sends your information in encrypted form, both Internet Explorer and Netscape navigator give you a visual indicator that the site is in fact secure. With IE you will see a little closed padlock in the lower right hand corner of the browser window. In Netscape a similar padlock can be seen in the lower left hand corner of the browser. It is important that you verify that a site is secure before you send any information of a confidential nature over the Internet. Never send credit card information or any other confidential information unless the site offers encryption to protect the information.

Browser security has come a long way in the last few years. They have gone from being extremely insecure applications to applications that offer customizable security. But as long as there are "hackers" out there, new security holes will be found and exploited. Remember, always practice save surfing!

Back

Terminating Sessions

When you access a web site, your browser saves page images in cache. Cache is used by the browser to store images of pages you have visited. Web browsers do this in order to speed up access. Web browser also maintains a history of sites you have visited. If you do not clear the cache and history files, anyone can view the information you have accessed simply by using the back button on the browser.

Browsers have facilities that let you clean the cache and history lists.

Netscape History and Cache Cleanup

In Netscape, click on Edit and choose Preferences. Choose Navigator from the left frame. You can specify when pages in the history list expire be entering the number of days. You can also clear the history list by clicking on Clear History.

Browsers use two types of cache: Memory Cache and Disk Cache. You can clear Memory and Disk cache in order to ensure that no one else who has access to your computer can view information that you have accessed using the browser. To clear cache, click on Edit and choose Preferences. Choose Advance from the left frame and expand the list by clicking on the plus sign. Then click on Cache. To clear cache, click on Clear Memory Cache and Clear Disk Cache.

Internet Explorer History and Cache Cleanup

On the Tools menu in Internet Explorer, click Internet Options. On the General tab, click Settings. To delete temporary Internet files (cache) click Delete Files. To clear history, click Clear History. To clear Temporary Internet Files, click Delete Files and when the Delete Files window is displayed, click OK.

Back

Malicious Code

With the number of computer viruses and worms increasing on a daily basis, it is important that you have a virus-scanning program running on your computer. It is also important to make sure that the program is updated regularly so that it is able to detect new viruses and other malicious code. A few things to keep in mind:

  • Be careful of e-mail attachments since many viruses and worms are spread as e-mail attachments. If you are not certain of the contents and source of any attached files, you're better off to just delete the message.
  • Make sure that you update your virus-scanning program regularly. If you don't, you risk getting your computer infected and spreading viruses to colleagues. An out-of-date virus program can give you a false sense of security.
  • If your virus-scanning program has an active monitoring feature, make sure that it is turned on.
  • If your computer does become infected, contact your network administrator.

Back

Confidential Information

When using the Internet to view and transmit confidential information, make sure that you have a "secure" connection to the site you're visiting. When you are finished, clear the Cache and History files right away.

Back

 

Divider
All contents copyright © University of Toronto 2000-2003
This Site is maintained by the Computer Security Administration Group
Comments & Questions