
Browser Hardening: What, Why & How.

What It Is?

‘Browser hardening’ refers to ways in which we can tweak our web browser’s configuration, with the goal of enhancing its security and privacy.

What It Involves?

A great starting point is exploring your browser’s settings page and making some adjustments. This can be taken further by installing and configuring plug-ins. More advanced options exist ‘under the hood’ of most browsers, for example Firefox’s about:config page. I will explain some changes that can be made in each of these categories.

Relevance?

I believe the concept of browser hardening is an area which should be receiving extra attention, given the increased number of people working from home due to coronavirus. Employees may find themselves using hastily provisioned company laptops that may not have been optimally configured for security, due to time constraints.

The Problem?

The slew of different technologies available on the web inherently requires a browser to be versatile. This leads to its configuration being quite ‘open’ and ‘loose’, allowing most things to ‘just work’ for the greatest number of people. For a home browser, this may be less of a problem, as you are visiting a great variety of random websites. In an enterprise, however, there will be a smaller number of websites accessed, perhaps not justifying such an open configuration. The concept of least privilege should apply here: add or turn on features only if needed, instead of having everything on by default.

Browser Type

The upcoming tweaks can be applied to most modern web browsers, but not all. I recommend Firefox as I believe it is vastly more privacy focussed than Chrome. Firefox is completely open source and developed by Mozilla, a non-profit organisation. This contrasts with Google’s Chrome, which is proprietary and has rich data collection rooted in the core of its business model.

Privacy

The goal is to limit the amount of unnecessary information being sent to 3rd parties. Most of this information will be metadata, e.g. IP addresses visited and HTTP referrers. Although metadata does not contain the content of what you are viewing, it can still be quite revealing, particularly when aggregated and correlated.

Remember, you do not need to secure what you do not disclose.

The Tweaks

Settings Page

  • Always ask where to save files

Browser settings page, showing how to change download options.

This can help prevent some drive-by download attacks. An attack surfaced in 2017 whereby a user visiting a website may have a file automatically downloaded [1]. Without the browser prompting the user where to store the file, the user may be unaware of this activity. The attack utilised .scf (shell command file) files, which are used to fetch a program’s icon for display in Windows Explorer. Instead of pointing to a local resource, the attack makes a remote request to the IP of an SMB server. The SMB server thinks the user is trying to authenticate, so requests and receives the user’s Windows password hash.

  • Change the default search engine

Using any of Google’s products submits a wealth of metadata to them, such as: operating system, IP address, search terms, location and browsing history to name but a few. This is especially true using the Chrome browser whilst signed in. Surely this is information best kept private. An alternative search engine such as DuckDuckGo greatly reduces the amount of information disclosure, whilst maintaining an acceptable quality of search results for general browsing.

Installing Plug-ins

  • uBlock Origin

Blocks adverts, pop-ups, trackers and remote fonts.

‘Malvertising’ is a method of delivering malware via a user’s interaction with a malicious advert. uBlock helps by blocking adverts, thus reducing the risk of a user interacting with any malicious adverts. Invisible tracking scripts, pixel trackers, 3rd party cookies and fingerprinters are all means of obtaining, often sensitive, information about the device you are using and your browsing activity. This is then sent back to a 3rd party to whom you did not give consent to obtain this information.

Preventing these trackers, scripts, and adverts from loading is not only beneficial for security and privacy, it also reduces the bandwidth needed to serve pages. For example, browsing to https://www.cnn.com/ without uBlock Origin installed shows 12MB of data being downloaded, with 255 connection requests being made to numerous advertisement delivery platforms and 3rd parties. With uBlock turned on, these figures are cut to 6MB and 90 requests.

The use of plug-ins is a balancing act, as the more plug-ins you install in your browser, the more unique it becomes online. This enables more effective fingerprinting. A good website to test this is https://panopticlick.eff.org/.

Under the Hood

More advanced browser hardening techniques exist at the about:config tab in Firefox. Adjust the following parameters to the values shown:

  • geo.enabled = false

Browser pop-up, asking the user to allow Location Access

If you click ‘Allow Location Access’, Firefox uses Google’s Location Services to determine your location. To do so, the following information is sent to Google, as per their privacy policy:

  • Wi-Fi routers closest to you
  • strength of Wi-Fi or cellular signal
  • IP address
  • user agent information
  • unique identifier of your client

Changing the value to false prevents this disclosure. Interestingly, location determination through visible access points was made possible when Google deployed its Street View cars. As well as capturing images they also harvested a global database of public SSIDs.

  • network.dns.disablePrefetchFromHTTPS = true
  • network.dns.disablePrefetch = true

Research has shown that by allowing DNS prefetching, in any browser, it is possible for a determined attacker to reverse engineer the search terms used in an online search [2]. This is done by either accessing DNS BIND logs directly or remotely snooping on the victim’s cache. Prefetching is almost always on by default. The only downside of disabling it is a slight increase in page load times.

  • media.peerconnection.enabled = false

WebRTC was traditionally used to support voice and video calling directly within the browser without needing plug-ins. More recently it has seen adoption by content delivery network (CDN) providers such as Akamai. To facilitate this functionality, requests are made to STUN servers, which reveal the user’s real, deanonymized, public IP address, even if they are using a VPN. This means a user’s true IP can be revealed to any website that issues a STUN request to the user’s browser.

Marketers and tracking companies can utilise this flaw to gather your real information. This could be particularly effective if used in a phishing attack.

Google’s Chrome browser is the only major browser in which WebRTC cannot be disabled via the settings.
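One way to check a Firefox profile against the four about:config values listed above, as an added example that is not part of the original article: it parses the `user_pref()` lines Firefox writes to a profile's `prefs.js` and reports the state of each setting. The function names are illustrative and the sample profile text is constructed.

```python
import re

# Baseline: the four about:config values recommended in this article.
BASELINE = {
    "geo.enabled": False,
    "network.dns.disablePrefetch": True,
    "network.dns.disablePrefetchFromHTTPS": True,
    "media.peerconnection.enabled": False,
}

# Matches lines such as: user_pref("geo.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value}; booleans are converted, other values kept as text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, baseline=BASELINE):
    """Compare a profile's prefs with the baseline; return {name: status}."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in baseline.items():
        if name not in prefs:
            report[name] = "not set in profile (browser default applies)"
        elif type(prefs[name]) is type(wanted) and prefs[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = f"mismatch: found {prefs[name]!r}, want {wanted!r}"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("geo.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.dns.disablePrefetch", true);
"""

print("\n".join(f"{k}: {v}" for k, v in audit(SAMPLE_PREFS).items()))
```

A preference that is absent from `prefs.js` is still at the browser's default, so "not set" means the value has to be checked in about:config, not that it is known to be unsafe.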

 


References

[1] Cimpanu, C. (2017). You Can Steal Windows Login Credentials via Google Chrome and SCF Files. [Online] Bleeping Computer. Available at: https://www.bleepingcomputer.com/news/security/you-can-steal-windows-login-credentials-via-google-chrome-and-scf-files/. [Accessed 29 July 2020].

[2] Krishnan, S. & Monrose, F. (2010). DNS Prefetching and its Privacy Implications: When Good Things Go Bad. University of North Carolina at Chapel Hill. Available at: https://www.usenix.org/legacy/events/leet10/tech/full_papers/Krishnan.pdf/. [Accessed 30 July 2020].

Imagery by Richy Great & Fuu J

 
