Talk:Browser security

From Wikipedia, the free encyclopedia
WikiProject Computer Security / Computing (Rated Stub-class, Mid-importance)
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Stub-Class on the project's quality scale.
This article has been rated as Mid-importance on the project's importance scale.
This article is supported by WikiProject Computing.

Article POV

This article appears to be a poorly disguised attempt to promote software like Noscript and take shots at Google Chrome for not making APIs available for Noscript to work. Weighting does not mirror the various browsers' share of the market, nor reflect the other security options available to protect browsers. I've addressed some of the concerns, but there's more before that tag can be removed. Socrates2008 (Talk) 10:25, 24 March 2012 (UTC)

Do you even understand the meaning of Wikipedia:Assume Good Faith at all? Did you not notice that I deliberately added that all browsers have security issues in the lead of it too?
I agree that security issues on all browsers should be covered, but I haven't done enough research into other browsers - The solution here is WP:SOFIXIT and write about what you know about the other browsers, not to remove the content that there *is* smile --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:38, 24 March 2012 (UTC)
I do. And I urge you to stop reverting my WP:AGF attempts to clean up this article and instead raise your concerns here. Also, if you remove the POV tag again without consensus here, I shall seek admin intervention. Socrates2008 (Talk) 10:43, 24 March 2012 (UTC)
I already have, and it's like you're deliberately trying to avoid a discussion... I already suggested what seems to be the best thing to do, and you didn't even reply to it - why? It's really really simple, if you think an article is "weighted" in having too much coverage for one browser, *add more about the other browsers*, WP:SOFIXIT, don't delete the content there is, bearing in mind it's a short article... Like I said, WP:AGF, the reason there's less coverage of other articles is because no one's written about it yet. If that's what you are angry about, why not add bits about the other browsers? --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:48, 24 March 2012 (UTC)
There's only seven links, and you've tagged it as 'excessive and inappropriate', what is the reason? --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:49, 24 March 2012 (UTC)
I see you reverted again without discussion, this time saying it's because the source is a "blog" and to look at the policy - have you, though, recently? Because it says there that there shouldn't be "Links to blogs, personal web pages and most fansites, except those written by a recognized authority. (This exception for blogs, etc., controlled by recognized authorities is meant to be very limited; as a minimum standard, recognized authorities always meet Wikipedia's notability criteria for people.)" (which then links to WP:V for the recognized authorities bit, which says: "Self-published expert sources may be considered reliable when produced by an established expert on the topic of the article whose work in the relevant field has previously been published by reliable third-party publications"), which would be an accurate description of the people I quoted. The medium written on doesn't matter so much when someone is notable and it's verifiably written by them, it's no different than if they published it on their home page or a forum page on their site --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:57, 24 March 2012 (UTC)
Some of the external links are already linked in the article, therefore inappropriate to link again. There are several links to Mozilla website when one will do. Links need to comply with the policy lest they suggest that WP is endorsing them. If a link is really that important to the article, then write a paragraph about it to put it in content and add a reference. Socrates2008 (Talk) 11:01, 24 March 2012 (UTC)
Wikipedia policy is created by people much smarter than you or me - unfortunately there's no room for individual editors to selectively override a core policy like WP:RELY when they see fit. Socrates2008 (Talk) 11:01, 24 March 2012 (UTC)
Wikipedia:Ignore all rules actually directly contradicts you there, when it makes sense it's perfectly reasonable to override rules - WP:5P - Anyone can write policies depending on who is around at the time, they are actually written often by children, check out Essjay. Policies aren't like some kind of infallible bible.
But that's not the real point, I just wanted to point out that comment you said there is very, very wrong - what is the point is that they are within the policy, I explained why, and you don't even address that. The whole point of external links is relevant ones on the topic, they don't only have to be references depending on whether it's a site that you WP:IDONTLIKEIT... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:13, 24 March 2012 (UTC)
See next section for EL comments. No, policies may not be arbitrarily overridden, particularly over such a core issue as referencing. And with respect, if you're suggesting that WP is run by children, then I'm both surprised and disappointed, as you appear to have an established edit history here. Socrates2008 (Talk) 11:35, 24 March 2012 (UTC)

Issues with external links

  • Why is duckduckgo.com mentioned in the "See also" as well as the "External links" section? What's the heavy weighting, and what's the relevance to the article? Very simply, why should this not be considered as spam?
    • DuckDuckGo (like Ixquick) is only one of two rare search engines that have full security for browsers in that they do not engage in web analytics or collecting personal information for behavioral marketing. As for calling me a spammer again, do you really think either of those sites would encourage links to each other in any way given that they are competitors? Again, you need to WP:AGF, I only posted that stuff because I cared about trying to help people in general, as broken as Wikipedia is, there should at least be something on this even if it inevitably gets destroyed by people wanting to push a point... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:38, 24 March 2012 (UTC)
  • This has absolutely nothing to do with AGF. You need to explain in the article what the relevance is as it's not obvious - and the double linking just makes it look like spam. (This may help to explain what I mean.)
  • Mozilla.org is linked 3 times - why the prominence? NoScript and Adblock are both already internally linked in the article text (WP prefers internal links to external links)
    • Mozilla.org is not linked 3 times, you know that, it's not even linked once. Linking to pages about completely different subjects that happen to be on the same site is not the same. Especially when the other subjects (such as NoScript/AdBlock/BetterPrivacy/Flashblock) aren't even owned by said website either... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:38, 24 March 2012 (UTC)
  • AdBlock & NoScript are already internally linked in the article, and therefore do not comply with WP:EL. Linking them again in this section is also giving them undue prominence.
  • What is the relevance of aolstalker.com to the article? Without any context, it looks like spam. Ditto for ixquick.com
  • "the only third-party certified search engine in the world that does not record your IP address or track your searches" is unreferenced and appears like an endorsement from Wikipedia. Socrates2008 (Talk) 11:24, 24 March 2012 (UTC)
  • The relevance is not obvious at all. If you think it's that important, then write a section on it, explaining why it's relevant and adding a reliable reference that supports this.

Referencing

[1] is an advertisement, and therefore fails WP:RELY. Socrates2008 (Talk) 11:44, 24 March 2012 (UTC)

No that is not an "advertisement", that is the official page... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:45, 24 March 2012 (UTC)
...where the software is being promoted. Promotional material does not meet WP:RELY - if you find an independent source, it will carry much more weight, and won't raise any eyebrows about bias. Socrates2008 (Talk) 11:55, 24 March 2012 (UTC)
It is an independent page though, Adblock Plus is not owned nor officially endorsed by the Mozilla Foundation in the same way that something on Google isn't owned by them... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 12:00, 24 March 2012 (UTC)
The text on the Mozilla site is submitted by the software author in order to promote his product. Find an independent reference, and no-one will doubt it. Socrates2008 (Talk) 12:05, 24 March 2012 (UTC)

Suggestions for article improvement

  • Cover security issues in browsers other than Firefox. For example browser helper objects in IE
  • Privacy issues are a whole subject on their own - tracking cookies, including mechanisms around countermeasures, like using Flash cookies or making people authenticate.
  • Using the principle of least privilege (not browsing the web as an admin).
  • User account control and Protected Mode
  • Some people believe that security issues in browser plugins like Adobe Flash, Reader & Java are now a bigger issue than those in the browsers themselves
  • Security update mechanisms in different browsers
  • Issues with rogue access points and other man-in-the-middle attacks
  • DNS hijacking
  • Session cookies have a whole host of issues
  • Certificate issues; 40-bit security
  • Vulnerabilities in the SSL protocol
  • Keyloggers
  • Scareware popups

Socrates2008 (Talk) 12:37, 24 March 2012 (UTC)


  • Remote Browsing: An examination of the newly emerging strategy of complete hardware separation between the browser and the user's machine (browsing remotely while maintaining a functional user interface is currently being developed by Spikes, www.spikes.com). It is a technology that is now becoming functional, but I am not impartial (work for Spikes) so I will just suggest that the article be edited to mention this, previously dismissed, approach to browser security. (Spikes is currently in talks with the White House task force on cybersecurity to have remote browsing added to the technologies under consideration for future recommendations, so it may soon begin replacing sandboxing).

Alxfarr (Talk) 5 June 2013

external links

I removed a number of external links to search engines. While I'm sure it's useful for people to know about search engines that have good privacy policies, this is not the article where they should be linked, as whether a search engine records your searches has about zero to do with which browser you are using - Internet privacy would be a more appropriate place for such links. I've kept for now the links to AdBlock/NoScript etc, but the section on these needs to be trimmed down, there is too much detail on why a particular developer of a particular piece of software isn't putting that software inside a particular browser. If you like, I could do this, but want to give MSK a chance first. Additionally, it would be great, as Socrates2008 suggests, to cover some of the other browser security issues, rather than focusing so much space on one or two scripts for Firefox. I think this is an important article, so glad there is attention being paid, but it should focus on the issues particular to browsers, and not to more generic internet exploits or generic privacy issues. --Karl.brown (talk) 23:53, 24 March 2012 (UTC)

rewrite

This is my suggestion for a rewrite. Many of the points mentioned in the article presented a limited view of browser security. This should address most of the mentioned issues. You all will need to find additional supporting references.

Browser security is the application of Application security to web browsers to protect computer systems (and potentially networks) from harm or breaches of privacy. Browser security exploits often use Mobile code technologies such as JavaScript, ActiveX, Java, or they may compromise the browser itself. ref-http://www.cert.org/tech_tips/securing_browser/#features

Description

Breaches of browser security are usually for the purpose of bypassing protections to install Malware. As computer operating systems security has been increased, attackers have had to resort to attacking the programs running on the PCs. Most often, the only service available to a remote attacker is the browser. In drive-by download attacks, malicious code is uploaded to a compromised (but legitimate) website, or displayed via an advertisement. In addition, the attacker may host the code on a dedicated web server of their own. In some cases, malicious code on the webserver automatically runs and exploits a vulnerability in the web browser itself, or in plugins running within the browser. In other cases, a user is deceived into executing the code. After successful exploitation of the initial attack, the attacker may establish further, more permanent access to the system, generally by either pivoting services, or by downloading additional software to retain access.

Prevention

Whilst many vulnerabilities are in the software itself and can only be prevented via keeping browser software updated with patches, ref-http://itsecurity.vermont.gov/threats/web_attacks some subcomponents of browsers such as scripting, add-ons and cookies are particularly vulnerable to attack and also need to be addressed. The US National Security Agency recommends using a web browser with sandboxing capabilities, which will contain most of the effects of exploitation to the browser itself. If using a web browser with a PDF plugin, either disable this component if not needed, or ensure that the PDF runs in protected mode. The NSA also recommends disabling scripting within the browser (though this may limit functionality in many websites) by using add-ons such as NoScript (Firefox), NotScript (Chrome), or Internet Options (IE). ref-http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf In addition, individuals may want to block advertisements to prevent malicious ads from being displayed. Most browsers have some form of adblocking technology or add-in.

-- Sephiroth storm (talk) 15:45, 27 March 2012 (UTC)

Rewrite - broadening scope

I rewrote hopefully broadening the scope of this article covering the issues above. It is a bit rough for now, and needs polishing. Widefox (talk) 14:55, 11 April 2012 (UTC)