Exactly how secure is your browser? How much information can be extracted from your online browsing profile?
Why do you seem to see ads related to things you have searched for, recently bought, or read about?
What is the cost of having your profile completely exposed?
How can you better protect your online privacy?
This article hopes to help you answer these and other questions and provide ways to better protect your online privacy.
It is important to note that companies that make browsers we use most often, the likes of Google (Chrome), Mozilla (Firefox), Apple (Safari), Microsoft (Edge), Opera, etc. Try as much as possible to protect users and their personal information when using these products.
Therefore, this article is not aimed at undermining those efforts but to help you, the user, make educated choices when using these and other browsers for various activities.
The Internet is our gateway into the world, to help us reach anywhere virtually for information, trade, business, communication, and all other needs and necessities. Hence, the need to secure ourselves as we would ordinarily do in the real world, as not everyone on the Internet has honest intentions.
While you may have anti-viruses on your computer that block all kinds of computer malware, your browser may also be vulnerable. Let’s take a deep dive into some possible vulnerabilities.
XSS (Cross-Site Scripting)
Cross-site scripting can simply be described as a code injection (usually, Javascript code). The aim of this kind of attack is to compromise the security of a web application via the client (mostly via browsers). Attackers aim to use this kind of attack to exploit weak validations and a lack of Content security policy (CSP) on some web applications.
There are different kinds of XSS; let’s take a closer look at what they are and how they can be used.
Reflected XSS
This is a very common type of XSS used to toil with the client-side of an application. The code injected here is not persisted in the database but is expected to elicit a response from the application’s client-side. Hence the name ‘reflected.’ This attack works successfully in a case where the application takes in user input and returns that input after some processing without saving it to the database.
A common example is a miniature chat forum, where the messages do not persist in the database. In such cases, the application takes in user inputs and outputs them as HTML. An attacker could enter a malicious script into that chat forum, such as changing the app’s design or colors by entering some CSS in script tags.
It could get worse for other users of the application because the script will essentially be executed on their browsers, which could lead to information theft, like stealing your auto-fill information saved on the browser. Lots of users prefer saving commonly typed information on forms like names, addresses, and credit card information, which in this case, is a bad idea.
DOM XSS
DOM – Document Object Model, is the programming interface that interprets the HTML (or XML) used on webpages and hence defining the logical structure of that particular webpage. This type of XSS exploits web applications with unsafe-inline javascript code in the markup that makes up the webpage. XSS used here can be used to directly modify the DOM. This could be used to alter almost any part of the webpage the user interacts with, which could lead to phishing.
Stored XSS
This is a type of XSS where malicious code is not only reflected back to the user but also persisted (stored) to the database of the web server on which the web application is hosted. This type of XSS is even more dangerous because it can be re-used to attack multiple victims because it is stored (for later use). This can be the case where form submissions by users are not well validated before being sent to the database.
Generally, XSS could be of any type in combination; a single attack could be both reflected and persisted. Techniques employed in executing the attack may also vary but contain commonalities with those mentioned above.
Some major browsers, like Chrome and Edge as a security feature, developed their own client security protocols to avoid XSS attacks known as X-XSS-Protection. Chrome had the XSS Auditor, which was introduced in 2010 to detect XSS attacks and stop such webpages from loading when detected. This was, however, found to be less helpful than initially hoped and was later removed after researchers noticed inconsistencies in its results and cases of picking false positives.
XSS attacks are a difficult challenge to tackle from the client side. The Edge browser also had the XSS filter, which was later retired. For Firefox as the MDN (Mozilla Developer Network) website has it,
Firefox have not, and will not implement
X-XSS-Protection
Third-party Tracking
Another important part of establishing your online privacy is to be savvy about third-party tracking cookies. Cookies are generally considered good on the web as they are used by websites to uniquely identify users and to be able to tailor the user’s browsing experience accordingly. Such is the case for e-commerce websites where they use cookies to keep your shopping session and also keep the items you have added to the cart.
These kinds of cookies are known as first-party cookies. So when you are browsing sites on geekflare.com, cookies used by geekflare.com are first-party cookies (the good ones).
There are also a few cases of second-party cookies, where websites offer (or sell) their first-party cookies to another site to serve ads to the user. In this instance, the cookies could be considered as second-party. Third-party cookies are the large ads-driven cookies that are used for cross-site tracking and re-targeted advertising.
These are cookies put on users’ browsers without knowledge or consent of the user to get information about the user and all kinds of data profile, like websites the user visits, searches, the ISP (Internet Service Provider) the user uses, the laptop specs, the battery strength, etc. This information is used to form an internet data profile around the user, such that it can be used for targeted advertisements. Attackers who steal this type of information usually do this a type of data mining and can sell this data to large advertising networks.
Firefox, in September 2019, announced that it would be blocking third-party tracking cookies by default on both the desktop and mobile browser. The team referred to this as Enhanced tracking protection, which is indicated on the address bar of the browser with a shield icon.
The Safari browser in Apple devices also blocks third-party cookies from tracking their users across the web.
On Chrome, the third-party tracking cookies are not blocked by default. To enable this feature, click on the three vertical dots on the top right-hand corner of the browser window to reveal a dropdown, then click settings
, on the settings tab, to the left, click privacy and security
, then click site settings
, then click cookies and site data
, then toggle the option that reads Block third-party cookies
.
Cryptominers
Some websites on the Internet contain crypto-mining script either by the owner of the website or by a third-party. These scripts enable the attacker to utilize the victim’s computing resources to mine cryptocurrencies.
Although, some website owners do this as a means of funding usually when they provide free services and argue that its a small price to pay for the services they offer. These sets of websites usually leave messages for the user to be aware of the cost of using their service. However, many other websites do this without informing the user. Which could lead to serious PC resource usage. Hence, it is important to have these things blocked.
Some browsers have in-built utilities to block such scripts such as Firefox, which has a setting to block cryptominers on both web and mobile. Likewise opera. For Chrome and Safari, extensions are required to install on your browser to achieve the same.
Browser Fingerprinting
As defined on Wikipedia,
A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification.
A browser fingerprinting is fingerprint information collected via the user’s browser. A user’s browser can actually provide a lot of information about the device is used. Different exploits are used here even html5 `<canvas>` tags have been known to be used for fingerprint. Information like device specs such as device memory size, device battery life, CPU specs, etc. A piece of fingerprint information could also reveal a user’s real IP address and geolocation.
Some users tend to believe that using incognito mode on the browsers protects from fingerprints, but it doesn’t. Private or incognito mode isn’t truly private; it only doesn’t save cookies or browsing history locally on the browser; however, this information would still be saved on the website visited. Hence fingerprinting is still possible on such a device.
Web RTC Leaks
Web RTC (Real-Time Communication). Web RTC came as a breakthrough for real-time communication over the web. According to the Web RTC website.
With WebRTC, you can add real-time communication capabilities to your application that works on top of an open standard. It supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions.
Interesting as it is, In 2015, a GitHub user (‘diafygi’) first published a vulnerability into Web RTC which reveals lots of information about a user, such as the Local IP address, public IP address, the device’s media capabilities (such as a microphone, camera, etc.).
He was able to do this by making what is known as STUN requests to the browser to divulge that information. He published his findings here -> https://github.com/diafygi/webrtc-ips
.
Since then, the browser has implemented better security features to protect against this; however, the exploit has also been made better over the years. This exploit still remains till today. By running simple security audits, a user would be able to see how much information can be gotten from a Web RTC information leak.
On Chrome, some extensions can be installed to offer RTC leak protection. Likewise on Firefox with addons. Safari has an option to disable Web RTC; however, this may impact the use of some real-time chat web apps over the browser.
Browsing through a proxy
Free web proxies seem to help you get better privacy by bouncing your web traffic over ‘anonymous’ servers. Some security experts have concerns over how much privacy this provides. The proxies may shield a user from the open Internet but not from the servers where the internet traffic goes through. Hence, using a malicious ‘free’ web proxy built to harvest user data could be a recipe for disaster. Instead, use a premium proxy.
How to test browser security?
Browser tests give you an insight into just how much information could an attacker derives from you via the browser and what you need to do to stay protected.
Qualys BrowserCheck
BrowserCheck by Qualys does a quick check on your browser for tracker cookies and known vulnerabilities.
Cloudflare ESNI Checker
Cloudflare does a quick check on your browser’s DNS and TLS stack for vulnerabilities.
Privacy Analyzer
Privacy Analyzer scans your browser for any type of privacy loopholes, including fingerprint analysis.
Panopticlick
Panopticlick offers to test for third-party tracking cookies, and also offers a chrome extension to block further tracking.
Webkay
Webkay provides a quick view of what information your browser readily gives out.
SSL/TLS Compatibilities
Check if your browser is vulnerable to TLS vulnerabilities.
How’s My SSL?
All-round SSL level checks on your browser. It tests for TLS compression, Cipher suites, session ticket support, and more.
AmIUnique
Are you?
AmIUnique checks if your browser fingerprint has been in any previously collected fingerprint in the world.
How to harden browsers?
You need to be more proactive with their privacy and security, hence the need to be sure of what security setting in available on the browser. Every browser has privacy and security settings, which grants the user control over what information they can give out to websites. Here is some bit of guidance on what privacy settings to set in your browser.
- Send ‘Do not track’ requests to websites
- Block all third-party cookies
- Disable ActiveX and flash
- Remove all unnecessary plugins and extensions
- Install privacy extensions or addons.
Use a privacy-focused browser on mobile or desktop.
You may also consider using a premium VPN, which offers invisibility over the Internet from trackers, scanners, and all kinds of information loggers. To be truly private on the Internet is with a VPN. ‘free’ VPN services, however, have similar problems discussed above on free proxies, you are never sure about which web server your traffic is going through. Hence the need for a reliable VPN service, which will provide much better security.