Tuesday, June 02, 2009

More comments on CERT's security guide for browsers; more comments on spy cookies


As noted here last August, CERT (Computer Emergency Response Team Coordination Center at Carnegie Mellon) offers a paper by Will Dormann and Jason Rafail, “Securing Your Web Browser,” that is an excellent overview of the “real dangers” in ordinary web surfing at home. (Yup, the title of this posting reminds me of a "More Streets and Roads" reading textbook in Third Grade, back around 1952.)

The paper is constructively critical of some features of popular browsers. Microsoft Internet Explorer depends on ActiveX technology to run many applications, but Microsoft has experienced vulnerabilities that have required numerous patches.

When people take beginning Java courses, they usually learn that Java code is executed by a Java Virtual Machine and that the code lives inside an “applet” provided by a website. Although applets are supposed to run in a “sandbox” (no reference to Joshua Cooper Ramo’s “sandpiles” here), some applets and websites bypass these restrictions, as with “unsafe code”.

Plug-ins can also contain unsafe code, allowing for buffer overflows.

The paper discusses cookies, which identify a visitor to a website. Cookies that remain on users’ computers could allow hackers to gain unauthorized access to the originating sites.

The link for the paper was given in the August 11, 2008 entry (q.v., label below).

Benjamin Edelman has an interesting essay “Cookies Detected by Anti-Spyware Programs: The Current Status,” link here.

He offers a chart on how various vendors (including McAfee, Norton, and Spysweeper) react to different kinds of cookies, and comes to the conclusion that cookie deletion by commercial anti-spyware packages doesn’t always serve the consumer’s interest. Cookies, improperly deployed, could become more dangerous to the web server than the user. Cookies would seem to allow vendors to obtain significant information about visitors (consider, for example, Nielsen Ratings, which will pay selected visitors to be tracked just as with television). There is a small but definite danger that hackers could then get information about the visitors through the site. But the “danger” of spy cookies may be overrated.

Nevertheless, in my own experience, I found that using Spysweeper (as well as Regure and in addition to McAfee) caused my older machine’s performance to improve -- significantly. I wonder what that means.
