Securing Firefox: How to avoid hacker attacks on Mozilla's browser

by Ryan Naraine  |  July 9, 2007 2:15pm PDT

Getting started

Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers.

However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.

The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks.

To get started, select Tools, then Options.

IMPORTANT NOTE: The images from these CERT/CC recommendations came from an older version of Firefox. On newer versions, the display screens will vary slightly but the advice/recommendations still apply.

Comments

Their info is still valid
coopejx@... 17th Dec 2008
The info in the article is still valid for rev 1.9.0.5. Was it too much of a strain on you because Mozilla shifted the tabs?
0 Votes
+ -
Well, I guess Internet Explorer 7 doesn't have the ability to disable JavaScript features, like the resizing of windows, preventing the context menu from opening (which I don't like), disabling shortcut keys, etc.

It's not just a matter of switching to Firefox (which is not my preference) but I'm hoping Microsoft would implement the checkboxes to disable certain JavaScript features...
0 Votes
+ -
NoScript!
jwiens 9th Jul 2007
The most important security add-on to firefox if you want to lock down the browser is NoScript. Not only does it have built-in XSS protection, but it will also sanitize Flash, Java, /and/ Javascript on a per-domain basis. That's much more secure than trying to live without javascript on all sites (which will just drive you to enable it dozens of times a day to use sites that require it).

http://noscript.net/
0 Votes
+ -
NoScript!
gmunk.internet@... 9th Jul 2007
I've my enterprise PCs secured, in part, with NoScript, as well as having trained my family and friends on using it.
0 Votes
+ -
NoScript!
Jacdeb6009@... 10th Jul 2007
If you install only one add-on it *HAS* to be NoScript!

Magic, there's no other word for it.
0 Votes
+ -
Yes, NoScript is required equipment
JoesCat 10th Jul 2007
I consider NoScript a REQUIREMENT, not an optional add-on. Install it, learn it real quick, and use it. Do not just allow everything, be selective.
0 Votes
+ -
They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?
0 Votes
+ -
Ha ha
PhilM 10th Jul 2007
They must be so embarrassed
0 Votes
+ -
???
DirtyDingus 10th Jul 2007
Read the blog, try to understand it, then post. It was prominent in the blog that the screen shots were from an EARLIER version.

And so much for the "ha, ha". The only embarrassment is yours - they were plain enough.
0 Votes
+ -
Read it - it's still puzzling
ejhonda 3rd Jan 2008
Why would someone put up a how-to on an outdated version? I look forward to ZD's series on how to secure Windows 95.
0 Votes
+ -
" They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?"



The latest version I believe is 2.0.0.11 (it's even mentioned in the article)
0 Votes
+ -
screen shots
clancymcq@... 4th Jan 2008
The screen shots are not from 2.0.0.11, which I have.
0 Votes
+ -
You read but didn't comprehend
devlin_X 5th Jan 2008
Again I repeat the quote with the key part highlighted:
"They don't appear to be from the latest version (2.0.0.4). V 1.5 maybe?"

I wasn't referring to the screen shots but to what they said the latest version was. The poster said the latest version was 2.0.0.4 when the current one is 2.0.0.11...

Though now I'd like to correct myself, since after I posted I noticed the date of the comment I was posting in response to was older than I realized, and it's possible 2.0.0.4 could have been the current version at the time of posting.
0 Votes
+ -
The option to
mhenriday 9th Jul 2007
enable cookies for the original site only is unfortunately no longer available in the latest FF 2.0.0.4 toolbar, which I run on both Windows XP and Ubuntu 7.04 (I haven't checked Gran Paradiso 3.0a6, which I'm using in a Vista partition). NoScript, which I run on all three partitions, is a wonderful tool, which allows one to choose which sites are permitted to run script. The problem is that very few sites run a single script - when reading this particular article, for example, I am asked not only to determine whether I should allow script from zdnet.com (which I of course do - surely those lovely people at ZDNet would never do anything to harm me!), but also to do the same thing for i.com.com and pointroll.com, about which I know very little. Googling takes me to pointroll.com's website, which offers me "rich media solutions", but when I attempt to connect to i.com.com, I am informed that Firefox is unable to find the server. Some sites, like those for major newspapers, will be coupled to upwards of ten of these subsidiary sites, most of which presumably count the number of visitors, and all of which clamor for attention in NoScript. Under these circumstances, your average user is probably going to click to permit all of them simply to get rid of that annoying NoScript yellow warning bar at the bottom of the active window, thus greatly reducing the tool's usefulness as a security device. Websites badly need cleaning up, so that users aren't confronted with a plethora of URLs, all requesting access to their computers....

Henri
0 Votes
+ -
NoScript marks any site that you don't allow as untrusted. I just allow the main ZDNet site. Who needs the other stuff, I'm reading the blogs, not the ad's or the counters or the flash or the Java.


I also use flash block and Adblock with good results.
0 Votes
+ -
An interesting alternative,
mhenriday 10th Jul 2007
but imagine the situation from the point of view of the novice. Perhaps he or she wants to be able to make use of a link to view another article or see a screenshot slide-show, and doesn't know what to block and what not to block in NoScript. To my mind, the owner of the main site - in this case, ZDNet - bears a certain responsibility to its readers to inform them which sites coupled to his/her/its own are essential for making use of links provided on the site and which are not, and to guarantee that the ones that are are not infected. (I understand perfectly well that in these situations, no guarantee can be 100% - even the best of sites can become infected - but in the business world there exists a concept known as "due diligence" which I find applicable here.) I think a discussion of the responsibility of website owners to readers in this regard is long overdue, and that Ryan's blog would be a not inappropriate venue for it. What does Ryan himself have to say on this matter?...

Henri
0 Votes
+ -
I've run into that situation often, but...
D. W. Bierbaum 28th Aug 2007
I somehow manage to get through it. Things like double-click and the like, I blacklist, and for the uncertain stuff that may or may not be blocking my viewing, I temporarily allow them one by one till the site works for me. If I don't trust that site, I just go away.

Even then, NoScript is better than no NoScript.
0 Votes
+ -
i.com.com...
Grayson Peddie 9th Jul 2007
I've got to wonder who bought that domain...? silly
0 Votes
+ -
Whois Info for i.com.com
rwalker1x 10th Jul 2007
Here is the domain and whois information for i.com.com
0 Votes
+ -
Amen, brother
sackbut 10th Jul 2007
.
0 Votes
+ -
It's the ads
Greenknight_z 11th Jul 2007
Most of the secondary scripts are ads, and many of them run scripts that put tracking cookies on your computer. By leaving them blocked, you avoid loading many ads, and you get a lot fewer tracking cookies (which is much more effective than the former pref to allow cookies "from the originating site only" - that was removed because it wasn't really effective and gave users a false sense of security).
0 Votes
+ -
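The per-domain allowlisting that the two comments above describe (the page's own site runs script, every other script host is blocked until the user allows it) can be emulated offline. This is an added example written for this page, not code from the article, ZDNet or the NoScript project; the HTML and script URLs are constructed, using the third-party hosts named in the thread, and the registrable-domain rule is a two-label heuristic rather than a public-suffix lookup.

```javascript
// Added example: NoScript-style per-domain script allowlisting over a
// constructed page, showing how many distinct third-party script origins a
// single article pulls in before the reader has decided anything.

// Registrable-domain heuristic: last two DNS labels. Assumption: adequate
// for the .com/.net hosts below; a real tool would use the public suffix list.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Pull every external <script src="..."> out of raw HTML with a regex and
// resolve it against the page URL. Assumption: simple markup, not a full parser.
function extractScriptSrcs(html, pageUrl) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    srcs.push(new URL(m[1], pageUrl).href);
  }
  return srcs;
}

// Policy: the page's own registrable domain and any explicitly allowed
// domains may run; everything else is blocked by default (deny-by-default).
function classifyScripts(pageUrl, html, allowlist) {
  const firstParty = registrableDomain(new URL(pageUrl).hostname);
  const allowed = new Set([firstParty, ...allowlist.map(registrableDomain)]);
  const report = { allowed: [], blocked: [] };
  for (const src of extractScriptSrcs(html, pageUrl)) {
    const dom = registrableDomain(new URL(src).hostname);
    (allowed.has(dom) ? report.allowed : report.blocked).push(dom);
  }
  report.allowed = [...new Set(report.allowed)].sort();
  report.blocked = [...new Set(report.blocked)].sort();
  return report;
}

// Constructed sample page: one first-party script, one first-party tracker,
// and the two third-party hosts mentioned in the comments (paths are made up).
const SAMPLE_PAGE = "http://blogs.zdnet.com/security/?p=1234";
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src='http://i.com.com/ads/ads.js'></script>
<script src="http://speed.pointroll.com/media/asset.js"></script>
<script src="http://www.zdnet.com/common/tracker.js"></script>
</head><body>article text</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  // Default policy: only zdnet.com runs; com.com and pointroll.com are blocked.
  console.log(classifyScripts(SAMPLE_PAGE, SAMPLE_HTML, []));
}
```

Adding a domain to the allowlist (the NoScript "allow" click) moves only that registrable domain to the allowed side; the rest stay blocked.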
Definitely not v 2.0.0.4. Thanks!
0 Votes
+ -
FUD rating
craiglarry 9th Jul 2007
F: 5.9
U: 9.97
D:9.5
0 Votes
+ -
yep, wrong version
gkephart@... 10th Jul 2007
Sigh...
0 Votes
+ -
Haha...snort
ccrashh2@... 10th Jul 2007
Um...way to show you are on the ball. Wrong version maybe? Too funny.
0 Votes
+ -
Instead of the hidden suggestion...
Tranman123 10th Jul 2007
...that we "adapt the suggestions (to the version we're running)", how about an article geared to the current version?

One of the best security moves is to not run old versions.
0 Votes
+ -
So Open Source isn't better than Microsoft...
devils_advocate 10th Jul 2007
Just different!
0 Votes
+ -
That depends....
stephentastic 10th Jul 2007
...and it depends on what you define as "better". Any popular browser will be attacked by hackers, that's just academic. But consider how long of a gap there was between IE6 and IE7... Internet Explorer is built on a platform which stifles a brisk pace of innovation and adaptation, whereas the open source model allows this to happen rather briskly.
0 Votes
+ -
"Perfect" or "Better"?
dumptux 10th Jul 2007
No one who knows their stuff will claim that FOSS (Free, Open Source Software) is perfect. No model of software production is going to produce perfection.

Better? Yes. FOSS is not released on a market timetable, it's released on "when it's ready". So the initial users after a release are not unknowing beta testers, as is typically the case with Microsoft software. "It compiled. Ship it!" is not a FOSS expression. So the software is generally better as it goes out the door.

In addition, look at the responsiveness of the different FOSS projects to bugs and security holes. Significant security holes are usually fixed in DAYS if not HOURS, as opposed to weeks, months or even years in the case of Microsoft software. Look at the record of response by the Firefox team to bugs and vulnerabilities as compared to Microsoft's IE team. Compare the number of security holes and their severity (and remember, if Microsoft finds it in-house, they don't report it--allow for that). Compare how quick the respective teams are to own up to them. Compare how quick they are to release a fix. Compare how easy it is to KNOW your fixes are up-to-date (a whole new version of Firefox vs. the maze of patches for MSIE).

And if you want the bigger picture, compare the underlying OS's. I know it's been more than once that a Firefox vulnerability under Microsoft Windows didn't exist under Linux, because Linux was designed with security in mind. MS Windows, by contrast, had security bolted on the side more or less as an afterthought. I would be interested in knowing how much more securely MSIE runs under Linux using the WINE compatibility layer (or if needed, a commercially-enhanced version of WINE, Crossover Linux) as opposed to running under Microsoft Windows. I suspect that even MSIE is less frequently compromised running under Linux with WINE.
0 Votes
+ -
Excellent Post
bobsherrill@... 10th Jul 2007
It's rare to find something carefully thought out and logically presented without a hint of slamming others.
0 Votes
+ -
This is an older version
Bravadoca 10th Jul 2007
Try 2.0.04. You may notice a big difference. Maybe you guys should open your mozilla firefox, go to Help, and select "check for updates"!!
0 Votes
+ -
Sorry, wrong version!
Kualinar 10th Jul 2007
Had you posted that story 2 or 3 years ago, it would have been pertinent. You are giving instructions about securing Firefox 1.x, while the current version is 2.0.0.4. Most of the submitted tips are now pointless as the options are often NO LONGER THERE!
0 Votes
+ -
Hiss...
jerrygrndragon@... 10th Jul 2007
Hiss...
0 Votes
+ -
Well considering they USE IE !
jackie40d@... 10th Jul 2007
Did you really expect some tech who uses IE all the time to know that they were behind several versions of Firefox? And wait till 3 comes out; it will leave IE in the dust, but there are some features of 3 I do not like after reading about it.
0 Votes
+ -
Actually...
Raymond Danner 10th Jul 2007
Most are still there, just in vastly different places. As for me? I use the password-keeper all the time and have never once had a problem. In fact, I've actually recovered passwords I had forgotten because of it. Fancy that.

Microsoft thought the idea was so good that they also adopted password saving within IE7. In fact, so much of IE6 was Mozilla-like that it was uncanny. (There is some conjecture that Microsoft grabbed a copy of the source for an old copy of Mozilla and used it as the basis for IE6, in fact. This is semi-borne out by the fact that IE6 and IE7 both respond to about:mozilla, but have a blank screen as a result.)
0 Votes
+ -
Interesting tidbit.
UserLand 8th Aug 2007
"This is semi-borne out by the fact that IE6 and IE7 both respond to about:mozilla, but have a blank screen as result."

One source I came across says that this is just Microsoft's way of poking fun at Mozilla:

http://www.safalra.com/hypertext/html/book-of-mozilla/
0 Votes
+ -
somethin' up with the fox anyway
peiper-21523909194466022997006295380332 10th Jul 2007
I just had to uninstall the much admired Firefox. After the auto update to 04 took place, I kept getting a dialog box that would open and tell me to upgrade to the next version.
But it had already been done, so have no idea what was going on.

Finally decided to just dump it.
0 Votes
+ -
Quitter
T1Oracle 10th Jul 2007
Just know that when you switch back to IE7, there would be no IE7 if there were no Firefox. Without the Firefox competition MS would have left you with IE6!

Firefox is worth the effort just to support a market where someone actually cares to make a better web browser and adopt new standards. No competition = no innovation just patch updates. I want more than that.
0 Votes
+ -
Just reinstall it.
KWierso 10th Jul 2007
Download a new copy, and run with that. It shouldn't give you any hassles for updating it...
0 Votes
+ -
Easily fixed
Greenknight_z 11th Jul 2007
If you'd asked about that problem on the Mozillazine forums, you would have quickly been directed to this Knowledge Base article: http://kb.mozillazine.org/Updates_reported_when_running_newest_version
0 Votes
+ -
I guess whoever posted ....
High Sierra 10th Jul 2007
...this article is too embarrassed to reply about why they used an old version of Firefox.
0 Votes
+ -
Ah!
rkuhn040172@... 10th Jul 2007
The open source community has finally figured out that as popularity grows, so do attacks.

The all mighty Firefox isn't so all mighty after all.

Sounds to me like the advice we've all gotten for years for IE. Disable all valuable features and functionality and the browser is perfectly safe.

Too bad it's FF this time.
0 Votes
+ -
Hello?
Raymond Danner 10th Jul 2007
Sounds to me like the advice we've all gotten for years for IE. Disable all valuable features and functionality and the browser is perfectly safe.

I find the above a bit strange, since in FF, only Java is disabled (and how many sites actually USE Java nowadays?)

Reread that slide. Javascript is left enabled.
0 Votes
+ -
Also streaming media
Greenknight_z 11th Jul 2007
They also recommend saving all media files to your HD instead of setting them to open with the appropriate plug-in. Apparently they think streaming media is too dangerous.
0 Votes
+ -
Firefox
stanralph 10th Jul 2007
Hey, update firefox before you write about it. You confuse the issue for us non geek users. I hope you didn't get paid for this article and if you did you should give it back.
0 Votes
+ -
Disappointing
essdave 10th Jul 2007
Thought we were getting "up-to-date" info here.
0 Votes
+ -
If you follow the link to the CERT page referenced in the story and scroll to the bottom of the page you'll see that CERT takes the unusual step of labeling the date and release of their pages. This one says:

Revision History
January 23, 2006 Initial Release

So the poster linked to an 18-month-old story. Not the first person I've seen who doesn't update their software all the time like some of us (he probably gets more of his work done than I do, too).

Kudos to CERT though, for dating their pages so you know how current the information is. And they do clearly mention the version their advice applies to.
0 Votes
+ -
Useless!!!
robert.sutton2@... 10th Jul 2007
This isn't the Firefox I have.
0 Votes
+ -
oh come on!
Tallwoman 10th Jul 2007
Use your head...It does not have to be exactly the same to figure out what you need to do...
0 Votes
+ -
That's not completely true
notsofast 10th Jul 2007
I haven't seen the ability to restrict the ability to set cookies to the originating site in a long LONG time.

I think I can find most, if not all other settings in the current version.
0 Votes
+ -
His clear lack of awareness of just how different the current version of Firefox is vis-a-vis the version that provided the screenshots from early 2006 means he simply should NOT be the one writing this article.

ZDNet, get your act together! It's far better to just WRITE NOTHING than to presume people will appreciate getting out-of-date information regarding a product they use from a person who writes from the point of view that he or she is knowledgeable, when they are clearly not.
0 Votes
+ -