For a while now I’ve been using different web browsers to compartmentalize my risk. Most of my primary browsing is in one browser, but I use another for potentially risky activities I want to isolate more. Running different browsers for different sessions isolates certain types of attacks. For example, unless someone totally pwns you with malware, they can’t execute a CSRF attack if you’re on the malicious site in one browser, but using a totally separate browser to check your bank balance. Actually, to be totally safe you shouldn’t even run both browsers at the same time.
Last night I was talking with Robert “Rsnake” Hansen of SecTheory about this and he finally convinced me to take my paranoia to the next level.
Here’s the thing: what I’m about to describe may be overkill for many of you. Because of what I do for a living my risk is higher, so take this as an example of where you can take things, but many of you don’t need to be as paranoid as I am. On the other hand, Robert is at even higher risk, and takes even more extreme precautions. I also purposely use a combination of virtualization and browser diversity to further limit my exposure. In all cases there are completely different applications, not just instances of the same platform.
My web browsers break out like this. I won’t list which specific browsers I use except in a few cases:
- Everyday browsing: low risk, low value sites. I use one of the main browsers, and even use it to manage my low value passwords.
- Everyday browsing 2: slightly higher risk, but even lower value. Basically, it’s the browser in my RSS reader.
- Blog management: a third browser dedicated to running Securosis. This is the bit Robert convinced me to start. I use it for nothing else.
- Banking: Internet Explorer running in a Windows XP virtual machine. I only use it for visiting financial sites. To be honest, this is as much a reflection of my bank’s web app as anything else. I can deposit using my scanner at home, but only in IE on Windows.
- High risk/research: a browser running in a non-persistent Linux virtual machine. Specifically, it’s Firefox running off the Backtrack read-only ISO. Nothing is saved to disk, and that virtual machine doesn’t even have a virtual hard drive attached.
This setup isn’t really all that hard to manage since it’s very task-based. Now the truth is this only protects me from some (major) web-based attacks. If my system is compromised at the host OS level, the attacker can just capture everything I’m doing and totally own me. It doesn’t prevent the browser from being that vector, so, like everyone, I take the usual precautions to limit the possibility of malware on my system (but no AV, at least not yet).
For average users I recommend the following if you don’t want to go as far as I have:
- One browser for everyday browsing. I like Firefox with NoScript.
- Another for banking/financial stuff.
- If you go to “those” sites, stick with a virtual machine. Oh, don’t pretend you don’t know what I’m talking about.
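The cookie-jar isolation the post relies on, modelled as an added example (not code from the post): a toy bank that trusts only the session cookie, and browsers that attach cookies by destination regardless of which page started the request. `bank.example`, `evil.example` and every function name are constructed for illustration.

```javascript
// Toy model of per-browser cookie jars; all hosts and names are constructed.
function makeBank() {
  const sessions = new Map();   // session id -> account
  const transfers = [];         // transfers the bank actually executed
  function handle(request) {
    if (request.path === "/login") {
      const sid = "sid-" + (sessions.size + 1);
      sessions.set(sid, request.body.user);
      return { status: 200, setCookie: sid };
    }
    // The bank authorizes purely on the session cookie it receives.
    const account = sessions.get(request.cookie);
    if (!account) return { status: 401 };
    transfers.push({ from: account, to: request.body.to, initiator: request.initiator });
    return { status: 200 };
  }
  return { handle, transfers };
}

class Browser {
  constructor(bank) {
    this.bank = bank;
    this.jar = new Map();       // origin -> cookie, private to this browser
  }
  // Cookies are attached by destination origin, whichever page initiated
  // the request. That ambient authority is what CSRF depends on.
  send(initiator, origin, path, body) {
    const request = { initiator, path, body, cookie: this.jar.get(origin) };
    const response = origin === "bank.example" ? this.bank.handle(request) : { status: 404 };
    if (response.setCookie) this.jar.set(origin, response.setCookie);
    return response;
  }
}

// A page on evil.example makes the browser rendering it submit a cross-site request.
const visitHostilePage = (browser) =>
  browser.send("evil.example", "bank.example", "/transfer", { to: "mallory" });

function runScenario(separateBrowsers) {
  const bank = makeBank();
  const banking = new Browser(bank);
  const everyday = separateBrowsers ? new Browser(bank) : banking;
  banking.send("bank.example", "bank.example", "/login", { user: "alice" });
  const status = visitHostilePage(everyday).status;
  return { status, executed: bank.transfers.length };
}

console.log("one browser:", runScenario(false));   // forged request carries the session
console.log("two browsers:", runScenario(true));   // forged request arrives with no cookie
```

The model covers cookie isolation only; as the post says, a compromise of the host OS sees every browser's session.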
Reader interactions
10 Replies to “Making The Move To Multiple Browsers”
Percival filed under: firefox hacks, news [Rich] over at Securosis takes us through some of his browser paranoia exercises. He uses different browser profiles for different types of web activities. Based on potential risk,
different browsers for different things, as I wrote about here. At a minimum, dedicate one browser just for your
Rich,
I’m one of the DOD contractor types. I caught your panel today at the AFEI show in Bellevue. I have to say that it was the funniest / most fun panel of the day. We’ll see what tomorrow brings.
I’ve taken to using Prism single-site-browsers (SSB)’s for my frequently visited sites and online banking. I also use noscript and adblock to minimize my exposure. Generally scripts aren’t turned on unless the site comes up blank.
Most extensions don’t directly support Prism, but hacking the XPI files to do so is pretty trivial.
Dave
@ Kevin
You are correct that Linux, browsers limitations, and su/sudo are good things. However, you are not correct that running Firefox in a non-privileged account will somehow reduce risk in the face of an intelligent adversary. It’s not a problem for them. There are so many privilege-escalation vulnerabilities out there—it would be classically stupid to assume that anyone who knew how to write a remote buffer overflow or directory traversal couldn’t also bust root from a chroot’d nobody.
Does running Firefox as a low-privileged user under Linux prevent random drive-by attacks such as those from a worm that uses buffer overflows? Most of the time, historically, and would I bet on it? Yes.
Does running Firefox as a low-privileged user under Linux prevent web application worms (e.g. those using XSS+CSRF)? Not at all if you don’t use NoScript—and even then there are ways around it such as attacks at the presentation (HTML/CSS) layers. The fact that you run Linux or as a low-privileged user has nothing to do with these classes of vulnerabilities.
Even if you’re constantly su’ing to root, that doesn’t mean you’re running your *browser* as root. That would require a special kind of idiocy. Sort of like running Windows by choice…
Rich, who feeds you bullshit? I am willing to bet 90% of security guys run under local admin on their personal machines (if not on Windows, they’re constantly su’ing to root).
I myself, use IE on Intranet/RFC1918 addresses and use multiple Firefox profiles as Dre described to protect myself in addition to NoScript, CookieSafe, SafeHistory, SafeCache, AdblockPlus, RefControl and RequestRodeo.
Simultaneous use of Firefox profiles to guard against CSRF attacks
That’s what I do, but I do it out of a virtual machine so I don’t have to reboot.
@rich- let’s be honest, most people run as local admin. Maybe not us security geeks, but nearly everyone else, especially on Windows.
@giomini- no browser is immune, and the most secure browser in the world doesn’t do anything against CSRF, one of the main reasons for running separate browsers. Thus even on Linux, I suggest multiple browsers.
What about using a live CD for “risky” browsing?
Who the hell runs a system as a local admin? If you think that’s how to use a computer you might as well garrote yourself with an ethernet cable now…
@ fatbloke
Sure, you missed the fact that plenty of people run as local admin. All you need is one to start searching Google for classic ASP websites and performing SQL injection into their database, which in turn spreads the worm with more Javascript hosted on the site via the ownership of the SQL Server.
Thwarted as in “not running the local backdoor”, yes. Thwarted as in “stops the worm”, no.