SEI Insights

CERT/CC Blog

Vulnerability Insights

Reference Implementations for Securing Your Web Browser Guidelines

Posted on by in

It's Will again, with the first blog entry of 2009. Our Securing Your Web Browser document describes how to make your web browser more secure, but applying all of the necessary changes can be a bit tedious. To make the process easier, we developed reference implementations of the guidelines for both Microsoft Internet Explorer and Mozilla Firefox.

Web browsers have many features, such as ActiveX, Java, and JavaScript, enabled by default. While these features give web sites extra functionality, they also give your web browser a larger attack surface. The primary goal of the Securing Your Web Browser guidelines is to explain how to disable these defaults while allowing the user to decide which sites should be allowed to use the features. For example, you may want to allow JavaScript for a website that hosts your email, but you wouldn't want a random website that contains a piece of malware to use it.

See the original guidelines for details about configuring and using your secured browser. The following sections describe how to use the reference implementations.

Mozilla Firefox

The implementation of the recommended settings for Mozilla Firefox 2.x and Firefox 3.x is available in a user.js file. To use these settings:

  1. Install NoScript using Firefox.
  2. Download the user.js [sig] file into your Firefox profile location.
  3. Restart Firefox.

The settings specified in the user.js file will override any of the corresponding settings that you have set. The advantage of this behavior is that if the user.js file is removed, then Firefox will behave as it did before the change. The disadvantage is that the settings that are specified in this file cannot be set by using the Firefox preferences GUI.

To apply site-specific security settings, use the NoScript add-on. This component gives the browser the ability to whitelist sites so that you can enable features such as JavaScript, Java, and other plug-ins. You can add a site to the whitelist either permanently or temporarily (until the browser is closed) by clicking the NoScript icon.

Internet Explorer

The recommended settings for Internet Explorer 6 and Internet Explorer 7 are available as a Windows registry file. To incorporate these changes, simply open the ie_sywb.reg [sig] file to merge the changes into the registry. Note that this will overwrite the existing security settings for the web browser. If you use Internet Explorer 7, you can undo the changes by clicking the "Reset all zones to default level" button.

To apply site-specific security settings, use the Security Zones feature of the browser. The Internet Zone, which is the default zone for sites on the internet, is locked down with high security settings, while the Trusted Sites Zone is configured to be the equivalent of the default Internet Zone for Internet Explorer. This way, Internet Explorer uses high security settings by default, and as you encounter sites you trust that need extra features, you can add them to the Trusted Sites zone. The easiest way to add a site to the Trusted Sites zone is to

  1. double-click the zone indicator icon near the bottom right side of the screen
  2. click the Trusted sites icon
  3. click the Sites... button

This dialog allows the user to add the current or other sites to the Trusted Sites zone. Wildcards are also supported. For example, a user can add "*.cert.org" to the list, and any site that resides on the cert.org domain will be trusted.

The initial reaction to a secured web browser may be that sites no longer work, because you are now responsible for deciding which sites can use features that may provide additional functionality but at the same time are more dangerous, such as ActiveX and Signed Java Applets. As time goes on, the sites that you visit regularly will be added to your Firefox NoScript whitelist or Internet Explorer Trusted Sites Zone, and those sites should work fine with minimal user interaction. However, you now have significant protection against malicious web sites, including sites that you have not visited before, such as one that may be linked to from a malicious email message, or sites that you may reach when a trusted site is compromised with an injected IFRAME to a malicious site. In both of these cases, you will be protected against the majority of vulnerabilities that affect web browsers.

One tip to getting sites to work properly with your secured browser is to be aware that some sites use multiple domains, several of which may require restricted features, such as JavaScript. For example, a Yahoo! Mail user would need to allow both *.yahoo.com and *.yimg.com. Or YouTube users would need to enable both *.youtube.com and *.ytimg.com. NoScript clearly indicates which domains are available to add to the whitelist; however, Internet Explorer does not have this ability.

Customization

Both the Mozilla Firefox and Microsoft Internet Explorer reference files are annotated to describe which settings they will change. Feel free to view and modify them to suit your own needs if necessary.

About the Author

Will Dormann

Contact Will Dormann
Visit the SEI Digital Library for other publications by Will
View other blog posts by Will Dormann