Plug-In and ActiveX Vulnerability
Nearly 200 plug-ins are available for Navigator and Internet
Explorer. In addition, Internet Explorer supports numerous ActiveX controls,
which expose the same vulnerabilities as plug-ins. Plug-ins can do anything that
your browser can. From a penetrator's perspective, this means that a plug-in can
cause any sort of damage. With nearly 200 available plug-ins to choose from,
what do you think the chances are that one of them contains an exploitable
security vulnerability? The same holds true for ActiveX controls. Just because
security is signed, it doesn't mean that it is error free. Due to the
capability to invoke plug-in functions and ActiveX control methods from Java
and JavaScript, what do you think is the likelihood of a plug-in or ActiveX
vulnerability being exploited?
As an example of this type of risk, consider the programs that are
available for viewing Microsoft Word documents. With the capability to embed
macros in a Word document, what do you think is the likelihood that a macro
virus could be like mine, you have probably had your share of macro virus
attacks.
Plug-ins and ActiveX controls pose a potential risk to browser
security. The more of them you use, the greater the risk. Fortunately, there
is an easy way to lower this risk: only install the ones that you absolutely
need.
Protecting Financial Information
If you plan on purchasing any merchandise or performing other types of
financial transactions over the web, you should be aware of the security mechanisms
being used by your browser. The lower left corner of the Navigator window
displays an indicates that no encryption is being used. A solid key with a
single tooth indicates that international security (40-bit) encryption is in
use. A solid key with two teeth indicates that domestic security (128-bit)
encryption is in use.
Both international and domestic security use the Secure Sockets Layer (SSL) for
encryption. SSL uses public key cryptography to exchange keys that are used
for private key encryption. Digital certificates are used to verify the identity
of the organization with which you are communicating.
How strong is the security provided? If no encryption is used, then
you should assume that whatever information you send can be intercepted.
If international (40-bit) encryption is used, then your encrypted
communication is probably secure from a hacker without many computational
resources, but not from anyone else. This encryption scheme has already been
broken several times.
If domestic (128-bit) encryption is used, then you are probably secure
from most eavesdroppers. However, absolute security cannot be guaranteed. SSL only
protects information while it is in transit. Whatever information you send is unprotected
before it is transmitted by your browser and after it is received by the
server.
Maintaining Privacy
How private is your interaction with the web? Not very private.
Whenever you request a document from a Web server, your request is usually logged
by that server. The log record doesn't identify you by name, but it does
include your IP address. If you use a static IP
address, then you are positively identified. If you use a dynamic IP
address, then the log information could apply to other users of your Internet
service provider.
Both Navigator and Internet Explorer support cookies. When cookies were
first introduced, they were the subject of some concern. Because they can be
used to maintain information about a user on the user's browser, cookies were
looked at as the instrument of Big Brother. As it turns out, cookies can be
used to maintain information about users; that was their original intent. Is
this a problem? It depends. If you look at cookies as a way to improve web
services, then you will want to keep them. If you look at cookies as a means to
spy on you, then your best bet is to periodically delete your cookie files. This
will let you use cookies when you need to and will make it difficult for anyone
to maintain consistent information about you. You can also make your cookie
files read only.
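The following added example (not part of the original text) parses constructed access-log lines to show what the section describes: grouping by IP address mixes different users of a dynamic address, while a cookie links one browser across addresses until the cookie is deleted. The log layout with a trailing cookie field and the `uid` cookie name are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: Common Log Format plus a quoted Cookie field.
# The "uid" cookie name and all addresses are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/1999:09:15:02 +0000] "GET /index.html HTTP/1.0" 200 2326 "-"
203.0.113.7 - - [10/Mar/1999:09:15:40 +0000] "GET /catalog.html HTTP/1.0" 200 5120 "uid=a1"
198.51.100.20 - - [10/Mar/1999:10:02:11 +0000] "GET /index.html HTTP/1.0" 200 2326 "uid=b2"
198.51.100.20 - - [11/Mar/1999:18:30:45 +0000] "GET /index.html HTTP/1.0" 200 2326 "uid=c3"
198.51.100.99 - - [12/Mar/1999:08:00:00 +0000] "GET /order.html HTTP/1.0" 200 812 "uid=b2"
198.51.100.99 - - [13/Mar/1999:08:05:00 +0000] "GET /index.html HTTP/1.0" 200 2326 "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"'
)

def parse_log(text):
    """Return one dict per well-formed log line, with the uid cookie split out."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        rec = m.groupdict()
        uid = re.search(r'(?:^|;\s*)uid=([^;]+)', rec["cookie"])
        rec["uid"] = uid.group(1) if uid else None  # None: no cookie was sent
        records.append(rec)
    return records

def group_by(records, key, field):
    """Collect `field` values per `key`; requests lacking the key are unlinkable."""
    groups = defaultdict(list)
    for rec in records:
        if rec[key] is not None:
            groups[rec[key]].append(rec[field])
    return dict(groups)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # One dynamic address, two different browsers behind it.
    print(group_by(recs, "ip", "uid"))
    # One cookie followed across two addresses.
    print(group_by(recs, "uid", "ip"))
    # Requests sent without a cookie never join a per-cookie profile.
    print(group_by(recs, "uid", "path"))
```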