Web Browser Security

Overview -
Your browser can expose your private information, let a remote site harm your workstation, or simply display bogus information.

To access and display information from remote servers, your browser makes connections over the Internet. Unless the connection is encrypted, requests and responses travel in plain text and can be read or altered by anyone with access to any part of the network path between your browser and the server. Some responses also carry active content, such as scripts and programs, which may send information back to the server, install Trojans, or otherwise harm your workstation.

Security -
Privacy, integrity, and authenticity are security goals that can be met using the built-in capabilities and features of your browser. Privacy assures that your information is seen only by authorized persons and services. Integrity assures that the information arrives intact, neither altered in transit nor harmful to your workstation. Authenticity assures that the parties have been correctly identified, so that all requests and responses pass between your browser and the intended server and no one else. Note that the secure connection itself identifies the server to your browser; identifying you to the server is a separate step.

These goals are met with cryptography, authentication, and browser restrictions. Cryptography scrambles requests and responses so that only parties holding the key can read them (privacy), lets the receiver detect any alteration in transit (integrity), and binds each message to the party that was authenticated when the connection was set up, so the authentication carries through the whole session. Authentication establishes the identity of the parties to a communication. Restriction blocks the use of risky or undesirable browser features.

The primary cryptographic technology used by browsers is Secure Sockets Layer (SSL), together with its standardized successor, Transport Layer Security (TLS). SSL authenticates the remote server to your browser and provides privacy and integrity for the connection to that server. Once such a secure connection is established, the web site can use forms or HTTP Basic Authentication to identify you, its customer. Neither of those protects the password by itself: Basic Authentication sends the name and password with every request in a trivially reversible encoding, so they are safe only inside the SSL connection.

Security Strength -
The strength of a particular cipher depends on its algorithm, its key size, and the associated handling procedures; a weakness in any one of these weakens the cipher as a whole. The key is a number that controls the mathematical method used to encrypt and decrypt message contents. Specific procedures must be followed to generate, store, and exchange the key; a strong algorithm with a guessable or leaked key protects nothing.

Browsers have generally come in one of two standard levels of cipher strength, using a 128-bit key or a 40-bit key. The United States Government restricted export of strong ciphers, so the 128-bit versions may be referred to as "USA/Canada" or "Domestic" versions. The 40-bit versions still use a 128-bit key, but only 40 bits of it are secret; the remaining 88 bits are known to an eavesdropper, who therefore has only 2^40 possibilities to try. Such a key can be recovered by brute force with modest computing resources and should be treated as offering no real protection. These 40-bit browsers may be referred to as "Export" or "International" versions. Most older, downloadable browsers are of the weak, 40-bit kind.

Do not click any Install Certificate button (or its equivalent in your browser) unless you are very sure that you want to trust that Certificate Authority blindly from then on: an installed CA can vouch for any site, including one impersonating a site you already use. See the individual browser version descriptions to find out which CA certificates your browser already treats as "Authorities", and review that list. In most cases it is better to approve a certificate manually for the occasional session in which you need it than to install its CA certificate permanently.
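The following is an added example, not code from the original page. It shows, in a scriptable client rather than a browser, the three checks the sections above describe: the server is authenticated and its certificate matched to the hostname ("Security"), cipher suites below 128 bits of secret key strength are refused ("Security Strength"), and a certificate authority can be trusted for one context only instead of being installed permanently (the advice above). It uses Python's standard ssl module in place of the browser's built-in SSL implementation. The extra_ca_pem parameter is hypothetical, and EXAMPLE_SUITES is a constructed list of cipher records, including the classic 40-bit export suite, in the shape that SSLContext.get_ciphers() returns; no network access is needed except for connect_and_report.

```python
import socket
import ssl

# Added example (not from the original page). Assumes Python 3.7+ with OpenSSL.
# 128 bits is the page's "domestic" strength; the 40-bit "export" suites fall below it.
MIN_STRENGTH_BITS = 128

# Cipher string: only suites OpenSSL rates HIGH (128-bit keys or better), with the
# unauthenticated, export-grade and broken algorithms excluded by name. Key size alone
# is not enough: RC4 has a 128-bit key but is broken, so it is excluded explicitly.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!3DES:!RC4:!MD5"


def hardened_client_context(extra_ca_pem=None):
    """Client SSLContext that authenticates the server and refuses weak ciphers.

    extra_ca_pem (hypothetical parameter): PEM text of a CA to trust for this
    context only, the programmatic equivalent of approving a certificate for one
    use rather than installing its CA into the browser's permanent trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED           # server must present a chain that verifies
    ctx.check_hostname = True                     # ...and it must be for the host we asked for
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv2/v3, TLS 1.0 or 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    if extra_ca_pem is not None:
        ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


def weak_ciphers(ciphers, min_bits=MIN_STRENGTH_BITS):
    """Names of suites whose secret key strength is below min_bits.

    `ciphers` is a list of dicts shaped like SSLContext.get_ciphers() output,
    so the same check runs over a live context or over constructed records.
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def audit_context(ctx, min_bits=MIN_STRENGTH_BITS):
    """Settings a practitioner would check before trusting a context."""
    ciphers = ctx.get_ciphers()
    return {
        "requires_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_protocol": ctx.minimum_version.name,
        "weak_ciphers": weak_ciphers(ciphers, min_bits),
        "cipher_count": len(ciphers),
        # how many CAs this context believes without asking (the page's "Authorities")
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


def trusted_ca_names(ctx):
    """Subject names of the CA certificates the context trusts, for review."""
    names = []
    for cert in ctx.get_ca_certs():
        subject = dict(rdn[0] for rdn in cert["subject"])
        names.append(subject.get("commonName") or subject.get("organizationName", "?"))
    return sorted(names)


# Constructed records in the shape of get_ciphers() output (not read from any real
# context). EXP-RC4-MD5 is the classic export suite: a 128-bit RC4 key of which only
# 40 bits are secret, so OpenSSL reports strength_bits=40 against alg_bits=128.
EXAMPLE_SUITES = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "RC4-MD5", "protocol": "SSLv3", "strength_bits": 128, "alg_bits": 128},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "strength_bits": 128, "alg_bits": 128},
]


def connect_and_report(host, port=443, ctx=None):
    """Open an authenticated connection and report what was actually negotiated.

    Needs network access. wrap_socket raises ssl.SSLCertVerificationError when the
    server's certificate does not verify or does not match `host`.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return {"cipher": name, "protocol": version, "bits": bits,
                    "peer": dict(rdn[0] for rdn in tls.getpeercert()["subject"])}


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))
    print("weak in constructed list:", weak_ciphers(EXAMPLE_SUITES))
```

Run the module directly to print the audit of the hardened context and to see the constructed export suite flagged; call connect_and_report("example.com") from an interactive session to see the cipher and peer certificate actually negotiated with a live server. The 128-bit RC4-MD5 record passes the key-size filter, which is why the context also excludes RC4 by name: as the text says, strength depends on the method as well as the key size.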

