Browsers have become extremely complex over the last few years, so does everyone fully understand everything a modern browser does? Of course everyone is familiar with the point and click, redirections, forms . . . normal Web stuff. What you might not know, is that your browser does a lot of things automatically without you asking it to. These “helpful” features represent potential security risks, and it’s important that you are at least aware of them, so you can adjust your browsing behavior accordingly.
The Trouble with Some Browser Optimizations
Modern browsers have a lot of optimizations to make sure your pages load quickly. A few of the most interesting—and potentially harmful—optimizations are little known, but can represent serious breaches in privacy or undesired actions being taken without your knowledge. Not necessarily because you are targeted by an attacker, but because you’re not aware that your browser is doing these things in the background.
A few of these include:
1) DNS prefetching. DNS prefetching is a feature of most browsers that will look at all the links on a page, and automatically pre-resolve the DNS record. In other words, it will look up the IP address those links point to so that when you click on them, it already knows where to send you. However, if an attacker puts a hidden link on a page that points to their own domain and sets up his own DNS server, he can actually be notified when you view the page and get your IP address—even if you never click the link. This is bad especially in the case of emails and forums. If an attacker puts a link in an email that used this technique, he can basically be notified when you read the email (without you being able to stop it). Some webmail clients protect from this type of leak, but not all.
2) Page prefetching. In some browsers, most notably Chrome, when you type an address into the URL bar, it will actually go request the page before you finish typing. In this way, the target server can tell what you type as you type it and, in some cases, it can accidentally request a page that causes some adverse action on the user. For example, it might request the URL that deletes your account, even though you wanted a different URL that started with the same characters (an unlikely example, but hopefully you get the point). So as you type, your account would get inadvertently deleted, and when you finish typing the full URL, your account won’t exist anymore.
3) Session Cookies. Some browsers, most notably Chrome, do not delete session cookies when you clear your cookies. This means that even if you clear your cookies, sites can still keep tracking you until you close your browser. Most other browsers delete session cookies when you clear all cookies, so this behavior is somewhat unintuitive and unexpected. It is something users should be aware of.
4) Plugins. Many useful plugins exist for most browsers, but each plugin operates with an immense amount of privileges. They can look at everything you do, mess with content on your system, and make requests without you knowing. A great example is the plugins commonly shipped with antivirus applications. These plugins are designed to warn you when you visit a malicious page. However, in order for the AV vendor to know you’re visiting a malicious page, they need to know every page you do visit. This means that as you browse the Internet, the entire sum of your Internet activity is being silently shipped to a third party. Usually it’s a fairly trustworthy entity the data is being sent to, so not too much concern there, but if that company ever gets breached, it’s possible your entire browsing history (even after you clear it locally) would be exposed to the attacker. Worse yet, some of these plugins don’t bother encrypting such data, so it gets sent around in cleartext for anyone sniffing Wi-Fi traffic to look at. Users should be EXTREMELY cautious as to which plugins they install, and should make sure they understand what the plugin does in the background.
Discussing a wide range of topics impacting enterprises and
data center security.