Educause Security Discussion mailing list archives
Re: web browser security zones
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 11 Jan 2006 13:04:16 -0500
Kevin Shalla wrote:
> This prompts me to ask about web browser security zones. Does anyone make substantial changes to the default IE security zone security?

Not at an organizational level. I do but I can't get very many others to. :) I don't use IE unless everything is disabled except for trusted sites. My day to day browser is Mozilla though sometimes IE is necessary. I run Mozilla with scripting and java turned off too and have been running that way for years.

> How effective is this?

Very effective but not convenient or efficient. Too many extra clicks, particularly for "random web browsing" (though this is where it's most important). It would be a hard sell to those who value convenience and efficiency over security unless it gets a lot easier (and universal) for browsers to be configured for trusted sites (or events degrade even further on the Internet). Then its effectiveness will depend on the operators' decision making abilities about what sites to trust which is similar to decisions about what email attachments, links, and firewall blocked programs to trust.

> We make a few changes (adding certain sites to the trusted sites and granting certain extra access in that zone), but not much.

All of our centralized changes, to my knowledge, concern credential and page caching and adding some often used favorites.

> Do other browsers have such detailed settings by security zone?
> It appears that Firefox has very little granularity (just load images and popups) in the security setup.

The January 2006 issue of Information Security has an article comparing the security features of IE 7, Firefox, and Netscape concluding "IE 7.0, at least for the near term, presents a solution that will help secure the desktop's browsing environment better than the competition".

I don't know about Safari, Opera, and others. I've seen at least one plug-in for Mozilla and Firefox but I'm not a fan of third party plug-ins any more than I'm a fan of third party Active-X controls. I need to take a closer look though. I think the plug-ins are based on Mozilla's Configurable Security Policy capabilities which may have promise:

http://www.mozilla.org/projects/security/components/ConfigPolicy.html

I don't see the ability to wildcard domains (e.g. *.jmu.edu) though.

With today's browsers and web site practices, I'm convinced at this point that a more effective and practical risk reduction measure for the general populace would be to use a non-administrative account. At least until the malware authors catch on. Even then, it would prevent more invasive compromises such as rootkits. I'm stressing that action over browser reconfigurations here.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security