Websecurify

Regular updates about Websecurify free and premium website scanners, proxies and fuzzers, and insights into SQL Injection, Cross-site Scripting and other vulnerabilities

How To Improve Your Browser Security With PanicMode

Last year we released a small but very powerful extension for Google Chrome called PanicMode. Once turned on, PanicMode will block any outgoing traffic that is not encrypted. In other words, PanicMode guarantees that your browsing experience remains private whatever you do.

In this blog post I want to show you how you can take this concept further to create a more secure browsing experience by combining PanicMode with other features available out-of-the-box in Chrome.

User Profiles

Did you know that in Chrome you can have separate browsing sessions by using different user profiles? To configure this, simply open the Chrome preferences and look under Settings -> Users. Creating a new user profile is as simple as clicking on the "Add new user" button. Alternatively you can click the little avatar icon in the top right corner of the main Chrome window and select the "New User" option.

User profiles are a very nifty feature in Chrome. By having multiple profiles you can segregate different browsing sessions based on function. For example, you may want to create a separate user profile just for social media applications, another for banking and a default profile for everything else. This not only allows you to organise your browsing habits but also improves security.

To explain why security is drastically improved by having separate user profiles, imagine that we do everything from the same browser. In one tab we have Facebook or another social media website, while in another we are checking our online banking or email. Browsers try to prevent some types of attacks through a security mechanism called the Same Origin Policy (SOP), but it is still possible to use web application vulnerabilities to make an evil application in one tab access information from an application opened in a completely different tab. What is even worse is that most of the time you don't even need to have the application visibly open in a tab. All that is needed is for us to log in once and forget to log out.

Here is a better way to explain this situation. Imagine that we log in to our webmail. We check for new emails and we either close the tab or leave it open. We do not log out. Later on we navigate to an evil website. The evil website is now in a good position to exploit a web vulnerability in our webmail and thereby gain access to our emails.

User profiles enhance the Same Origin Policy (SOP) mechanism by keeping applications separate by function: each profile holds its own cookies and session state, so a request triggered from one profile carries no login from another. In other words, if you do banking from one profile and use that profile for this purpose only, then the chances of getting compromised by another "evil" website via a web attack are slim.

Installing PanicMode

There is another aspect of your browser security that you need to consider: most of the applications you access today are available over unencrypted channels. In other words, if an attacker is observing your network, they will be able to see everything that you are doing online. They will also be able to impersonate you on web applications that you have logged in to. As you can see, this is a serious concern not only from a privacy but also from a security point of view.

Here comes PanicMode to the rescue. Once installed and turned on, PanicMode will force all non-encrypted traffic to use encryption. This way you can ensure that the communication from your browser to your online bank is private and secure. PanicMode is quite harsh: it is completely uncompromising and does not try to preserve your browsing experience if the sites you are accessing break because they do not support encryption. Non-encrypted sites will simply break and you will see the error on the screen.

This deliberate breaking of insecure websites is not convenient for everyday browsing. If you turn PanicMode on even for 2-3 minutes, you will quickly realise how insecure and broken the web really is today. However, breaking insecure but critical web applications is absolutely essential if you care about your security. You simply don't want to give the application developer or your browser a chance to make a mistake. Even the tiniest mistakes can be used against you. If I am an attacker sniffing the network, typically I only need to capture one insecure/unencrypted request in order to hijack your user account. You don't want that to happen, do you? Neither do I.

PanicMode is absolutely free and it is perhaps one of the tiniest extensions in the Chrome Web Store. It is completely unobtrusive and transparent. You don't have to configure it or do anything special with it. Once installed just turn it on.
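The blocking behaviour described above, as an added example that is not PanicMode's own source code: the core decision logic of a "block anything unencrypted" Chrome extension, written as a pure function so it can be checked outside the browser, with the hook into the Manifest V2 chrome.webRequest blocking API guarded so the file also runs under Node. The `decide` function and the scheme tables are my own names, not the extension's.

```javascript
// Added example, not PanicMode's own code: decide whether a request URL may
// leave the browser. Pure function so it runs and tests under Node; the
// chrome.webRequest hook (Manifest V2 "blocking" listener, which also needs the
// webRequest and webRequestBlocking permissions) is guarded below.

// Schemes that carry no network traffic and are left untouched.
const LOCAL_SCHEMES = new Set([
  "chrome:", "chrome-extension:", "file:", "data:", "blob:", "about:",
]);
// Cleartext schemes and their encrypted counterparts.
const UPGRADES = { "http:": "https:", "ws:": "wss:" };
const ENCRYPTED = new Set(["https:", "wss:"]);

// Returns a chrome.webRequest BlockingResponse: {} allows the request as-is,
// {redirectUrl} upgrades it to the encrypted scheme, {cancel: true} blocks it.
function decide(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { cancel: true }; // unparseable: fail closed
  }
  if (ENCRYPTED.has(url.protocol) || LOCAL_SCHEMES.has(url.protocol)) {
    return {};
  }
  const upgraded = UPGRADES[url.protocol];
  if (!upgraded) {
    return { cancel: true }; // e.g. ftp: has no encrypted equivalent here
  }
  // URL parsing already drops the default port, so http://host:80/ becomes
  // https://host/. An explicit non-default port (e.g. :8080) is kept; if the
  // server speaks no TLS there the request fails, which is the intended effect.
  url.protocol = upgraded;
  return { redirectUrl: url.href };
}

// Hook into the browser when loaded as an extension background script.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => decide(details.url),
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

Note that a cleartext site with no TLS listener is not silently allowed through: the redirect is issued and the connection fails, which is exactly the "sites will simply break" behaviour the post describes.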

Other Uses of Profiles

User profiles can be used for all kinds of situations. A developer may want a separate profile with just development extensions and relaxed security policies, which is not suitable for everyday browsing.

As a side note, don't forget to install our free web application security scanner for Google Chrome in your development profile.

Corporate websites can be accessed from a completely different profile to avoid accidental leakage of sensitive data. Email and social media can each live in their own profiles. You can take this concept as far as you need and install extensions such as PanicMode or Suite depending on the purpose.

pdp

Petko D. Petkov (pdp), is founder of Websecurify and frontman of the GNUCITIZEN Information Security Think Tank. pdp is a recognized information security researcher, security tools developer, penetration tester, frequent speaker at industry events, and published author who has contributed to several best-selling books in the field of information security.
