1. Seminar On
Browser Security
Submitted to:
Dr. S.R.Sirsat Sir
(Head of department)
(Department of Computer Science)
Prof. A.V. Borde Mam
(Asst. Prof)
(Department Of Computer Science)
Submitted By :
Pratimesh Umesh Pathak
Bsc IIIrd Year
Jijamata Mahavidyalaya Buldana
2. Preface
I have made this presentation file on the topic Computer
Browser Security. I have tried my best to present all the detailed
information about security in the browser. In the beginning I have tried to
give you general information on this topic.
I express my sincere gratitude to Dr. S.R. Sirsat Sir and
Prof. A.V. Borde Mam, who assisted me throughout the preparation of
this topic. I thank him for providing me the confidence to perform
and, most importantly, the track of the topic whenever I needed it.
3. Content:
• Introduction.
• Browser security topics.
• Plug-in and extensions.
• Preserving web privacy.
• Crowds.
• Security Risks.
• Port access restrictions.
• Verifier.
• Type Safety.
• Security Manager.
• Summary: Browser security.
4. Introduction :
Browser security is the application of Internet security to
web browsers in order to protect network data and computer systems
from breaches of privacy or malware.
The web browser is the primary vector by which malware is
introduced to computers. Links in phishing emails,
compromised web sites, and Trojanized “free” software downloads
all deliver malware via web browser downloads.
6. Plug-in and extensions.
Browser plug-ins and extensions extend the attack surface, exposing
vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, the Java plug-in,
and ActiveX that are commonly exploited.
Malware may also be implemented as a browser extension, such as
a browser helper object in the case of Internet Explorer. Browsers like Google
Chrome and Mozilla Firefox can block (or warn users of) insecure plug-ins.
7. Preserving web privacy
Your IP address may be visible to web sites.
This may reveal your employer, ISP, etc.
Can link activities on different sites, different times.
Some mechanisms exist to keep sites from learning information about you.
Anonymizer
o Single site that hides origin of web request
Crowds
o Crowds is a proposed anonymity network for anonymous web browsing.
8. Crowds.
Sender randomly chooses a path through the crowd
Some routers are honest, some corrupt
After receiving a message, honest router flips a coin
• With probability pf, routes to the next member on the path
• With probability 1 - pf, sends directly to the recipient
[Figure: a path from the sender C0 through crowd members C1, C2, C3 and C4 to the recipient, with edges labelled pf and 1-pf.]
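The coin-flip forwarding above can be simulated to see what it buys the sender. This added example (not part of the original slides) goes one step beyond them and also estimates how often the first corrupt member on a path sees the real sender as its predecessor, comparing that with the closed form from the Crowds analysis by Reiter and Rubin. It assumes each hop is picked uniformly from all n members and that corrupt members still forward normally; the function names and parameters are hypothetical.

```javascript
// Added example: Monte Carlo model of Crowds forwarding (constructed parameters).
// Seeded PRNG (mulberry32) so every run produces the same estimates.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Members 0..c-1 are corrupt; the sender is member c (honest).
function simulateCrowd({ n, c, pf, trials, seed }) {
  const rand = mulberry32(seed);
  const pick = () => Math.floor(rand() * n);
  const sender = c;
  let hops = 0, observed = 0, senderSeen = 0;
  for (let i = 0; i < trials; i++) {
    let prev = sender;
    let cur = pick(); // the sender always hands the request to a random member
    let caught = false;
    for (;;) {
      hops++;
      if (cur < c && !caught) { // first corrupt member logs who handed it the request
        caught = true;
        observed++;
        if (prev === sender) senderSeen++;
      }
      if (rand() >= pf) break; // probability 1 - pf: send directly to the recipient
      prev = cur;
      cur = pick();            // probability pf: route to another member
    }
  }
  return {
    meanPathLength: hops / trials,                 // members traversed after the sender
    pSenderIsPredecessor: senderSeen / observed,   // given a corrupt member is on the path
  };
}

// Closed form for the same conditional probability (Reiter and Rubin).
function predictedSenderProbability(n, c, pf) {
  return (n - pf * (n - c - 1)) / n;
}
```

With n = 20, c = 3 and pf = 0.75 the estimate stays below 0.5, so a corrupt member that sees the sender as its predecessor still cannot conclude the sender is more likely than not the originator.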
9. Security Risks :
Annoyance or inconvenience
o Display large window that ignores mouse input
o Play irritating sound and do not stop
o Consume CPU cycles, memory, network bandwidth …
Export confidential information
o Communication is generally possible
o Prevent access to password file, credit card number, …
o Subtle attack: trick dialog boxes ...
Modify or compromise system
o Delete files, call system functions
10. Port access restrictions :
The URL structure technically permits an arbitrary, non-standard TCP port to
be specified for any request. Unfortunately, this permitted attackers to trick
browsers into meaningfully interacting with network services that do not really
understand HTTP. Because of this, modern browsers block a rather arbitrary
subset of ports belonging to common network services.
Browser | Blocked Ports
Firefox, Safari, Opera, Chrome, Android | (tcpmux), (echo), (discard), (systat), (uucp), etc.
Explorer, Maxthon | (chargen), (ftp), (smtp), (pop3), (nntp), (imap2), (imap3), (ssl imap3)
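The restriction described above, sketched as an added example (not any browser's own code); the same check is useful in server-side code that fetches user-supplied URLs. The port numbers are the IANA assignments for services named in the table, the list is illustrative rather than a real browser's list, and keeping a scheme's own default port allowed is an assumption of this sketch; `checkUrlPort` and `example.test` are hypothetical.

```javascript
// Added example: refuse URLs whose explicit port belongs to a non-HTTP service.
// Illustrative list only; numbers are the IANA ports for the named services.
const BLOCKED_PORTS = new Map([
  [1, "tcpmux"], [7, "echo"], [9, "discard"], [11, "systat"], [19, "chargen"],
  [21, "ftp"], [25, "smtp"], [110, "pop3"], [119, "nntp"], [143, "imap2"],
  [220, "imap3"], [540, "uucp"],
]);
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ftp:": 21 };

function checkUrlPort(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // also rejects out-of-range ports such as :99999
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  const defaultPort = DEFAULT_PORTS[url.protocol];
  if (defaultPort === undefined) {
    return { allowed: false, reason: `unsupported scheme ${url.protocol}` };
  }
  // URL.port is "" when the port is omitted or equals the scheme default.
  const port = url.port === "" ? defaultPort : Number(url.port);
  if (port === defaultPort) {
    return { allowed: true, port, reason: "scheme default port" };
  }
  const service = BLOCKED_PORTS.get(port);
  if (service) {
    return { allowed: false, port, reason: `port ${port} belongs to ${service}` };
  }
  return { allowed: true, port, reason: "not on the blocked list" };
}
```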
11. Verifier :
Byte code may not come from a standard compiler.
A malicious author may write dangerous byte code.
Verifier checks correctness of byte code.
o Every instruction must have a valid operation code.
o Every branch instruction must branch to the start of some other instruction, not the middle of an instruction.
o Every method must have a structurally correct signature.
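The first two checks in the list above, as an added toy example (not the JVM's verifier and not code from the original slides). It uses a small subset of real JVM opcodes, treats every other opcode as invalid, and covers only opcode validity and branch targets; a real verifier also does type and stack analysis. `verifyCode` is a hypothetical name.

```javascript
// Added example: toy structural check over a small subset of JVM opcodes.
// Operand byte counts for the subset; anything else is rejected as invalid here.
const OPERAND_BYTES = new Map([
  [0x00, 0], // nop
  [0x03, 0], // iconst_0
  [0x10, 1], // bipush <byte>
  [0x99, 2], // ifeq <signed 16-bit offset>
  [0xa7, 2], // goto <signed 16-bit offset>
  [0xb1, 0], // return
]);
const BRANCH_OPCODES = new Set([0x99, 0xa7]);

function verifyCode(code) {
  const starts = new Set();
  const branches = [];
  // Pass 1: decode sequentially, recording where each instruction begins.
  for (let pc = 0; pc < code.length; ) {
    const opcode = code[pc];
    const operands = OPERAND_BYTES.get(opcode);
    if (operands === undefined) {
      return { ok: false, error: `invalid opcode 0x${opcode.toString(16)} at ${pc}` };
    }
    if (pc + operands >= code.length) {
      return { ok: false, error: `truncated instruction at ${pc}` };
    }
    starts.add(pc);
    if (BRANCH_OPCODES.has(opcode)) {
      const raw = (code[pc + 1] << 8) | code[pc + 2];
      const offset = raw >= 0x8000 ? raw - 0x10000 : raw; // sign-extend 16 bits
      branches.push({ pc, target: pc + offset }); // offset is relative to the branch opcode
    }
    pc += 1 + operands;
  }
  // Pass 2: every branch must land on the first byte of some instruction.
  for (const { pc, target } of branches) {
    if (!starts.has(target)) {
      return { ok: false, error: `branch at ${pc} targets ${target}, not an instruction start` };
    }
  }
  return { ok: true, error: null };
}
```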
12. Type Safety:
Load-time type checking.
Run-time type checking.
o All casts are checked to make sure they are type safe.
o All array references are checked to be within bounds.
o References are tested to be not null before dereference.
Additional features.
o Automatic garbage collection.
o No pointer arithmetic.
13. Security Manager :
Java library functions call security manager.
Security manager object answers at run time.
Decide if calling code is allowed to do operation.
Examine protection domain of calling class.
• Signer: organization that signed code before loading.
• Location: URL where the Java classes came from.
Uses the system policy to decide access permission
14. Summary: Browser security :
Browser uses network and local disk.
o Potential for outside access to local data.
Browser interprets code from network.
o HTML, JavaScript, ActiveX, Java.
Browser installs, executes plug-ins.
o Acrobat, Shockwave.
Malicious code can pose risks.
o Consume resources, Steal information, Compromise system