FIrefox is the most insecure browser?

[tclfan]

From perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require javascript, flash, etc... The objective would be to maximize security of sensitive information.

[bmarkus]

From perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require javascript, flash, etc... The objective would be to maximize security of sensitive information.

I do not see browser a main risk factor to be honest. Security is a more complex issue and this question do not have to much sense, sorry.

[jpeters]

From perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require javascript, flash, etc... The objective would be to maximize security of sensitive information.

A lot has to do with measures taken by the site itself.  For instance, some sites no longer allow entering of passwords via the keyboard. 

[bmarkus]

And the user itself is one of the most risky element in the system.

[tclfan]

And the user itself is one of the most risky element in the system.

This is true - in general browsing on the internet and other user habits that compromise security...
However my question was more focused and browser specific to levelset across browsers:
Given the base system of TC, which browser would you consider the most secure for online banking? This is to eliminate the factor of general Internet browsing. User browsing habits are in this measurement taken out of the picture, because in online banking every user needs to act the same, e.g. enter userid and password, pay bills, etc. Taking user habits out of the equation we have a better measurement of browser security, don't we?
To narrow down this question, let us say fresh reboot TC, start browser and start online banking. In such context, is there any added security value of browsers without javascript, etc...? As stressed in the thread, these added functions compromise safety of even most secure browsers, whether by design or by obscurity...

[JoXo009]

And the user itself is one of the most risky element in the system.

Yes and no.

Yes, in terms of 'safer-unsafer' it is the user. A user unaware of the 1,000 different security risks may be 99% unsafe wheras a skilled user may be 1% unsafe only.

But in terms of 'how to eleminate 99% of these 1,000 different risks alltogether' it's not the user, it's always the system. And succeeding in this category would create security for the unskilled user too.


So let's talk about this system security and about the main problem, insecurty coming through the web.

How about putting the web into a sandbox, just by using a virtual machine.

Deleting all network connections of the host machine - browsing etc only from within the virtual machine.

And using two virtual machines - one for crazy browsing, one strictly for banking only.

For instance, ... entering of passwords via the keyboard.  

I think, even a keylogger - working in the 'crazy browsing virtual machine - wouldn't be able to log keyboard input into the banking virtual machine.

As long as there is no bug chain (bug for highjacking the machine and bug for breaking out of the virtual machine) that seems technically safe.

Or do I oversee anything?


---------- edited

... let us say fresh reboot TC, start browser and start online banking.

Think, you are right. Never mind which browser using, this seems technically safe too.

And TC is ideal for that purpose.

Either by usb or as a super small system working within a virtual machine.

[tclfan]

JoXo009:
I think this is absolutely great idea. I have been using this for years, starting with VMware player and VMware provided original secure browser based on stripped Ubuntu, then creating a virtual machine xubuntu, zenwalk, etc...
Here I do not want to get into discussion which is better - VMware or VirtualBox. I am testing the VB 3.1 and I am not taking any position at this point...
I did not go as far as your idea of disabling internet connection on the host machine, though, but such idea is great if we can get away with it...
TC virtual machine should have additional value that pristine state can be automatically restored on each boot of Virtual Machine, so 'crazy' browsing would be harmful only for the current session...
On the keyloggers in VM, they would most likely not be able to reach to host keyboard or keybord in other VMs, just curious if any keylogger on the host is able to read keystrokes in VMs...

[jpeters]

Example of  a fradulent email, allegedly from the FDIC:

 You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
   Visit FDIC website    
        Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

[JoXo009]

Example of  a fradulent email ...  Download and open your personal ... File

Just a provacative question: Why not open it?

Naturally I wouldn't open that email - not because I fear a virus, but because I don't like to waste my time on such kind of mail. But that's another aspect.

We are talking about security and from the security point of view to my opinion it's absolutely contraproductive to seek for security on the level of human behaviour.

What's needed is a technical solution to open even fradulent email without risking the ballance of your bank account.

As explained by tclfan it's possible with a TC usb install - after plugging it off, anything is away.

And it's possible with the sandbox environment of a virtual machine - after restoring last snapshot anything is away.

It doesn't matter which browser you use, it doesn't matter if an email is faked, it doesn't matter if an infected web site has become a new drive-by attacker.

With the solutions described above you needn't to worry about, you are just safe for technical reasons.

Or did I overlook something?

[jpeters]

We are talking about security and from the security point of view to my opinion it's absolutely contraproductive to seek for security on the level of human behaviour.

What's needed is a technical solution to open even fradulent email without risking the ballance of your bank account.

Or did I overlook something?

yes, phishing

[JoXo009]

... phishing

How? Could you explain please.

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication - link.

How could this attempt succeed by technical* means, if a user
1. handles all his sensitive data in a virtual machine, where he never visits other webpages and never opens emails.
2. handles his email in an email only virtual machine
3. uses a third virtual machine for web browsing and never enters real data there.
4. restores the setup snapshot, if he likes to have a clean start again.

To my opinion phishing of sensitive data isn't possible in a sandbox without such data.

------------
* Obviously there are other means too. The attacker could ring the the door bell and ask, please give me your credit card credentials. The attacker could try to convince you, to break above rules. But that's something else.

[jpeters]

* Obviously there are other means too. The attacker could ring the the door bell and ask, please give me your credit card credentials. The attacker could try to convince you, to break above rules. But that's something else.

hey...as long as you stay in your sandbox environment, this shouldn't be an issue.