Talk:Browser security
This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:
Article POV
This article appears to be a poorly disguised attempt to promote software like Noscript and take shots at Google Chrome for not making APIs available for Noscript to work. Weighting does not mirror the various browsers' share of the market, nor reflect the other security options available to protect browsers. I've addressed some of the concerns, but there's more before that tag can be removed. Socrates2008 (Talk) 10:25, 24 March 2012 (UTC)
- Do you even understand the meaning of Wikipedia:Assume Good Faith at all? Did you not notice that I deliberately added that all browsers have security issues in the lead of it too?
- I agree that security issues on all browsers should be covered, but I haven't done enough research into other browsers - The solution here is WP:SOFIXIT and write about what you know about the other browsers, not to remove the content that there *is* --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:38, 24 March 2012 (UTC)
- I do. And I urge you to stop reverting my WP:AGF attempts to clean up this article and instead raise your concerns here. Also, if you remove the POV tag again without consensus here, I shall seek admin intervention. Socrates2008 (Talk) 10:43, 24 March 2012 (UTC)
- I already have, and it's like you're deliberately trying to avoid a discussion... I already suggested what seems to be the best thing to do, and you didn't even reply to it - why? It's really really simple, if you think an article is "weighted" in having too much coverage for one browser, *add more about the other browsers*, WP:SOFIXIT, don't delete the content there is, bearing in mind it's a short article... Like I said, WP:AGF, the reason there's less coverage of other articles is because no one's written about it yet. If that's what you are angry about, why not add bits about the other browsers? --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:48, 24 March 2012 (UTC)
- There's only seven links, and you've tagged it as 'excessive and inappropriate', what is the reason? --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:49, 24 March 2012 (UTC)
- I see you reverted again without discussion, this time saying it's because the source is a "blog" and to look at the policy - have you, though, recently? Because it says there that there shouldn't be "Links to blogs, personal web pages and most fansites, except those written by a recognized authority. (This exception for blogs, etc., controlled by recognized authorities is meant to be very limited; as a minimum standard, recognized authorities always meet Wikipedia's notability criteria for people.)" (which then links to WP:V for the recognized authorities bit, which says: "Self-published expert sources may be considered reliable when produced by an established expert on the topic of the article whose work in the relevant field has previously been published by reliable third-party publications", which would be an accurate description of the people I quoted. The medium written on doesn't matter so much when someone is notable and it's verifiably written by them, it's no different than if they published it on their home page or a forum page on their site --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 10:57, 24 March 2012 (UTC)
- Some of the external links are already linked in the article, therefore inappropriate to link again. There are several links to Mozilla website when one will do. Links need to comply with the policy lest they suggest that WP is endorsing them. If a link is really that important to the article, then write a paragraph about it to put it in content and add a reference. Socrates2008 (Talk) 11:01, 24 March 2012 (UTC)
- Wikipedia policy is created by people much smarter than you or me - unfortunately there's no room for individual editors to selectively override a core policy like WP:RELY when they see fit. Socrates2008 (Talk) 11:01, 24 March 2012 (UTC)
- Wikipedia:Ignore all rules actually directly contradicts you there, when it makes sense it's perfectly reasonable to override rules - WP:5P - Anyone can write policies depending on who is around at the time, they are actually written often by children, check out Essjay. Policies aren't like some kind of infallible bible.
- But that's not the real point, I just wanted to point that comment you said there is very, very wrong - what is the point is that they are within the policy, I explained why, and you don't even address that. The whole point of external links is relevant ones on the topic, they don't only have to be references depending on whether it's a site that you WP:IDONTLIKEIT... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:13, 24 March 2012 (UTC)
- See next section for EL comments. No, policies may not be arbitrarily overridden, particularly over such a core issue as referencing. And with respect, if you're suggesting that WP is run by children, then I'm both surprised and disappointed, as you appear to have an established edit history here. Socrates2008 (Talk) 11:35, 24 March 2012 (UTC)
Issues with external links
- Why is duckduckgo.com mentioned in the "See also" as well as the "External links section"? What's the heavy weighting, and what's the relevance to the article? Very simply, why should this not be considered as spam?
- DuckDuckGo (like Ixquick) is only one of two rare search engines that have full security for browsers in that they do not engage in web analytics or collecting personal information for behavioral marketing. As for calling me a spammer again, do you really think either of those sites would encourage links to each other in any way given that they are competitors? Again, you need to WP:AGF, I only posted that stuff because I cared about trying to help people in general, as broken as Wikipedia is, there should at least be something on this even if it inevitably gets destroyed by people wanting to push a point... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:38, 24 March 2012 (UTC)
- This has absolutely nothing to do with AGF. You need to explain in the article what the relevance is as it's not obvious - and the double linking just makes it look like spam. (This may help to explain what I mean.)
- Mozilla.org is linked 3 times - why the prominence? NoScript and Adblock are both already internally linked in the article text (WP prefers internal links to external links)
- Mozilla.org is not linked 3 times, you know that, it's not even linked once. Linking to pages about completely different subjects that happen to be on the same site is not the same. Especially when the other subjects (such as NoScript/AdBlock/BetterPrivacy/Flashblock) aren't even owned by said website either... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:38, 24 March 2012 (UTC)
- AdBlock & NoScript are already internally linked in the article, and therefore do not comply with WP:EL. Linking them again in this section is also giving them undue prominence.
- What is the relevance of aolstalker.com to the article? Without any context, it looks like spam. Ditto for ixquick.com
- "the only third-party certified search engine in the world that does not record your IP address or track your searches" is unreferenced and appears like an endorsement from Wikipedia. Socrates2008 (Talk) 11:24, 24 March 2012 (UTC)
- The AOL search data leak was made possible by search engines that collect and catalogue large amounts of personal data like AOL did, and Google does - it's very relevant. As for why Ixquick is there, again it's like DuckDuckGo in that it is only one of two rare search engines that have full security for browsers in that they do not engage in web analytics or collecting personal information for behavioral marketing... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:38, 24 March 2012 (UTC)
- The relevance is not obvious at all. If you think it's that important, then write a section on it, explaining why it's relevant and adding a reliable reference that supports this.
Referencing
[1] is an advertisement, and therefore fails WP:RELY. Socrates2008 (Talk) 11:44, 24 March 2012 (UTC)
- No that is not an "advertisement", that is the official page... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 11:45, 24 March 2012 (UTC)
- ...where the software is being promoted. Promotional material does not meet WP:RELY - if you find an independent source, it will carry much more weight, and won't raise any eyebrows about bias. Socrates2008 (Talk) 11:55, 24 March 2012 (UTC)
- It is an independent page though, Adblock Plus is not owned nor officially endorsed by Mozilla Foundation in the same way that something on Google isn't owned by them... --Mistress Selina Kyle (Α⇔Ω ¦ ⇒✉) 12:00, 24 March 2012 (UTC)
- The text on the Mozilla site is submitted by the software author in order to promote his product. Find an independent reference, and no-one will doubt it. Socrates2008 (Talk) 12:05, 24 March 2012 (UTC)
[2] is a vendor page that primarily exists to sell a particular product, and therefore fails WP:RELY. JoeIT (talk) 14:19, 1 January 2019 (UTC)
Suggestions for article improvement
- Cover security issues in browsers other than Firefox. For example browser helper objects in IE
- Privacy issues are a whole subject on their own - tracking cookies, including mechanisms around countermeasures, like using Flash cookies or making people authenticate.
- Using the principle of least privilege (not browsing the web as an admin).
- User account control and Protected Mode
- Some people believe that security issues in browser plugins like Adobe Flash, Reader & Java are now a bigger issue than those in the browsers themselves
- Security update mechanisms in different browsers
- Issues with rogue access points and other man-in-the-middle attacks
- DNS hijacking
- Session cookies have a whole host of issues
- Certificate issues; 40bit security
- Vulnerabilities in the SSL protocol
- Keyloggers
- Scareware popups
Socrates2008 (Talk) 12:37, 24 March 2012 (UTC)
- Remote Browsing: An examination of the newly emerging strategy of complete hardware separation between the browser and the user's machine (browsing remotely while maintaining a functional user interface is currently being developed by Spikes, www.spikes.com). It is a technology that is now becoming functional, but I am not impartial (work for Spikes) so I will just suggest that the article be edited to mention this, previously dismissed, approach to browser security. (Spikes is currently in talks with the White House task force on cybersecurity to have remote browsing added to the technologies under consideration for future recommendations, so it may soon begin replacing sandboxing).
Alxfarr (Talk) 5 June 2013
external links
I removed a number of external links to search engines. While I'm sure it's useful for people to know about search engines that have good privacy policies, this is not the article where they should be linked, as whether a search engine records your searches has about zero to do with which browser you are using - Internet privacy would be a more appropriate place for such links. I've kept for now the links to AdBlock/NoScript etc, but the section on these needs to be trimmed down, there is too much detail on why a particular developer of a particular piece of software isn't putting that software inside a particular browser. If you like, I could do this, but want to give MSK a chance first. Additionally, it would be great, as Socrates2008 suggests, to cover some of the other browser security issues, rather than focusing so much space on one or two scripts for Firefox. I think this is an important article, so glad there is attention being paid, but it should focus on the issues particular to browsers, and not to more generic internet exploits or generic privacy issues. --Karl.brown (talk) 23:53, 24 March 2012 (UTC)
rewrite
This is my suggestion for a rewrite. Many of the points mentioned in the article presented a limited view of browser security. This should address most of the mentioned issues. You all will need to find additional supporting references.
Browser security is the application of Application security to web browsers to protect computer systems (and potentially networks) from harm or breaches of privacy. Browser security Browser exploit often use Mobile code technologies such as JavaScript, ActiveX, Java, or they may compromise the browser itself ref-http://www.cert.org/tech_tips/securing_browser/#features
Description
Breaches of browser security are usually for the purpose of bypassing protections to install Malware. As computer operating systems security has been increased, attackers have had to resort to attacking the programs running on the PC's. Most often, the only service available to a remote attacker is the browser. In drive by download attacks, malicious code is uploaded to a compromised (but legitimate) website, or displayed via an advertisement. In addition, the attacker may host the code on a dedicated web server of their own. In some cases, malicious code on the webserver automatically runs and exploits a vulnerability in the web browser itself, or in plugins running within the browser. In other cases, a user is deceived into executing the code. After successful exploitation of the initial attack, the attacker may establish further, more permanent access to the system, generally by either pivoting services, or by downloading additional software to retain access.
Prevention
Whilst many vulnerabilities are in the software itself and can only be prevented via keeping browser software updated with patches, ref-http://itsecurity.vermont.gov/threats/web_attacks some subcomponents of browsers such as scripting, add-ons and cookies are particularly vulnerable to attack and also need to be addressed. The US National Security Agency recommends using a web browser with sandboxing capabilities, which will contain most of the effects of exploitation to the browser itself. If using a web browser with a PDF plugin, either disable this component if not needed, or ensure that the PDF runs in protected mode. The NSA also recommends disabling scripting within the browser (though this may limit functionality in many websites) by using add-ons such as NoScript (Firefox), NotScript (Chrome), or Internet Options (IE). ref-http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf In addition, individuals may want to block advertisements to prevent malicious ads from being displayed. Most browsers have some form of adblocking technology or add in.
-- Sephiroth storm (talk) 15:45, 27 March 2012 (UTC)
Rewrite - broadening scope
I rewrote hopefully broadening the scope of this article covering the issues above. It is a bit rough for now, and needs polishing. Widefox (talk) 14:55, 11 April 2012 (UTC)
External links modified
Hello fellow Wikipedians,
I have just modified one external link on Browser security. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
- Added archive https://web.archive.org/web/20090520070700/http://www.pcworld.com:80/article/155854/opera_plugs_severe_browser_hole.html to http://www.pcworld.com/article/155854/opera_plugs_severe_browser_hole.html
When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).
This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 5 June 2024).
- If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
- If you found an error with any archives or the URLs themselves, you can fix them with this tool.
Cheers.—InternetArchiveBot (Report bug) 14:16, 9 November 2016 (UTC)
External links modified
Hello fellow Wikipedians,
I have just modified 2 external links on Browser security. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
- Added archive https://web.archive.org/web/20130613235658/http://oreilly.com/catalog/httppr/chapter/http_pkt.html to http://oreilly.com/catalog/httppr/chapter/http_pkt.html
- Added archive https://web.archive.org/web/20120213180056/http://itsecurity.vermont.gov/threats/web_attacks to http://itsecurity.vermont.gov/threats/web_attacks
When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.
Cheers.—InternetArchiveBot (Report bug) 16:26, 26 July 2017 (UTC)