ssj100 Security Forums
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Using Specific-Site/Single-Site browsers

Go down

Using Specific-Site/Single-Site browsers Empty Using Specific-Site/Single-Site browsers

Post by Guest 16/2/2012, 08:16

User Dermot7 posted a link at Wilders Security Forum for this article -https://blog.whitehatsec.com/a-single-site-browsers-impact-on-xss-csrf-and-clickjacking/

Forum thread: -http://www.wilderssecurity.com/showthread.php?p=2016803

In the article is mentioned single-site browsers.

User vasa1 asked if it was possible achieving single-site browsers with our regularly used browsers, such as Google Chrome, Firefox, etc. I answered such was already possible with Chromium/Google Chrome.

"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com"

In the above example, Chromium will only be allowed to connect to google.com and its sub-domains. I could also allow only to www .google.com, but not allow any sub-domains.

I'll post a practical example to make a Chromium/Google Chrome profile to only access Youtube:

"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.youtube.com","MAP * 127.0.0.1, EXCLUDE *.ytimg.com"

To have a Chromium/Google Chrome profile for Youtube only, that's all you need. We map all domains to localhost (127.0.0.1), except youtube.com and ytimg.com and their respective sub-domains.

This is really useful to have different profiles to access e-mail accounts, bank account, etc. REALLY a secure feature!

###############

User vasa1 created the following thread, explaining how to achieve the same with Firefox: -http://www.wilderssecurity.com/showthread.php?&t=318299

I've also found other two ways, which I also mentioned at that same thread. Apparently, until 2010, Mozilla had a dedicate site-specific browser and extension. They dropped its development, though. You can still download them.

################

Internet Explorer 9 has Pinned Sites.

################

Chromium/Google Chrome also has Application Shortcuts, but using the flag --host-rules is a more elegant way of achieving it, and you still get a full browser "version". If using an Application Shortcut, you just get the browser frame, but no controls, settings, etc.

################ยด

Is anyone familiar with anything for Opera?


Last edited by m00nbl00d on 17/2/2012, 03:28; edited 2 times in total (Reason for editing : Removed hyperlink to Google)

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 16/2/2012, 08:20

-edit-

At this link you'll be able to find many more Chromium/Chrome command line switches -http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by wat0114 16/2/2012, 09:12

Wouldn't it be possible to achieve the same with a two-way firewall, by restricting the browser to whichever remote ip address and port you wanted?

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 17/2/2012, 03:26

wat0114 wrote:Wouldn't it be possible to achieve the same with a two-way firewall, by restricting the browser to whichever remote ip address and port you wanted?

That would depend on the website, and whether or not you got more than one browser/different browser installations to access different websites.

Let's imagine that this forum has a specific IP. You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else. It's more problematic when IPs are constantly changing. If you got a firewall that allows to "restrict" by domain, then it makes it a lot easier. But, you'd still face the same problem: You won't be able to use the browser for anything else, other than connecting to this forum.

I'd imagine something like that is not desirable. Laughing

That leaves with two options, as far as I can think:

1. Different browsers.

Not so impossible, if you only want to have one specific browser to access one website. But, there will still be the problem of IPs constantly changing. If the firewall allows "restriction" by domain, then it's easily done, provided the user is familiar with creating firewall rules.
It's a problem if you want to create specific-site browsers for a few services. It would require you to maintain a few web browsers.

2. Different browser installations.

You could use the same browser, but by using different installations. The only possible way would be portable browsers or browsers whose contents you extract from the main installers and place in different folders.

I follow this approach, but I use Chromium which is a way to do it; it only require to decompress a zip file. Then, I have a batch file that will place it in the folder I wanted, separated by profiles. But, I do it to have different integrity levels applied to them. Not for site-specific browsers.

This is also something that most wouldn't want to follow. Twisted Evil And again, there's still the problem with IPs contantly changing. Unless the firewall allows "restriction" by domain.

So, those other methods for Google Chrome/Chromium and Firefox make it a lot easier and more convenient. With Chromium/Chrome you actually only need different shortcuts. I don't even think you'd need different profiles. Unless you prefer a cleaner way, and would instead like to have different profiles, so that you can also apply different settings and options.

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by wat0114 17/2/2012, 05:57

Oh, okay, but taken from the first post in that thread:

A Single-Site Browser (SSB) is a highly restricted Web browser only capable of connecting to a single website. A “website” can be defined as a white-listed collection of one or more hostnames, IP addresses, ports, and protocols.

This can still be achieved with a two-way firewall, although I do appreciate the difficulties as mentioned if the ip address(es) change. I don't know how often this happens with a typical website, especially a banking or similar site, but if it isn't often, then this approach could, I think, be a viable option. You mention:
You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else.
scratch but as the name implies - SSB or single site browser - isn't the intent to use it for only the single site or a small collection of sites??

Could it not be possible to have, say, two installations of Firefox, if this was one's favourite browser Wink , in different directories, and simply use the firewall to restrict the one installation to an SSB and keep the other one for full web access use? Thanks!

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 17/2/2012, 08:40

wat0114 wrote:[...]
This can still be achieved with a two-way firewall, although I do appreciate the difficulties as mentioned if the ip address(es) change. I don't know how often this happens with a typical website, especially a banking or similar site, but if it isn't often, then this approach could, I think, be a viable option. You mention:
You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else.
scratch but as the name implies - SSB or single site browser - isn't the intent to use it for only the single site or a small collection of sites??

Oh, yeah you can use a firewall just fine, if we're dealing with a bank and that stuff. IPs that won't change that often. I just pointed that if you want more control, and have more SSBs, say to access only Youtube, only Virus Total (I'm that freakish! LOL), then it can of Youtube is a bit more tricky, because IPs change often. Maybe not an impossible task (far from it), but a lot easier using --host-rules flag. lol

Yes, SSBs is meant to access just one site, but that implies you'd have to have, as I pointed, multiple browsers or multiple "installations" of the same browser. I got ~600MB in my Chromium folder. lol Otherwise, if you do it with just one browser, doing with a firewall will require you constantly adapt the firewall rules. Again, not impossible to do it this way, it would just require more work and patience. lol


Could it not be possible to have, say, two installations of Firefox, if this was one's favourite browser Wink , in different directories, and simply use the firewall to restrict the one installation to an SSB and keep the other one for full web access use? Thanks!

YES!!! That's what I tried to say. Sorry if I confused you with my explanation approach! Laughing

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 17/2/2012, 08:44

For instance, I'd imagine that it would be a daunting task to follow this firewall approach for my Chromium profiles that I use to access Gmail and Hotmail, respectively. I imagine the IPs change a lot. They don't exactly advertise their IP ranges. Shocked

So, it's just a lot easier to make use of the flag --host-rules. As it would be a lot easier to follow Vasa1 method for Firefox, for such situations.

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by wat0114 17/2/2012, 08:52

Excellent! All understood now Smile I see the benefits to using the SSB approach. I guess I'm just a bit old school and can't grasp the bleeding edge developments too well Laughing

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 17/2/2012, 09:01

wat0114 wrote:Excellent! All understood now Smile I see the benefits to using the SSB approach. I guess I'm just a bit old school and can't grasp the bleeding edge developments too well Laughing

cheers Wink

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 19/2/2012, 05:10

Have you tried the Firefox addon approach? The same goes to everyone else. Wink Or even the flag --host-rules, if you're a Google Chrome/Chromium user.

I'd imagine this flag and many others to also work with other Chromium based browsers, such as COMODO Dragon, by the way.

In a few hours, I'll be switching user accounts to check my e-mail, and I'll copy my entries for both Gmail and Hotmail. Maybe someone will be interested.

If you got any other services, which you'll be using this SSB approach, if entries for services you can share information, I think everyone would benefit from it, without having to hunt down every possible one.

I previously mentioned my Chromium Youtube profile. You may need to allow more, in case you also sign in to Youtube. I only watch videos, and to watch them, this is all it takes:

Code:

"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.youtube.com","MAP * 127.0.0.1, EXCLUDE *.ytimg.com"

For Virus Total service, I got the following:

Code:

--host-rules="MAP * 127.0.0.1, EXCLUDE *.virustotal.com","MAP * 127.0.0.1, EXCLUDE www.google.com","MAP * 127.0.0.1, EXCLUDE ajax.googleapis.com","MAP * 127.0.0.1, EXCLUDE charts.googleapis.com"

That's all I needed to allow. And again, you may need to allow more, if you also login to Virus Total. But, if all you want to do is check files with VT and nothing else, then that's all that is needed.

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 19/2/2012, 05:13

- Edit -

For the Virus Total Chromium/Chrome profile, you may replace

Code:

"MAP * 127.0.0.1, EXCLUDE ajax.googleapis.com","MAP * 127.0.0.1, EXCLUDE charts.googleapis.com"

with

Code:

"MAP * 127.0.0.1, EXCLUDE *.googleapis.com"

In fact, I am going to change it in mine to reflect the second way, as well. It's cleaner this way.

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by wat0114 19/2/2012, 08:50

m00nbl00d wrote:Have you tried the Firefox addon approach? The same goes to everyone else. Wink Or even the flag --host-rules, if you're a Google Chrome/Chromium user.

No, I really have no interest in going this route for security purposes or otherwise Smile

wat0114
Advanced Member
Advanced Member

Posts : 152
Join date : 2010-05-11

Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Guest 24/2/2012, 01:03

wat0114 wrote:
m00nbl00d wrote:Have you tried the Firefox addon approach? The same goes to everyone else. Wink Or even the flag --host-rules, if you're a Google Chrome/Chromium user.

No, I really have no interest in going this route for security purposes or otherwise Smile

I've actually added a few more. Laughing A few forums, including this one... Unfortunately, it's no longer possible to use the flag --no-referrers with Chromium; at least, judging by the chrome_switches.cc file, at Chromium website. So, I had to install ScriptNo extension. But, I dislike having extension loaded in services where I enter credentials, which is why I create a few site-specific Chromium browsers for forums.

Guest
Guest


Back to top Go down

Using Specific-Site/Single-Site browsers Empty Re: Using Specific-Site/Single-Site browsers

Post by Sponsored content


Sponsored content


Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum