Using Specific-Site/Single-Site browsers
User Dermot7 posted a link at Wilders Security Forum for this article -https://blog.whitehatsec.com/a-single-site-browsers-impact-on-xss-csrf-and-clickjacking/
Forum thread: -http://www.wilderssecurity.com/showthread.php?p=2016803
The article mentions single-site browsers.
User vasa1 asked if it was possible to achieve single-site browsers with our regularly used browsers, such as Google Chrome, Firefox, etc. I answered that this was already possible with Chromium/Google Chrome.
"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.google.com"
In the above example, Chromium will only be allowed to connect to google.com and its sub-domains. I could also allow only to www .google.com, but not allow any sub-domains.
I'll post a practical example to make a Chromium/Google Chrome profile to only access Youtube:
"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.youtube.com","MAP * 127.0.0.1, EXCLUDE *.ytimg.com"
To have a Chromium/Google Chrome profile for Youtube only, that's all you need. We map all domains to localhost (127.0.0.1), except youtube.com and ytimg.com and their respective sub-domains.
This is really useful to have different profiles to access e-mail accounts, bank account, etc. REALLY a secure feature!
###############
User vasa1 created the following thread, explaining how to achieve the same with Firefox: -http://www.wilderssecurity.com/showthread.php?&t=318299
I've also found two other ways, which I also mentioned in that same thread. Apparently, until 2010, Mozilla had a dedicated site-specific browser and extension. They dropped its development, though. You can still download them.
################
Internet Explorer 9 has Pinned Sites.
################
Chromium/Google Chrome also has Application Shortcuts, but using the flag --host-rules is a more elegant way of achieving it, and you still get a full browser "version". If using an Application Shortcut, you just get the browser frame, but no controls, settings, etc.
################
Is anyone familiar with anything for Opera?
Last edited by m00nbl00d on 17/2/2012, 03:28; edited 2 times in total (Reason for editing : Removed hyperlink to Google)
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
-edit-
At this link you'll be able to find many more Chromium/Chrome command line switches -http://src.chromium.org/svn/trunk/src/chrome/common/chrome_switches.cc
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
Wouldn't it be possible to achieve the same with a two-way firewall, by restricting the browser to whichever remote ip address and port you wanted?
wat0114- Advanced Member
- Posts : 152
Join date : 2010-05-11
Re: Using Specific-Site/Single-Site browsers
wat0114 wrote:Wouldn't it be possible to achieve the same with a two-way firewall, by restricting the browser to whichever remote ip address and port you wanted?
That would depend on the website, and whether or not you got more than one browser/different browser installations to access different websites.
Let's imagine that this forum has a specific IP. You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else. It's more problematic when IPs are constantly changing. If you got a firewall that allows to "restrict" by domain, then it makes it a lot easier. But, you'd still face the same problem: You won't be able to use the browser for anything else, other than connecting to this forum.
I'd imagine something like that is not desirable.
That leaves with two options, as far as I can think:
1. Different browsers.
Not so impossible, if you only want to have one specific browser to access one website. But, there will still be the problem of IPs constantly changing. If the firewall allows "restriction" by domain, then it's easily done, provided the user is familiar with creating firewall rules.
It's a problem if you want to create specific-site browsers for a few services. It would require you to maintain a few web browsers.
2. Different browser installations.
You could use the same browser, but by using different installations. The only possible way would be portable browsers or browsers whose contents you extract from the main installers and place in different folders.
I follow this approach, but I use Chromium, which is a way to do it; it only requires decompressing a zip file. Then, I have a batch file that will place it in the folder I wanted, separated by profiles. But, I do it to have different integrity levels applied to them. Not for site-specific browsers.
This is also something that most wouldn't want to follow. And again, there's still the problem with IPs constantly changing. Unless the firewall allows "restriction" by domain.
So, those other methods for Google Chrome/Chromium and Firefox make it a lot easier and more convenient. With Chromium/Chrome you actually only need different shortcuts. I don't even think you'd need different profiles. Unless you prefer a cleaner way, and would instead like to have different profiles, so that you can also apply different settings and options.
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
Oh, okay, but taken from the first post in that thread:
A Single-Site Browser (SSB) is a highly restricted Web browser only capable of connecting to a single website. A “website” can be defined as a white-listed collection of one or more hostnames, IP addresses, ports, and protocols.
This can still be achieved with a two-way firewall, although I do appreciate the difficulties as mentioned if the ip address(es) change. I don't know how often this happens with a typical website, especially a banking or similar site, but if it isn't often, then this approach could, I think, be a viable option. You mention:
"You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else."
but as the name implies - SSB or single site browser - isn't the intent to use it for only the single site or a small collection of sites??
Could it not be possible to have, say, two installations of Firefox, if this was one's favourite browser , in different directories, and simply use the firewall to restrict the one installation to an SSB and keep the other one for full web access use? Thanks!
wat0114- Advanced Member
- Posts : 152
Join date : 2010-05-11
Re: Using Specific-Site/Single-Site browsers
wat0114 wrote:[...]
This can still be achieved with a two-way firewall, although I do appreciate the difficulties as mentioned if the ip address(es) change. I don't know how often this happens with a typical website, especially a banking or similar site, but if it isn't often, then this approach could, I think, be a viable option. You mention: "You can create a firewall rule to restrict the browser's communication just to that IP. But, then you cannot use the browser for nothing else." but as the name implies - SSB or single site browser - isn't the intent to use it for only the single site or a small collection of sites??
Oh, yeah you can use a firewall just fine, if we're dealing with a bank and that stuff. IPs that won't change that often. I just pointed out that if you want more control, and have more SSBs, say to access only Youtube, only Virus Total (I'm that freakish! LOL), then the case of Youtube is a bit more tricky, because IPs change often. Maybe not an impossible task (far from it), but a lot easier using --host-rules flag. lol
Yes, SSBs are meant to access just one site, but that implies you'd have to have, as I pointed out, multiple browsers or multiple "installations" of the same browser. I got ~600MB in my Chromium folder. lol Otherwise, if you do it with just one browser, doing it with a firewall will require you to constantly adapt the firewall rules. Again, not impossible to do it this way, it would just require more work and patience. lol
Could it not be possible to have, say, two installations of Firefox, if this was one's favourite browser , in different directories, and simply use the firewall to restrict the one installation to an SSB and keep the other one for full web access use? Thanks!
YES!!! That's what I tried to say. Sorry if I confused you with my explanation approach!
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
For instance, I'd imagine that it would be a daunting task to follow this firewall approach for my Chromium profiles that I use to access Gmail and Hotmail, respectively. I imagine the IPs change a lot. They don't exactly advertise their IP ranges.
So, it's just a lot easier to make use of the flag --host-rules. As it would be a lot easier to follow Vasa1 method for Firefox, for such situations.
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
Excellent! All understood now I see the benefits to using the SSB approach. I guess I'm just a bit old school and can't grasp the bleeding edge developments too well
wat0114- Advanced Member
- Posts : 152
Join date : 2010-05-11
Re: Using Specific-Site/Single-Site browsers
wat0114 wrote:Excellent! All understood now I see the benefits to using the SSB approach. I guess I'm just a bit old school and can't grasp the bleeding edge developments too well
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
Have you tried the Firefox addon approach? The same goes to everyone else. Or even the flag --host-rules, if you're a Google Chrome/Chromium user.
I'd imagine this flag and many others to also work with other Chromium based browsers, such as COMODO Dragon, by the way.
In a few hours, I'll be switching user accounts to check my e-mail, and I'll copy my entries for both Gmail and Hotmail. Maybe someone will be interested.
If you got any other services, which you'll be using this SSB approach, if entries for services you can share information, I think everyone would benefit from it, without having to hunt down every possible one.
I previously mentioned my Chromium Youtube profile. You may need to allow more, in case you also sign in to Youtube. I only watch videos, and to watch them, this is all it takes:
- Code:
"C:\Program Files\Chromium\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.youtube.com","MAP * 127.0.0.1, EXCLUDE *.ytimg.com"
For Virus Total service, I got the following:
- Code:
--host-rules="MAP * 127.0.0.1, EXCLUDE *.virustotal.com","MAP * 127.0.0.1, EXCLUDE www.google.com","MAP * 127.0.0.1, EXCLUDE ajax.googleapis.com","MAP * 127.0.0.1, EXCLUDE charts.googleapis.com"
That's all I needed to allow. And again, you may need to allow more, if you also login to Virus Total. But, if all you want to do is check files with VT and nothing else, then that's all that is needed.
Guest- Guest
Re: Using Specific-Site/Single-Site browsers
- Edit -
For the Virus Total Chromium/Chrome profile, you may replace
- Code:
"MAP * 127.0.0.1, EXCLUDE ajax.googleapis.com","MAP * 127.0.0.1, EXCLUDE charts.googleapis.com"
with
- Code:
"MAP * 127.0.0.1, EXCLUDE *.googleapis.com"
In fact, I am going to change it in mine to reflect the second way, as well. It's cleaner this way.
Guest- Guest
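An added example, not part of the original posts: a simplified Python model of how a --host-rules value is evaluated, run over the Virus Total rule strings above to compare the explicit and the wildcard googleapis.com forms. It assumes EXCLUDE patterns are checked before MAP rules and that `*` is a plain glob; the function names and the sample hostnames are made up for the illustration.

```python
import re

LOOPBACK = "127.0.0.1"

def parse_host_rules(value):
    """Split a --host-rules value into MAP rules and EXCLUDE patterns."""
    maps, excludes = [], []
    for rule in value.split(","):
        parts = rule.strip().strip('"').split()
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "MAP" and len(parts) == 3:
            maps.append((parts[1].lower(), parts[2]))
        elif verb == "EXCLUDE" and len(parts) == 2:
            excludes.append(parts[1].lower())
        else:
            raise ValueError(f"unrecognised rule: {rule!r}")
    return maps, excludes

def glob_match(pattern, host):
    # Assumption: '*' matches any run of characters, the rest is literal.
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, host.lower()) is not None

def resolve_target(value, host):
    """Return the host that would be contacted for `host` under the rules."""
    maps, excludes = parse_host_rules(value)
    # Assumption: an EXCLUDE match wins over every MAP rule.
    if any(glob_match(p, host) for p in excludes):
        return host
    for pattern, replacement in maps:
        if glob_match(pattern, host):
            return replacement
    return host

def reachable(value, hosts):
    return sorted(h for h in hosts if resolve_target(value, h) != LOOPBACK)

# Rule strings as posted in the thread (the wildcard form after the suggested edit).
VT_COMMON = '"MAP * 127.0.0.1, EXCLUDE *.virustotal.com","MAP * 127.0.0.1, EXCLUDE www.google.com",'
VT_EXPLICIT = VT_COMMON + '"MAP * 127.0.0.1, EXCLUDE ajax.googleapis.com","MAP * 127.0.0.1, EXCLUDE charts.googleapis.com"'
VT_WILDCARD = VT_COMMON + '"MAP * 127.0.0.1, EXCLUDE *.googleapis.com"'
# Constructed sample hostnames, not taken from the thread.
SAMPLE = ["www.virustotal.com", "virustotal.com", "www.google.com",
          "ajax.googleapis.com", "storage.googleapis.com", "ads.example.net"]

if __name__ == "__main__":
    print("explicit:", reachable(VT_EXPLICIT, SAMPLE))
    print("wildcard:", reachable(VT_WILDCARD, SAMPLE))
```

Under this model the wildcard form also opens every other googleapis.com subdomain to the profile, and the bare virustotal.com apex is sent to loopback by both forms because `*.virustotal.com` requires a leading label.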
Re: Using Specific-Site/Single-Site browsers
m00nbl00d wrote:Have you tried the Firefox addon approach? The same goes to everyone else. Or even the flag --host-rules, if you're a Google Chrome/Chromium user.
No, I really have no interest in going this route for security purposes or otherwise
wat0114- Advanced Member
- Posts : 152
Join date : 2010-05-11
Re: Using Specific-Site/Single-Site browsers
wat0114 wrote:m00nbl00d wrote:Have you tried the Firefox addon approach? The same goes to everyone else. Or even the flag --host-rules, if you're a Google Chrome/Chromium user.
No, I really have no interest in going this route for security purposes or otherwise
I've actually added a few more. A few forums, including this one... Unfortunately, it's no longer possible to use the flag --no-referrers with Chromium; at least, judging by the chrome_switches.cc file, at Chromium website. So, I had to install ScriptNo extension. But, I dislike having extensions loaded in services where I enter credentials, which is why I create a few site-specific Chromium browsers for forums.
Guest- Guest