ssj100 Security Forums

Securing your home banking session


Post by Guest 25/2/2012, 05:54

A while ago, I started this thread at ssj100 Security Forums: https://ssj100.forumotion.com/t427-windows-vista-windows-7-sandboxie-integrity-levels

In that same thread, I mentioned something about the Google Chrome/Chromium web browser command-line switch --host-rules.

Moments ago, after reading something at Wilders Security Forum, where someone was asking what alternative there would be to protect against XSS attacks without extensions, I decided to test something with --host-rules, which I know could be done for the loopback (IPv4/IPv6).

This is the part of the post that matters (I've changed the forum name, for the example):

m00nbl00d wrote:
2. If you don't like the firewall approach, I'd use either Google Chrome or Chromium web browsers, and make use of the command-line switch --host-rules.

Imagine that you want to restrict communications to ssj100 Security Forums. I'll give an example with Chromium being in the Program Files directory.

"C:\Program Files\Chromium\Chromium - ssj100 Session\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE ssj100.forumotion.com"

What the above command does is map every communication to the loopback (127.0.0.1, which is your own system), except ssj100.forumotion.com. So, only communication to ssj100 Security Forum is allowed. If there were any other sub-domains, then you could either add the following:

m00nbl00d wrote:
"C:\Program Files\Chromium\Chromium - ssj100 Session\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE ssj100.forumotion.com","MAP * 127.0.0.1, EXCLUDE somedomain.fullsubject.com"

or

"C:\Program Files\Chromium\Chromium - ssj100 Session\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE *.fullsubject.com"

This last example would allow communication to fullsubject.com and any of its sub-domains.

######################

Besides what I quoted of myself above, you can also restrict the IP address of the forum (in my example) and the port (80 in my example, which is for protocol http):

m00nbl00d wrote:
"C:\Program Files\Chromium\Chromium - ssj100 Session\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE ssj100.forumotion.com","MAP ssj100.forumotion.com 67.228.47.103:80"

67.228.47.103 - current ssj100.forumotion.com IP address. 80 - remote port (protocol http).

Note: You can achieve the same with a firewall, of course. But, following this approach, you can do it for other people who can't handle outbound protection. Also, without having to resort to extensions/add-ons.

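An added example, not part of the original posts and not Chromium's own code: a small Python helper that builds the --host-rules value shown in the post above from an allowlist, and refuses entries that would widen or corrupt the rule string. The function names, the sample allowlist and the profile directory are hypothetical; --user-data-dir is Chromium's switch for a separate profile directory, and the rules are joined into one comma-separated string as in the post's first command.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def validate_pattern(entry):
    """Normalise one allowlist entry or raise ValueError.

    Rejecting anything that is not a plain hostname (spaces, commas, quotes)
    keeps a bad entry from adding extra rules to the --host-rules string.
    """
    host = entry.strip().lower().rstrip(".")
    labels = host.split(".")
    if labels[0] == "*":  # leading wildcard, as in the post's *.fullsubject.com
        labels = labels[1:]
        if len(labels) < 2:  # "*" or "*.com" would exclude far too much
            raise ValueError(f"wildcard too broad: {entry!r}")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not a hostname pattern: {entry!r}")
    return host


def build_host_rules(allowlist, sink="127.0.0.1"):
    """Return 'MAP * <sink>, EXCLUDE a, EXCLUDE b' for the validated entries."""
    patterns = []
    for entry in allowlist:
        pattern = validate_pattern(entry)
        if pattern not in patterns:  # drop duplicates, keep order
            patterns.append(pattern)
    if not patterns:
        raise ValueError("allowlist is empty")
    return ", ".join([f"MAP * {sink}"] + [f"EXCLUDE {p}" for p in patterns])


def build_argv(chrome_exe, allowlist, profile_dir):
    """Argument list for subprocess.Popen; profile_dir is a hypothetical path."""
    return [chrome_exe,
            f"--user-data-dir={profile_dir}",
            f"--host-rules={build_host_rules(allowlist)}"]


if __name__ == "__main__":
    exe = r"C:\Program Files\Chromium\Chromium - ssj100 Session\chrome.exe"
    # Constructed sample values: the allowlist and the profile directory.
    print(build_argv(exe, ["ssj100.forumotion.com", "*.fullsubject.com"],
                     r"C:\Profiles\ssj100-session"))
```

Passing the result to subprocess.Popen as a list lets Python quote the argument that contains spaces, so the rule string reaches the browser as a single switch value.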

Re: Securing your home banking session

Post by ssj100 25/2/2012, 06:56

Looks interesting. Might be a silly question, but can the same thing be done with Firefox?

Re: Securing your home banking session

Post by Guest 25/2/2012, 08:40

ssj100 wrote: Looks interesting. Might be a silly question, but can the same thing be done with Firefox?

Well, you could use a firewall, as I mentioned. Other than that, I don't know if you can achieve the same granularity with Firefox using an extension. I don't think Firefox itself allows you to apply that kind of restriction.

You could try and see if what user vasa1 mentions at WSF could allow that kind of restriction - http://www.wilderssecurity.com/showthread.php?&t=318299 (I don't know if it would allow you to achieve this kind of control, though.)

You'd still be relying on an extension, though. The nice thing about the Google Chrome/Chromium approach is that you'd be using its own methods.


Re: Securing your home banking session

Post by Guest 3/3/2012, 08:40

I've created a different profile for a relative of mine following this approach.

Considering that outbound firewall control would be hard to deal with, this really comes in handy.
