Cybersecurity Awareness Month - Web Browser Security (and a few opinions on privacy)
Hi everyone, it’s October again. I don’t know how you all celebrate the lead-up to Halloween, but generally I love cider, donuts, and candy. With that aside, I wanted to cover a few basic safety, security, and privacy things I’ve learned over a long career. This first post I’m writing for this month is going to center around high-impact things that can help keep your enterprise networks, friends, and family secure while they’re browsing the net.
Web-based Security
The best advice I can give anyone with regards to keeping yourself safe on the web is to use an adblocker. I can’t deny that there are many who make a living off of watched or clicked ads, and they will always tell you to turn off your adblocker. Unfortunately, with the threat landscape being what it is, I cannot agree with them.
I’m sure many of you are familiar with cases where friends and family get hit with Microsoft support scams: something takes over their browser, blasts error messages at full volume, locks the browser, and is generally a nuisance, followed by the desperate pleas for help from loved ones when that happens.
I’m sure a number of you have observed ClickFix malware, which urges users to paste what is ultimately a wad of malicious PowerShell into a Run prompt to “fix” a website, only to end up with a malicious payload instead.
And still, I’m sure many of you have had friends and family click a sponsored link in their Google search results and end up compromised with a RAT, Trojan, or information stealer.
I’m here to tell you, whether at home or in the enterprise, the internet, as wonderful as it can be, is also a complex weave of services that are constantly being abused to do terrible things to people. So, using ad blocking and/or threat blocking technologies should never be controversial to protect yourself – either at work, or at home.
I will be making recommendations that can be used at home, or on enterprise networks. Let’s get started.
uBlock Origin
uBlock Origin is the reigning champion of ad blocking on the internet today. However, there are some complexities that I am obliged to talk about regarding uBlock Origin, and its future.
Not that long ago, Manifest V2, the platform used for web browser extensions, was replaced on most Chrome-based browsers (Google Chrome, Chromium, MS Edge) by Manifest V3. To put it bluntly, some key features that let uBlock Origin do its job and block ads before they are requested have been severely crippled. The developers of uBO (uBlock Origin) have made uBOL (uBlock Origin Lite) for Manifest V3 browsers, but they put it bluntly by saying it’s not a one-to-one replacement. It is, however, better than nothing, and better than most competing solutions out there.
Enterprise Deployment - Google Chrome/Microsoft Edge, and uBlock Origin Lite (uBOL)
If you are looking for solutions on how to install uBlock Origin Lite across your enterprise, for either Chrome or Microsoft Edge, this thread from Reddit’s /r/sysadmin subreddit and a discussion ticket on their GitHub are a great place to start.
Enterprise Deployment - Firefox ESR and uBlock Origin (uBO)
For uBlock Origin on Firefox, you’ll want to use Firefox ESR and the plethora of documentation on how to deploy it enterprise-wide here, with particular attention to this article on pre-installing extensions.
Other notes (for home users)
Alternate Browsers and Manifest V2 Support
I’ve heard that other Chrome-based browsers like Vivaldi and Brave plan on continuing to support Manifest V2, but only so long as the code is present in Google’s Chromium project. …Which means that when Google removes the code, it’s dead for good. For home users still wishing to use these browsers, I would recommend switching to uBOL to avoid the trouble altogether.
For fans of Firefox that aren’t necessarily fans of the Artificial Intelligence expansions that Mozilla has more or less forced into Firefox, in my opinion, there are two ways forward, if you want a browsing experience without AI integration:
- If you consider yourself tech savvy, open about:config and disable every key related to browser.ml features, as documented here.
- Consider switching to Librewolf for your operating system of choice. Hardened security, no AI integrations, uBlock Origin installed by default.
Other Extensions for home use
Sponsorblock
Less of a safety feature and more of a “please stop wasting my time with sponsored video segments for Factor, NordVPN, Raid: Shadow Legends, Zenless Zone Zero, World of Tanks, War Thunder or whatever else”, SponsorBlock is a crowd-guided extension whose user community identifies portions of a video that are considered ads or requests for interaction, which the viewer can then skip. Here is the website; you decide if you want this extension. It’s been a massive time-saver for me.
SponsorBlock identifies portions of a video that are advertisements or requests for viewer interaction, by default skips over them automatically, and is highly customizable regarding what kinds of segments it skips.
Dark Reader
Many of us in technology spend all of our waking time in front of a monitor. Most websites don’t have a dark theme, and will probably never have one. Dark Reader is the solution for you.
Dark Reader is available for most modern web browsers and can be enabled/disabled at will. Additionally, if the way it’s attempting to change the theme of a website is not working correctly, under the More tab, consider trying out the different options under Theme generation mode.
Other ad-block options: Enterprise
Making use of native assets
For enterprises looking to use network-based adblocking technology, I would recommend checking your Network Firewalls, Proxies, Network Access Control, Endpoint Security solutions and/or your IDS/IPS platforms (cough), for options to integrate ad-blocking into the browser, DNS lookups and/or TLS SNI to block threats proactively.
Utilizing Emerging Threats, and Independent Threat Intel resources
Consider making use of threat intelligence products (both free and non-free) for blocking access to abused infrastructure. For instance, the ETOPEN/ETPRO ruleset categories REMOTE_ACCESS, FILE_SHARING, TA_ABUSED_SERVICES, DYN_DNS, and to a lesser extent ET_HUNTING and ET_INFO, are all great starting points for reviewing sites and services that are commonly abused by threat actors.
Also consider solutions from independent security researchers, like this repo containing a list of abused web resources created by BadSamuraiDev, or this one by hagezi containing DNS blocklists in a variety of formats. Make use of blocklists such as Spamhaus DROP, abuse.ch SSLBL (SSL Blocklist), and many more.
I would also advise that if your tools support application detection, or if you can find a list of DoH providers, you block DNS over HTTPS hosts via both DNS and TLS SNI checks, if possible. Why? The efficacy of DoH as a privacy solution is already questionable, especially if users choose a DoH server run by their ISP or by large corporate entities known for data gathering and erosion of privacy. But let’s assume you trust your DNS over HTTPS provider from a privacy perspective. From an IT/enterprise network perspective, abuse of DNS over HTTPS is frequent: some malware uses the protocol itself for command and control (DNS tunneling over DoH), and some uses DoH lookups exclusively for resolving command and control domains, because of the encryption it provides. On top of that, it makes troubleshooting DNS/host resolution problems in an enterprise environment that much more difficult: your provider gets to see the queries, but you don’t.
Open-source on-site solutions
For small office/home office deployment, be aware that pfSense has the well-known, but somewhat complex pfblocker-ng suite for integrating into the rest of pfSense, while OPNsense features integrations with Suricata. Finally, another small, lightweight (and open-source) solution for SOHO usage is pi-hole.
Other adblock options: Home
Open-source, on-site solutions and blocklists
For the most part, my recommendations for alternative ad-blocking solutions have already been covered by the things I’ve suggested in the enterprise adblocking section, in particular, making use of the Emerging Threats ruleset as a part of an OPNsense installation with Suricata, pfblocker-NG with pfSense, and/or pi-hole, along with utilizing the vital and difficult work that independent researchers perform, often for free, with the blocklists they produce:
- BadSamurai blocklist
- hagezi DNS blocklist
- Spamhaus DROP
- abuse.ch SSLBL
Be aware that for friends and family you set up pfSense/OPNsense or pi-hole for, you’ll likely be relegated to technical support for their network security gear, so keep this in mind if you elect to set up any of these solutions!
Non-default DNS servers
- I have opinions on DNS over HTTPS. You’re welcome to disagree with them, but it affords you neither privacy nor security, especially when using Google’s, Cloudflare’s, or your ISP’s DoH servers. It’s just opaque and harder to troubleshoot when network problems occur. I do not recommend using DNS over HTTPS at all. If you’d like to check whether DoH is disabled in your browser of choice, this helpful article by Akamai shows how to check DNS over HTTPS settings in Google Chrome, Microsoft Edge, and Mozilla Firefox.
- Quad9 is generally an okay DNS service, but it’s more anti-malware than ad-blocking. If you have no desire to set up pfblocker, pi-hole or any other DNS filtering solution (or a hosts file), configuring home systems to use 9.9.9.9 as their primary DNS server might not be a bad plan.
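As an added example (not code from the original post), here is a small Python helper that generates and audits a Firefox ESR policies.json covering two of the points above: force-installing uBlock Origin for enterprise deployment, and locking DNS over HTTPS off so users cannot quietly re-enable it. The add-on ID, install URL and policy keys follow Mozilla's enterprise policy templates as I know them; treat them as assumptions and verify against the current templates.

```python
import json
from pathlib import Path

# uBlock Origin's add-on ID and AMO download URL, as used in Mozilla's
# policy templates (assumption: verify against the current templates).
UBO_ID = "uBlock0@raymondhill.net"
UBO_URL = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"


def firefox_esr_policies() -> dict:
    """Baseline policies.json: force-install uBO and lock DoH off."""
    return {
        "policies": {
            "ExtensionSettings": {
                UBO_ID: {"installation_mode": "force_installed", "install_url": UBO_URL},
            },
            # Enabled=False turns DoH off; Locked=True stops users flipping it back on
            "DNSOverHTTPS": {"Enabled": False, "Locked": True},
        }
    }


def audit_policies(doc: dict) -> list[str]:
    """Return findings where a policies.json deviates from the baseline above."""
    findings = []
    pol = doc.get("policies", {})
    doh = pol.get("DNSOverHTTPS", {})
    # Missing policy means Firefox's default applies, which may enable DoH
    if doh.get("Enabled", True):
        findings.append("DNSOverHTTPS is enabled")
    if not doh.get("Locked", False):
        findings.append("DNSOverHTTPS is not locked; users can re-enable it")
    ubo = pol.get("ExtensionSettings", {}).get(UBO_ID, {})
    if ubo.get("installation_mode") != "force_installed":
        findings.append("uBlock Origin is not force-installed")
    return findings


def write_policies(path: Path) -> None:
    """Write the baseline to disk, creating the distribution directory."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(firefox_esr_policies(), indent=2))


if __name__ == "__main__":
    # Firefox reads <install dir>/distribution/policies.json on Windows and Linux
    write_policies(Path("distribution/policies.json"))
    print(audit_policies(firefox_esr_policies()) or "baseline is compliant")
```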
Non-Default search providers
If Google serves your purposes and you’re already savvy enough to ignore the sponsored links, block them and/or ignore the AI-generated responses, then that’s great. For everyone else in your life, set up Startpage with an adblocker as the default search provider. While Startpage is generally cleaner than Google search, they still have sponsored links as the first results on a page. If you use an adblocker, the entire “sponsored” links area and “related searches” area disappear from the site, making it super clean and effective. Note that Startpage has a plugin for most modern browsers that can be manually installed in a home environment, or specified for pre-installation in enterprise environments. Do be aware, however, that both Microsoft Edge and Chrome force the user to manually enable the Startpage plugin.
[Screenshot: a search on Startpage with uBlock Origin disabled on Librewolf. Notice the sponsored links and related searches that we do not desire.]
[Screenshot: the same search page with uBlock Origin enabled. The sponsored results and related searches sections have both disappeared.]
Other Security and Privacy Solutions (home)
On VPN usage at home
Because I’ve seen ads for NordVPN all over the net, and I’ve seen cases where VPN providers lied about no-logs policies, all I’m going to say is that it’s very hard to disprove a negative (e.g. a no-logs VPN provider). On top of that, for any service that claims to provide free VPN service (Edge VPN, Cloudflare Warp, TunnelBear, etc.), I want you to remember the iron rule of the internet: nothing is free, and if they claim it’s free, you’re very likely the product and not the customer. This also applies to paid commercial VPNs. The only thing that you, as a consumer, are guaranteed to get is an IP address in another region. That’s it. There are no other guarantees.
What about Tor?
As far as enterprise usage is concerned, use of Tor and the Tor Browser Bundle should never be allowed, because it represents a huge risk, both in terms of security policy bypass and as a vector for data exfiltration. Use whatever application blocking you have available to disable use of the Tor Browser Bundle, and/or Tor in general, from a host-based perspective. As for blocking Tor network traffic and Tor nodes in general, there are sites out there where you can simply request the full node list and use that for creating firewall rules. Additionally, rules.emergingthreats.net hosts a regularly updated Tor node list as a part of the ruleset here and here, as well as in the /rules directories for Suricata 7.0.3, 5.0, and snort-2.9.0.
As for its use in a home environment, I still don’t care for it. Frankly, I don’t like the idea of sharing exit nodes with others who just blast malicious traffic all over the internet and abuse the Tor network in general. I like it even less that there’s not really a way to know whether or not someone is running tcpdump on an exit node. As far as privacy is concerned, Tor traffic from an ISP’s (or a potential attacker’s) perspective is encrypted, but in terms of session data, certain anomalies stand out:
- TLS connections on non-standard ports (e.g. anything that is not 443/tcp when using obfs4 or WebTunnel bridging)
- TLS Server Name Indication (SNI) values for web traffic that look like they came from a Domain Generation Algorithm (with obfs4 configured as the bridging type)
- Very long-running flows to the IP addresses with these DGA-like TLS sessions (obfs4)
- Rapid DNS requests to a large number of DNS domains that begin with stun.* (indicating STUN/WebRTC emulation via “Snowflake” bridging)
- A rapid series of STUN bind requests after those DNS queries, especially STUN bind requests that are not on port 3478 (again, “Snowflake” bridging)
- Extremely long-running sessions to odd websites (for example, www.myphpadmin.net for meek-azure/domain fronting bridges)
So even if they can’t see what you’re doing, Tor traffic is still blatantly obvious when observed.
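As an added example, not from the original post, here is a small Python detector that applies the indicators above to constructed (not captured) DNS, STUN and TLS flow events: stun.* lookup bursts, STUN binds to ports other than 3478, and long-lived TLS flows on odd ports or with DGA-looking SNI values. The event field names, the thresholds and the vowel-ratio heuristic are my own assumptions, chosen to show the shape of the logic rather than tuned for production.

```python
from collections import defaultdict

# Constructed sample events from one client; these are not real captures.
EVENTS = [
    # six distinct stun.* lookups inside a few seconds (Snowflake-like)
    *[{"t": i, "kind": "dns", "src": "10.0.0.5", "qname": f"stun.provider{i}.example.net"}
      for i in range(6)],
    # STUN bind to a port other than 3478
    {"t": 7, "kind": "stun", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 40123},
    # two-hour TLS flow on 8443 with a DGA-looking SNI (obfs4-like)
    {"t": 10, "kind": "tls", "src": "10.0.0.5", "dst": "198.51.100.9", "dport": 8443,
     "sni": "xk3pqzvtrbw.example.net", "duration": 7200},
    # ordinary short HTTPS session; must not alert
    {"t": 12, "kind": "tls", "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443,
     "sni": "www.example.com", "duration": 30},
]


def dga_like(sni: str) -> bool:
    """Crude heuristic (assumption): a long leftmost label with almost no vowels."""
    label = sni.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 10 and vowels / len(label) < 0.25


def tor_indicators(events, window=60, stun_threshold=5, long_flow=3600):
    """Return (src, bridge_type, detail) tuples for events matching the indicators."""
    alerts = []
    stun_dns = defaultdict(list)  # src -> [(t, qname), ...]
    for e in sorted(events, key=lambda ev: ev["t"]):
        kind = e["kind"]
        if kind == "dns" and e["qname"].startswith("stun."):
            hist = stun_dns[e["src"]]
            hist.append((e["t"], e["qname"]))
            recent = {q for t, q in hist if e["t"] - t <= window}
            if len(recent) == stun_threshold:  # fire once, when the threshold is crossed
                alerts.append((e["src"], "snowflake", f"{len(recent)} stun.* lookups in {window}s"))
        elif kind == "stun" and e["dport"] != 3478:
            alerts.append((e["src"], "snowflake", f"STUN bind to {e['dst']}:{e['dport']}"))
        elif kind == "tls":
            odd = e["dport"] != 443 or dga_like(e["sni"])
            if odd and e["duration"] >= long_flow:
                alerts.append((e["src"], "obfs4",
                               f"{e['duration']}s TLS to {e['dst']}:{e['dport']} sni={e['sni']}"))
    return alerts


if __name__ == "__main__":
    for src, bridge, detail in tor_indicators(EVENTS):
        print(f"{src} {bridge}: {detail}")
```

The ordinary 443 session is included to show that a long flow alone is not enough; it has to be combined with an odd port or a DGA-looking name before it counts.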
Use it if you want, but understand the risks. As a wise man once said, “Nobody is going to jail for you.” If it has to stay private, there is no privacy solution on the internet you can trust. Period.
Conclusions
These are just a few ideas for things to take a closer look at either at home, with your friends and family, or on the job, protecting your network. Did I miss something that you use for protecting yourself when browsing the web (at home or at work)? A favorite tool or threat intel source you use? Drop a comment. Let me hear your thoughts.
As always, happy hunting.
-Tony