Browser plug-ins and extensions. The backdoor to your data and an enemy of privacy.

Over the years web browsers have become much more secure. All modern browsers are now fairly well protected against most types of attacks, and fixes are released promptly after a new vulnerability is discovered. Browser vendors like Google even pay cash rewards to those who report security holes in their Chrome browser.

So where do we find most of the threats against browser users today? Anyone remember the Flashback trojan, which infected over 600,000 Macs? How did it infect them? The Java plug-in was invoked from a web page and loaded a specially crafted Java applet that exploited a bug in Java, gaining access to the system. And how is Java connected to your browser? It runs as a so-called plug-in, which is most often installed separately but gets access to the browser itself through a plug-in API. Nothing the browser vendor does can change the fact that code loaded through that API runs outside the protections the browser applies to ordinary web content, and that a hole in it can only be identified and fixed by whoever wrote and published the plug-in or extension.

Now picture a browser with multiple plug-ins (Java, Flash, PDF reader, QuickTime, Silverlight) and a bunch of extensions you can pick up and install in seconds, and you'll see just how much plug-ins and extensions increase your so-called attack surface: every one of them is code from a different publisher on its own patch schedule, and the plug-ins are reachable from any web page you visit. While browser vendors are under heavy scrutiny to write secure code, plug-in and extension developers do not seem to be held to the same standard, and many of them have mediocre security records (to put it nicely).

The attractive thing, from an attacker's point of view, about compromising a plug-in or extension is that you can target multiple platforms in one go. Compromise Flash and you have a barn door open into a whole range of browsers and the platforms they run on, and you can wreak a lot of havoc before it's discovered, *if* it is discovered, that is.

Plug-ins and extensions lag behind browsers as far as security goes, and their frequent automatic updates add to the threat they represent. Some of these buggers are updated as often as once a month, making it really difficult to keep track of what changed and what the security implications are. In most cases frequent updates are a good thing, making sure bugs are fixed and security is improved, but with plug-ins and extensions it also complicates matters and makes it hard for the user to know where they stand as far as security goes. Most people think that as long as their plug-ins and extensions are installed through a familiar, trusted vendor like Google or Mozilla they will be safe, and do not pay much attention to the security risk. This is not the case: distribution through a trusted channel says little about the quality of the code, and an automatic update delivers code nobody asked to review with the same access the previous version had.

You don’t have to look very long and hard to find studies about how big a problem browser plug-ins and extensions are. A 2011 study found that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out of date. Although very frequent updates are a threat in themselves, keeping old versions around for too long is even worse. You simply can’t win.
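The exposure those numbers describe can be measured from inside the browser, and that is exactly how browser-check services, and exploit kits choosing a payload, enumerate their targets. The following is an added example and not code from the original post: it walks the list a browser advertises in `navigator.plugins` and compares each entry against a minimum-version table. The minimum versions, the `MINIMUM_VERSIONS` table and the `SAMPLE_PLUGINS` list are constructed for illustration and are not authoritative patch levels or captured data.

```javascript
// Added example, not code from the original post. Audits the plug-ins a
// browser advertises against a minimum-version table, the way a browser-check
// service (or an exploit kit picking a payload) enumerates its targets.

// ASSUMPTION: illustrative minimum versions, not authoritative patch levels.
// Keys are substrings of the names the plug-ins register with the browser;
// Adobe Reader's plug-in registers itself as "Adobe Acrobat".
const MINIMUM_VERSIONS = {
  'Shockwave Flash': '11.7.700.169',
  'Java': '1.7.0_21',
  'Adobe Acrobat': '11.0.3',
  'QuickTime': '7.7.4',
};

// Split "1.7.0_21", "11.7.700.169" or "7.7.4" into integer components;
// '.', '_' and '-' all act as separators, non-numeric parts are dropped.
function parseVersion(v) {
  return String(v).split(/[._-]/)
    .map(p => parseInt(p, 10))
    .filter(n => !Number.isNaN(n));
}

// Returns -1, 0 or 1; a missing trailing component counts as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// navigator.plugins entries expose name, description and filename; the version
// shows up in different fields depending on the plug-in, so try each in turn.
const VERSION_RE = /\d+(?:[._]\d+)+/;
function extractVersion(plugin) {
  for (const field of ['name', 'description', 'filename']) {
    const m = VERSION_RE.exec(plugin[field] || '');
    if (m) return m[0];
  }
  return null;
}

function knownPluginKey(name) {
  const lower = String(name).toLowerCase();
  return Object.keys(MINIMUM_VERSIONS).find(k => lower.includes(k.toLowerCase())) || null;
}

// One record per plug-in: status is 'outdated', 'current' or 'unknown'
// (not in the table, or no version could be read from the entry).
function auditPlugins(plugins) {
  return plugins.map(p => {
    const key = knownPluginKey(p.name);
    const installed = extractVersion(p);
    let status = 'unknown';
    if (key && installed) {
      status = compareVersions(installed, MINIMUM_VERSIONS[key]) < 0 ? 'outdated' : 'current';
    }
    return { name: p.name, installed, minimum: key ? MINIMUM_VERSIONS[key] : null, status };
  });
}

function outdatedPlugins(report) {
  return report.filter(r => r.status === 'outdated').map(r => r.name);
}

// Run inside a browser: returns [] where navigator.plugins is unavailable.
function auditCurrentBrowser() {
  if (typeof navigator === 'undefined' || !navigator.plugins) return [];
  return auditPlugins(Array.from(navigator.plugins));
}

// Constructed sample modelled on a 2013-era plug-in list; not captured data.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 11.2 r202', filename: 'libflashplayer.so' },
  { name: 'Java(TM) Plug-in 1.7.0_11', description: 'Oracle Java Plug-in', filename: 'libnpjp2.so' },
  { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape 11.0.3', filename: 'nppdf32.dll' },
  { name: 'QuickTime Plug-in 7.7.4', description: 'The QuickTime Plugin allows you to view a wide variety of multimedia content', filename: 'npqtplugin.dll' },
  { name: 'Chrome PDF Viewer', description: '', filename: 'internal-pdf-viewer' },
];

console.log(auditPlugins(SAMPLE_PLUGINS));
console.log('Out of date:', outdatedPlugins(auditPlugins(SAMPLE_PLUGINS)));
```

Paste it into a page or a browser console and call `auditCurrentBrowser()` to audit the browser you are sitting in. Two caveats: a plug-in that is installed but disabled still shows up in some browsers, and the same enumeration is available to every site you visit, which is why an exploit kit can pick the one outdated plug-in it needs without guessing. Current browsers return a fixed list for `navigator.plugins` with no real plug-ins in it, which is the outcome of the phase-out described further down.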

Some will claim that browser plug-ins and even extensions should be on their way out. Plug-ins are still often necessary (Flash and Adobe Reader, for instance), but companies like Google and Mozilla are working on solutions that would make many of them obsolete, and the old plug-in APIs are being phased out. Extensions, on the other hand, are still very much alive and kicking, and are put out there by anyone who can put together some pieces of code and thinks they have found a need worth fulfilling. There are also those who would like to see a browser that does it all without needing to expose the user to the threat plug-ins and extensions represent. Personally I would welcome such a browser. For the extension addicts it may be a step back, but one worth taking if you care about your security and privacy.


Atom. The new and different editor from GitHub.

GitHub now has its own editor, and has named it Atom. As a side note, it’s being described as “web native”. What does that mean? To put it simply, it’s built on top of web browser technologies, namely Chromium (which Chrome is built on). More on that below.

The fact that GitHub now has a code editor is what has attracted most interest, but the real news is how this editor was conceived and designed.

Since GitHub hosts code in the cloud, one would expect their editor to be somewhat cloud-based and/or a web app of some sort. There are plenty of such editors, like Orion and CodePen. But what GitHub created is completely different. It’s not a browser-hosted web app. Although a lot of the implementation is HTML/JavaScript based, it doesn’t run in a browser. GitHub found that browser-hosted editors run into the browser’s security model: a web app is not allowed to read and write the local file system freely and cannot run local subprocesses, and an editor needs both.

So what did they do?

They took the source code of Chromium, the open source browser that Chrome is based on, and customized it to host the Atom web app. Put simply, the sandbox restrictions a browser imposes on web content do not apply: Atom’s HTML and JavaScript run with the same access to the file system and to local processes as any native application, which also means that any script that ends up executing inside Atom, whether it comes from a package you installed or from somewhere less intended, runs with that access too. From the user’s point of view this is a strange situation, because they are running a web app but have to download a special desktop application to run it! And a hefty download it is, around 50 MB, but who cares about such things these days anyway?

The advantage of this approach is that the web app part of the system can be continuously updated and has all the interactive qualities of a web app, but without the security restrictions mentioned above. As the Atom blog points out, it also solves the problem of browser compatibility:

“Another great thing about writing code for Atom is the guarantee that it’s running on the newest version of Chromium. That means we can ignore issues like browser compatibility and polyfills. We can use all the web’s shiny features of tomorrow, today.”

The disadvantage is that the user has to download a special desktop app and can’t just move to another machine and work without downloading and installing the app first. As I see it, minor.

Atom can currently run on the most popular OSes: Windows, OS X and even Linux (some distributions).

The editor looks great and has the look and feel of Sublime Text. This is probably not a coincidence. It seems GitHub has aimed at offering a free version of this popular programmer’s editor, and according to many who write code they are very close to succeeding.

If you like to use an advanced text editor and want something different and new, you should most definitely take a look at Atom. Yes, you will be downloading a complete web browser to run it, but who cares as long as you get your job done in an elegant, well-functioning, shiny new editor called Atom! Get it here:

Atom.io


Browsers on Linux.

As a long-time Linux user, finding a good and stable web browser has always been important. I used Opera for Linux from v. 7 and was happy with it up to v. 12.x. It was my browser, e-mail client and even Usenet news and IRC client. I could do it all in Opera. Then Opera started lagging behind and I was looking for other options. The two obvious ones were Google Chrome and Firefox. Firefox, as the default browser on most major Linux distributions, was first of course, and I used it for a while without problems. Then Adobe dropped Flash for Linux and I started having problems with certain Flash-based content. I decided to try Chromium and also Chrome, and it ended up becoming my new default browser. After some time I ended up with Chrome, since Chromium also had Flash problems while Chrome has its own Pepper Flash implementation, making sure you always have the latest version available. Chrome worked very well on Linux and synced without problem between computers and to my Android phone.

Then, after a trivial Chrome update, the browser stopped working. And since a browser is a piece of software that needs to work all the time, I freaked out and went back to Firefox, but soon got stuck on a site that needed the latest and greatest Flash, which Firefox couldn’t offer. I looked for a solution and found a way to get Pepper Flash from Chrome to work in Firefox through a wrapper application. But I still had problems with sites that detected the wrapper and wouldn’t play. Now what? It turned out that the non-working Chrome was fixed after a few days and I could return to my preferred browser.

I had been reading about Google’s Aura graphics stack, which replaced GTK+ on Linux, and got it, whether I wanted it or not, with a recent update. I use Gnome-Shell and was going to install a couple of extensions to my desktop, but no, that didn’t work anymore in Chrome with Aura. Back to Firefox to do that, and it works. I then thought I would simply use Firefox again for a while, but found out that, for some reason, I do not have full hardware acceleration working with my graphics card. It turns out it is because Firefox blacklists computers with dual graphics cards like mine, even if one of them has been disabled. In Chrome I have full hardware acceleration, but can’t install Gnome-Shell extensions.

Finding the perfect browser on Linux has been nearly impossible since I left Opera 12.x, and I’m pretty sure it will continue to be a matter of small compromises until one browser vendor gets it right, or a new shiny browser comes along that supports Linux perfectly. I’m not sure which is more likely to happen.