Most secure web browsing without sacrificing functionality?

  • Most secure web browsing without sacrificing functionality?

    I've been quite impressed with the speed of internet web browsing using Chrome on a low-end (~$150 just recently) Windows 8.1 Zbox PC (http://www.newegg.com/Product/Produc...-045-_-Product). It's at least as fast (maybe faster) at browsing as my Alienware i7 laptop, which runs Windows 7 Ultimate and has 24GB of memory. The Alienware i7 is a year old, so maybe the piling of Microsoft/ESET/who-knows-what updates has taken a toll. Both the Zbox and the i7 laptop have SSDs, but the i7 is also running ESET Internet Security, whereas the Zbox is not. In fact, so far, while testing out the Zbox, I haven't bothered with adding extra internet security, because I'm going to wipe it soon anyway. It's got me thinking: what's the fastest secure setup for internet browsing that doesn't cramp functionality? Ideas might be:
    1. Stay the course: use the Zbox as a Windows 8.1 PC but just add a typical software internet security package. I have doubts as to how secure this would be, and I also have doubts that it will remain fast over time, especially as more and more Microsoft updates get installed.
    2. Chrome on Linux. Is that sufficiently secure by itself, or is more protection needed?
    3. [Begin Edit:] Boot Chrome OS. It appears to be read-only: i.e. anything which changes gets saved to the web, not to your Chrome device. At least, that appears to be Google's goal. ASUS has several Chromeboxes with strongly positive reviews right now in the $150-205 range, such as http://www.amazon.com/Asus-CHROMEBOX...asus+chromebox Alternatively, you can simply boot Chrome OS from a thumb drive without disturbing the OS on your regular hard drive (whether it be Windows, Linux, or whatever): https://www.youtube.com/watch?v=NRHeQBRl7vE That way, when you're finished with Chrome OS, you just unplug your thumb drive, and after rebooting, it's like you never left. In fact, it sounds like you don't actually need a hard drive at all. Alternatively, you can of course replace the regular OS on your hard drive with Chrome OS if you wish. [End Edit]
    4. Run Chrome on a VM that gets completely wiped and rebuilt as often as you like so as to eradicate any malware that might creep in while browsing.
    5. Similar to #4 but without the VM: reboot and re-install a baseline image, thereby destroying any malware acquired since the last major wipe.
    6. Run everything from volatile memory (e.g. by using Puppy Linux or equivalent). Then after a simple reboot, everything's as fresh as brand new--i.e. guaranteed zero residual presence. It could boot from a write protected SD card, a CD-ROM, or do a net-boot.
    7. Other ideas?

    I wouldn't be surprised if the best answer isn't even on the above list.
    Last edited by NeverDie; January 2nd, 2015, 10:30 AM.

  • #2
    There are a million options and everyone will have their own opinions, but here are my thoughts.

    Windows 8.x is surprisingly fast compared to previous versions of Windows, especially on low end hardware. MS optimized the OS heavily to allow it to run on tablets. Some of the performance differences you are seeing may be because of that alone.

    Windows shouldn't be getting slower due to OS updates. If you are seeing slowness over time it is usually because of third party software that is running automatically at startup and in the background. Disabling the stuff you don't need to run automatically (nearly all of it in my experience) can make a huge difference.

    Windows 8.x has anti-malware built in and it's very lightweight and efficient. If you are very prone to getting malware then you might need something more heavy handed, but I have been using the built in Windows Defender on several Windows 8 boxes for the past couple of years with no issues.

    I would try temporarily disabling your third party anti-malware software on your laptop and see if you notice a difference in performance. I'm not familiar with ESET, but many anti-malware programs are just horrible in terms of their effect on system performance. That may be another reason why your "low end" PC is faster than your "high end" PC.

    My personal strategy would be Windows 8.1 64bit w/built in anti-malware + IE11 + EMET. The 64bit hardware/OS is important because it includes certain protections that don't exist on most 32bit architectures (DEP, buffer overflow protections for example). IE11 would seem counterintuitive to most people due to past reputation. However, IE11 actually has a better track record than its competitors in recent years. For example, IE11 + EMET is the only major browser to go unhacked in the last Pwn2Own hacking competition even though a successful attempt would have been worth hundreds of thousands of dollars. EMET is a tool from MS that "hardens" applications running on Windows including IE. More info on how to enable EMET...

    http://www.howtogeek.com/190590/quic...-toolkit-emet/

    In my opinion, that would be a more functional and user friendly solution compared to increasing security by moving to environments that are secure because they lack so much functionality or because they are being "reset" constantly.

    • #3
      What I do for systems that are prone to malware and viruses (i.e. the kids' PCs) is I loaded XP on all three of them. XP is fast and has a very small memory footprint which leaves a lot more memory for processing. Turn off automatic updates as I do not want the bloat. I load Microsoft Security Essentials for a very good and lightweight anti-virus software. After building them and getting their software loaded I created an image of the entire C partition. Now as soon as one of my kids has an issue I simply restore the partition, rinse and repeat. Been doing this for several years and it's never failed.
      -Rupp

      • #4
        Originally posted by Cleavitt76
        There are a million options and everyone will have their own opinions, but here are my thoughts.

        Windows 8.x is surprisingly fast compared to previous versions of Windows, especially on low end hardware. MS optimized the OS heavily to allow it to run on tablets. Some of the performance differences you are seeing may be because of that alone.

        Windows shouldn't be getting slower due to OS updates. If you are seeing slowness over time it is usually because of third party software that is running automatically at startup and in the background. Disabling the stuff you don't need to run automatically (nearly all of it in my experience) can make a huge difference.

        Windows 8.x has anti-malware built in and it's very lightweight and efficient. If you are very prone to getting malware then you might need something more heavy handed, but I have been using the built in Windows Defender on several Windows 8 boxes for the past couple of years with no issues.

        I would try temporarily disabling your third party anti-malware software on your laptop and see if you notice a difference in performance. I'm not familiar with ESET, but many anti-malware programs are just horrible in terms of their effect on system performance. That may be another reason why your "low end" PC is faster than your "high end" PC.

        My personal strategy would be Windows 8.1 64bit w/built in anti-malware + IE11 + EMET. The 64bit hardware/OS is important because it includes certain protections that don't exist on most 32bit architectures (DEP, buffer overflow protections for example). IE11 would seem counterintuitive to most people due to past reputation. However, IE11 actually has a better track record than its competitors in recent years. For example, IE11 + EMET is the only major browser to go unhacked in the last Pwn2Own hacking competition even though a successful attempt would have been worth hundreds of thousands of dollars. EMET is a tool from MS that "hardens" applications running on Windows including IE. More info on how to enable EMET...

        http://www.howtogeek.com/190590/quic...-toolkit-emet/

        In my opinion, that would be a more functional and user friendly solution compared to increasing security by moving to environments that are secure because they lack so much functionality or because they are being "reset" constantly.

        Interesting info! You make an interesting case with your pwn2own example. I'd feel safer if there were a guaranteed way to detect a penetration if it were to occur, but if there is no guaranteed way (?), you have a compelling argument. I'm going to take a closer look into it. Thanks for the nudge!

        Meanwhile, I just re-wrote option #3, which I then bolded (see OP above) just to demark what changed, based on recent reading about Chrome OS. Did Chrome OS get owned in pwn2own? You've got me curious. I'd like to look into that as well and cross off my list everything which got owned in those types of competitions. Prior to your post I was only peripherally aware those competitions existed, so, again, thanks for the pointer.
        Last edited by NeverDie; January 2nd, 2015, 09:35 AM.

        • #5
          Originally posted by Rupp
          What I do for systems that are prone to malware and viruses (i.e. the kids' PCs) is I loaded XP on all three of them. XP is fast and has a very small memory footprint which leaves a lot more memory for processing. Turn off automatic updates as I do not want the bloat. I load Microsoft Security Essentials for a very good and lightweight anti-virus software. After building them and getting their software loaded I created an image of the entire C partition. Now as soon as one of my kids has an issue I simply restore the partition, rinse and repeat. Been doing this for several years and it's never failed.

          This is similar to what I was planning to do for my son's computer, which doesn't contain anything vital. I'm hoping WHS will simplify some of that, at least in terms of recovering the PCs of other family members after-the-fact. WHS has finally bubbled to the top of my to-do list, as I just recently lined up some dedicated hardware to install it on.
          Last edited by NeverDie; January 2nd, 2015, 09:53 AM.

          • #6
            Originally posted by NeverDie
            This is similar to what I was planning to do on my son's computer. I'm hoping WHS will simplify some of that, at least in terms of recovering the PCs of other family members after-the-fact. WHS has finally bubbled to the top of my to-do list, as I just recently lined up some dedicated hardware to install it on.

            You may want to consider running HS3 and WHS on the same system. I recently merged my two systems and I will never look back. I do understand that you're running HS3 Linux on a super low power system so it would entail changing to HS3 Windows. I'm not sure that the low power system would choke though. I have found WHS to be extremely lightweight. It simply doesn't really do anything but sit there using electricity. It uses next to no resources unless you use its on-the-fly video transcoding. Something I have never done even once.
            Originally posted by rprade
            There is no rhyme or reason to the anarchy a defective Z-Wave device can cause

            • #7
              Originally posted by S-F
              You may want to consider running HS3 and WHS on the same system. I recently merged my two systems and I will never look back. I do understand that you're running HS3 Linux on a super low power system so it would entail changing to HS3 Windows. I'm not sure that the low power system would choke though. I have found WHS to be extremely lightweight. It simply doesn't really do anything but sit there using electricity. It uses next to no resources unless you use its on-the-fly video transcoding. Something I have never done even once.

              Good to know. Does WHS also handle the backing-up of Linux systems and Android systems on the home network, similar to how it manages that activity for Windows computers? I've been assuming it doesn't--purely on the theory that Microsoft has a lot of capitalist reasons to fight Linux and Android--so I was planning to put whatever the Linux equivalent of WHS is (I have no clue yet what that would be) onto the Linux HS3 low-power box to handle Linux (and possibly Android) backups. There's also the possibility of running both WHS and its Linux counterpart at the same time using VirtualBox or similar, provided it doesn't cause any noticeable latency in HS3, but that experiment will be easier to run after I've gained some familiarity with WHS, not to mention VirtualBox as well.

              • #8
                I don't think WHS will back up a Linux machine. I do believe that it can handle Apple machines though (TimeCapsule?). For Linux and Android I would just run backup software on the respective machines and back up to a directory on the WHS machine.
                Originally posted by rprade
                There is no rhyme or reason to the anarchy a defective Z-Wave device can cause

                • #9
                  Originally posted by Rupp
                  Now as soon as one of my kids has an issue I simply restore the partition rinse and repeat. Been doing this for several years and it's never failed.

                  Rupp,
                  Do you have those PCs isolated on your network somehow? I'd be concerned that malware could spread to other PCs once inside your LAN.
                  Mike

                  • #10
                    Just ran across something which claims to be a "secure hardware browser" that you boot from a USB port. Too bad it self-limits to just 30 minutes per use:


                    http://www.amazon.com/ZeusGard-Secur...secure+browser

                    On the plus side it suggests there's some merit to the question I asked in the OP. Perhaps there's an equally good live Linux boot .iso I could use for free?

                    Meanwhile, I found a USB flash drive with a hardware write-protect switch. If Chrome OS works with the switch engaged, then that will give me confidence that it works in a read-only manner:


                    http://www.amazon.com/gp/product/B00...=AVM1Z79WGIB6T
                    I ordered it, but it won't arrive until Monday. Meanwhile, I think I'll just test the idea with a CD-ROM. Not as quick, but cheap.
                    Last edited by NeverDie; January 2nd, 2015, 03:17 PM.

                    • #11
                      Looks as though there are a number of Linux security distros that offer live boot and address, to varying degrees, the concerns listed above. Anyone here been down this road before and care to recommend some? I've barely scratched the surface, but, for example, Qubes or Kali seem like they could have relevance: http://lifehacker.com/linux-security...qub-1658139404

                      I'll still look into EMET and the pwn2own results. Presently I'm scoping out plausible alternatives to compare against one another when I do the first pass reviews.

                      • #12
                        Interesting review of ZeusGard, but even more interesting are all the hacker comments which follow it about the ZeusGard approach: http://krebsonsecurity.com/2014/07/w...omment-page-1/

                        I'm sure the ZeusGard is better than nothing, but since it is allegedly read-only and therefore can't be updated, if any security holes are subsequently discovered in either the version of Debian it's running or the browser version, there's allegedly no way to patch them.

                        • #13
                          Originally posted by NeverDie
                          Interesting info! You make an interesting case with your pwn2own example. I'd feel safer if there were a guaranteed way to detect a penetration if it were to occur, but if there is no guaranteed way (?), you have a compelling argument. I'm going to take a closer look into it. Thanks for the nudge!

                          Meanwhile, I just re-wrote option #3, which I then bolded (see OP above) just to demark what changed, based on recent reading about Chrome OS. Did Chrome OS get owned in pwn2own? You've got me curious. I'd like to look into that as well and cross off my list everything which got owned in those types of competitions. Prior to your post I was only peripherally aware those competitions existed, so, again, thanks for the pointer.

                          Unfortunately, it's hard to find the detailed results because the website has been taken offline. There are articles, but they only have partial coverage of the results and they don't go into details about the severity of the vulnerabilities.

                          As far as I remember, Chrome OS wasn't a target in that competition. The focus tends to be on the most common configurations out there and I don't think Chrome OS has enough market share at this point. Having said that, it would probably make for a fairly difficult target because there isn't much functionality to exploit.

                          Chrome browser, IE (standard), and Safari were all in line with each other. They were each exploited, but the exploits weren't easy or plentiful. Firefox, Adobe Acrobat, and Android OS stood out as being compromised quite a few times if I recall correctly. IE 11 + EMET was not successfully compromised.

                          The only other thing I would add to your list of security measures is to consider launching the browser under the context of a non-admin user and perhaps even a dedicated "web browsing" user account. Most attacks end up being executed as the user account that the browser process is running under. Using a non-admin user limits or completely invalidates the system level damage that can be done by most exploits. Using an account other than your own prevents most exploits from being able to damage your account, user config, or personal files. Some modern browsers run under a non-admin context even if the user account has admin privileges. I know that IE 10 and 11 do this. I think Chrome may do it too, but I'm not positive.

                          • #14
                            Originally posted by Cleavitt76
                            As far as I remember, Chrome OS wasn't a target in that competition.

                            Confirmed. According to https://nakedsecurity.sophos.com/201...nd-win-150000/ "Note that the underlying platform is the 64-bit version of Windows 8.1 in all cases, unless you're taking on Apple's Safari browser."

                            • #15
                              I hadn't realized it until just now, but allegedly Windows 8.1 Pro comes with Hyper-V already inside it: http://technet.microsoft.com/library/hh857623.aspx

                              I imagine that should make creating an isolated Windows VM fairly easy. You can even run a "guest operating system" such as Linux within it.

                              Allegedly Hyper-V is also in Windows 10 Technical Preview, so that would be another (free) way to try it out.
                              Last edited by NeverDie; January 3rd, 2015, 05:05 PM.
