
Web Browser and Security

To some end users, Web surfing may seem anonymous and safe. It is not. To enable the information exchange between the end user and a Web site, the Web server needs to know at least where the end user is located so that the server can respond to the user's request by sending back information such as a Web page, a document, an audio clip, a video recording, or a combination of multiple files. The location of the end user is known to the server in the form of an IP address.

In addition, the user may also intentionally or unintentionally reveal personal information to the Web server. The information may be sent through a Web form, a cookie, a plug-in, or some spyware.

  1. The browser can run malcode in the form of scripts or executables. Most Web browsers can be configured so that certain "helper" applications are automatically run when files of particular type are downloaded from the net. Although this is a good way to provide extensibility, you should not configure your Web browser so that programs downloaded from the net are automatically executed. Doing so poses a profound risk, because it provides a way for outsiders to run programs on your computer without your explicit permission.
  2. An attacker may employ a man-in-the-middle attack.
  3. An attacker may eavesdrop on network traffic. Confidential information transmitted between the Web server and the browser can be intercepted.
  4. The Web server may not be safe and secure.
    • An attacker may take advantage of bugs in your Web server or in CGI scripts to gain unauthorized access to other files on your system, or even to seize control of the entire computer.
    • Confidential information that is on your Web server may be distributed to unauthorized individuals.
    • Bugs in your Web browser (or features you are not aware of) may allow confidential information on your Web client to be obtained by a rogue Web server.

http://www.unix.org.ua/orelly/networking/puis/index.htm

http://www.w3.org/Security/Faq/

Cookies --- A cookie is a short piece of information, in the form of plain text, created by a Web site and stored by the user's browser to hold some data about the user's visit to that Web site. The information is typically used to identify the user and facilitate the communication between the user and the Web site the next time the user visits the same site. When the user returns, the server can ask the browser to check whether a cookie is available. If a cookie is available, the server can ask the browser to pass the cookie back to the server. By default, only cookies from the originating site can be passed back to the same site. However, the browser can potentially pass any cookie to a Web server, including cookies from completely different Web sites.

Because many Web servers use cookies to maintain the user-server communication state, it is impractical for the user to reject cookies from every Web site. To manage cookie settings, please refer to the short description at http://support.dsu.edu/webct/students/cookie_setting.asp
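As an added illustration (not part of the original page), the following Python cookie jar models the scoping rule described above: a cookie is recorded with the host that set it and is sent back only on requests to that host (or to a Domain attribute that legitimately covers it), while a cookie claiming an unrelated domain is refused. The host names and cookie values are constructed sample data, and expiry and Secure/HttpOnly handling are left out for brevity.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # host the cookie belongs to (defaults to the site that set it)
    path: str     # URL path prefix the cookie is scoped to


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header received from origin_host (simplified: no expiry)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = origin_host, "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key.strip().lower() == "path":
            path = val.strip() or "/"
    return Cookie(name.strip(), value.strip(), domain, path)


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """True when request_host is cookie_domain itself or a subdomain of it."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def store(self, origin_url: str, set_cookie_header: str) -> bool:
        """Store a cookie set by origin_url; refuse one that claims an unrelated domain."""
        host = urlsplit(origin_url).hostname.lower()
        cookie = parse_set_cookie(set_cookie_header, host)
        if not domain_matches(cookie.domain, host):
            return False  # a site may not plant cookies for a domain it does not belong to
        self.cookies.append(cookie)
        return True

    def cookie_header(self, request_url: str) -> str:
        """Build the Cookie header the browser would send for request_url."""
        url = urlsplit(request_url)
        host, path = url.hostname.lower(), url.path or "/"
        sent = [c for c in self.cookies
                if domain_matches(c.domain, host) and path.startswith(c.path)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)
```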


Authors: DSU Web Support Team. Page last updated on 03/06/2006