Howto: Register Firefox Portable as the default Windows browser


Ramesh has written some instructions detailing how to register Firefox Portable as the default browser for Windows XP and Windows Vista.

He uses a utility called DefaultBrowser to define the default browser in XP, and uses a tool called RegisterFirefoxPortable to do the same in Vista.

This is pretty slick, something I’ve been thinking about doing for a while.

CMU announces free Firefox add-on to increase browser security against DNS flaw and digital signature problems


Carnegie-Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security.

The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flaw in the DNS, but it also defends against some digital certificate problems.

The extension provides two primary benefits:

  1. If you connect to a website with an untrusted (e.g., self-signed) certificate*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., http://www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Because of the API used, the code only works in Firefox 3.x, not Firefox 2.x.

How it works, from the CMU web page:

“Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”
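A simplified model of the notary comparison described above, as an added example that is not Perspectives' own code: the browser compares the key it was offered with what several notaries report seeing from their vantage points. The notary names, fingerprints, quorum size, day counts and the `evaluate` function are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed observations for one service (hypothetical "example.org:443").
# notary name -> list of (key fingerprint, first day seen, last day seen)
NOTARIES = {
    "notary-a": [("aa:11", 0, 100)],
    "notary-b": [("aa:11", 2, 100)],
    "notary-c": [("aa:11", 5, 99)],
    "notary-d": [("aa:11", 0, 60), ("bb:22", 61, 100)],  # sees a different key now
}

def evaluate(offered_fp, observations, today, quorum, min_days):
    """Classify the key the browser was offered as accept / suspicious / unknown.

    accept:     at least `quorum` notaries see the offered key right now and
                have seen it without change for `min_days` or longer.
    suspicious: a quorum of notaries currently sees some other key, which is
                what a local man-in-the-middle or a poisoned DNS answer looks like.
    unknown:    no quorum either way (for example a key rotated yesterday).
    """
    agree, current = 0, Counter()
    for history in observations.values():
        fp, first, last = max(history, key=lambda h: h[2])  # latest observation
        if today - last > 1:
            continue  # this notary has no fresh view of the service
        current[fp] += 1
        if fp == offered_fp and last - first >= min_days:
            agree += 1
    if agree >= quorum:
        return "accept"
    others = [n for fp, n in current.items() if fp != offered_fp]
    if others and max(others) >= quorum:
        return "suspicious"
    return "unknown"

if __name__ == "__main__":
    for fp in ("aa:11", "cc:33"):
        print(fp, evaluate(fp, NOTARIES, today=100, quorum=3, min_days=30))
```

The "accept" outcome corresponds to the first benefit in the list (a self-signed certificate that every vantage point has seen for a long time), and "suspicious" to the second (the key offered locally differs from what the notaries see).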

Original Source: networkworld.com

Recommendations for securing Internet Explorer, Firefox and Safari web browsers


CERT has a document that shows some specific steps you can take to secure your Internet web browser. Detailed instructions, including screen shots, are provided, along with explanations of what you are configuring and what the potential ramifications are.

The document focuses on IE, Firefox, and Safari and includes supplemental reference links to additional content. They also include links to configuring similar options for Opera, Mozilla SeaMonkey, Konqueror, and Netscape.

Found via ts/sci security blog.

Viewing Firefox’s Super Cookies


Pascal has a nice short post on Firefox’s “super cookies” and the information contained inside the browser’s DOM storage. He does a nice job comparing Adobe’s Flash local storage to this storage technology, and gives examples of how to view this data using sqlite3 in Ubuntu.

If you’re running Windows, you can try the open source SQLite Database Browser instead of sqlite3 to view the webappsstore.sqlite file, which is a binary file normally unreadable to humans. SQLite Database Browser allows you to browse the database as well as query it.

I think more and more Internet-based data will be stored in this manner in the future, so I hope others will check out the information stored in this database file. I’m surely going to be examining the webappsstore.sqlite file the next time I need to perform any type of computer forensics information gathering on a computer.
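For forensic review, the same inspection can be scripted. This is an added example, not code from Pascal's post: it opens the database read-only and groups stored keys by origin. The table and column names in the constructed sample (`webappsstore2` with a reversed-host `scope` column, and an older `domain` column as fallback) are assumptions about the file layout; confirm them with `.schema` on the actual file.

```python
import sqlite3
from pathlib import Path

def build_sample(path):
    """Create a constructed stand-in for webappsstore.sqlite (no real browser data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE webappsstore2 "
                "(scope TEXT, key TEXT, value TEXT, secure INTEGER)")
    con.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?, ?)", [
        ("moc.elpmaxe.www.:http:80", "visitor_id", "c0ffee-1234", 0),
        ("moc.elpmaxe.www.:http:80", "last_seen", "2008-09-01T10:00:00", 0),
        ("ten.rekcart.:https:443", "uid", "9f8e7d", 1),
    ])
    con.commit()
    con.close()

def decode_scope(scope):
    """Turn 'moc.elpmaxe.www.:http:80' into 'http://www.example.com:80'."""
    parts = scope.split(":")
    host = parts[0][::-1].lstrip(".")  # the host part is stored reversed
    return f"{parts[1]}://{host}:{parts[2]}" if len(parts) == 3 else host

def dump_dom_storage(path):
    """Return {origin: {key: value}}; the file is opened read-only so the
    evidence is not modified while it is examined."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    found = {}
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name LIKE 'webappsstore%'")]
    for table in tables:
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        reversed_host = "scope" in cols
        origin_col = "scope" if reversed_host else "domain"  # assumed older layout
        for origin, key, value in con.execute(
                f'SELECT "{origin_col}", key, value FROM "{table}"'):
            name = decode_scope(origin) if reversed_host else origin
            found.setdefault(name, {})[key] = value
    con.close()
    return found

if __name__ == "__main__":
    import os, tempfile
    sample = os.path.join(tempfile.mkdtemp(), "webappsstore.sqlite")
    build_sample(sample)
    for origin, items in dump_dom_storage(sample).items():
        print(origin, items)
```

Run it against a copy of the profile's file taken while the browser is closed, so the original stays untouched.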

Major Websense Content Filter Bypass Vulnerability


I almost missed this Websense vulnerability, since it was published 12-21-2007, while I was on vacation. I’ve verified it works on one of my client’s networks using Firefox Portable 2.0.0.4, Websense 6.1.1, ISA Server 2004 Standard, and User Agent Switcher 0.6.10.

Mr HinkyDink, who discovered the issue, used Websense 6.3.1, so I’m sure other Websense versions are susceptible as well. His instructions are:

I. Install FireFox 2.0.x

II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

III. Add the following User Agents to the plug-in

Description: RealPlayer
User Agent : RealPlayer G2

Description: MSN Messenger
User Agent : MSMSGS

Description: WebEx
User Agent : StoneHttpAgent

IV. Change FireFox’s User Agent to any one of the preceding values

V. Browse to a filtered Web site

VI. Content is allowed

Content browsed via this method will be recorded in the Websense database as being in the “Non-HTTP” category.

See also Websense KnowledgeBase article #976. Websense cleaned up this issue in database #92938.

I work with a ton of school districts, all of whom are required by law to provide content filtering. We constantly struggle to keep ahead of the various methods of bypassing the filter that students find, but I really don’t fault the kids for being curious, or trying to outsmart the adults. I think the fault lies with the teachers who are supposed to be supervising, but instead allow the students to do whatever they want.
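On filters that have not yet received the corrected database, the “Non-HTTP” records themselves are a detection signal. The following is an added example, not from the original advisory: it scans proxy log lines for clients that repeatedly fetched HTML pages while presenting one of the three User-Agent values. The log layout, addresses and URLs are constructed, and the text/html heuristic assumes that genuine RealPlayer, MSN Messenger and WebEx clients rarely request HTML pages.

```python
from collections import defaultdict

# User-Agent values taken from the steps quoted above.
SPOOFED_AGENTS = {"RealPlayer G2", "MSMSGS", "StoneHttpAgent"}

# Constructed proxy log, tab-separated (assumed layout):
# time, client IP, User-Agent, filter category, response Content-Type, URL
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("09:01:12", "10.1.4.22", "Mozilla/5.0 Firefox/2.0.0.4", "Search Engines",
     "text/html", "http://search.example/"),
    ("09:02:40", "10.1.4.22", "MSMSGS", "Non-HTTP",
     "text/html", "http://games.example/"),
    ("09:02:51", "10.1.4.22", "MSMSGS", "Non-HTTP",
     "text/html; charset=utf-8", "http://games.example/play"),
    ("09:05:03", "10.1.7.9", "MSMSGS", "Non-HTTP",
     "application/x-msn-messenger", "http://gateway.example/"),
    ("09:06:30", "10.1.7.31", "RealPlayer G2", "Non-HTTP",
     "audio/x-pn-realaudio", "http://radio.example/live.ra"),
    ("09:09:44", "10.1.9.5", "StoneHttpAgent", "Non-HTTP",
     "text/html", "http://video.example/"),
])

def find_bypass_candidates(log_text, min_hits=2):
    """Return {client_ip: [urls]} for clients that repeatedly fetched HTML pages
    logged as Non-HTTP while presenting a media or messenger User-Agent."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed lines
        _time, ip, agent, category, ctype, url = fields
        media_type = ctype.split(";")[0].strip().lower()
        if (agent in SPOOFED_AGENTS and category == "Non-HTTP"
                and media_type == "text/html"):
            hits[ip].append(url)
    return {ip: urls for ip, urls in hits.items() if len(urls) >= min_hits}

if __name__ == "__main__":
    for ip, urls in find_bypass_candidates(SAMPLE_LOG).items():
        print(ip, urls)
```

The legitimate messenger and audio-stream lines in the sample are not reported because their content types are not HTML; lowering `min_hits` to 1 trades more coverage for more noise.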

Howto: download a web browser from Windows when your web browser doesn’t work


Suppose your Windows machine has a broken Internet Explorer – How are you supposed to get online to download patches and utilities to fix the problem? Use the built-in Windows FTP tool to download Firefox from a mirror site!

This was found on the SANS Internet Storm Center web site:

To start FTP, click Start > Run and type cmd to launch a command prompt

From the command prompt window, type the following commands:

ftp ftp.osuosl.org
User: anonymous
Password: {your email address}
cd /pub/mozilla.org/firefox/releases/2.0.0.11/win32/en-US/
binary
mget *.exe

(say yes to getting Firefox Setup 2.0.0.11.exe)

quit

Now that you’re back to the command prompt, run this command, including the quotes as the file has spaces in the name:

"Firefox Setup 2.0.0.11.exe"

Thanks to William Stearns for these instructions! As newer versions of Firefox are released, replace the version number of the Firefox Setup executable file with the appropriate numbers.

Improving the Firefox experience with CustomizeGoogle


CustomizeGoogle is a great Firefox extension I’ve recently started using. It does exactly what the name suggests by allowing the user to set many Google related preferences. Check out the two minute movie that shows how easy it is to install and configure.

The CustomizeGoogle web site describes the extension as

“CustomizeGoogle is a Firefox extension that enhance Google search results by adding extra information (like links to Yahoo, Ask.com, MSN etc) and removing unwanted information (like ads and spam). All features are optional.”

My favorite feature CustomizeGoogle offers is the ability to enforce access to Google web sites, such as Gmail and Google Reader, through a secure https connection. You can also easily remove all the Google ads from the search engine, Gmail, Google Groups, etc.

You can read more about it at the CustomizeGoogle blog.