This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."
3. User information
All three browsers allow the user to delete potentially sensitive information: history, offline content (e.g., media player content in temp files), cookies, the temporary file cache, registry modifications and other sensitive data.
Firefox, as well as Netscape and IE 7.0, allows users to clear information such as history, cookies and cache. All sensitive information in IE 7.0 can be cleared with a single mouse click.
All three browsers feature site-parsing engines that can spawn multiple threads for retrieving data and thus download faster (Firefox was the first to integrate this feature, a key to its early popularity). The security concern with multi-threading is the browser's ability to secure each of, say, 1,000 concurrent sessions spawned on a site. We tried to compromise individual tunnels using man-in-the-middle attacks to inject untrusted code, but all the browsers thwarted our attempts.
5. URL Obfuscation
An offshoot of the antiphishing capabilities in all of the browsers is their ability to identify sites that may be attempting to obfuscate their URL patterns. For instance, a malicious site that wants to get your credit card information might launch a browser window that looks exactly like your online bank. While it might look and feel like your Acme Bank site, www.acmebank.com, the hidden URL would show that the page actually comes from the clever phony site, www.my-acmebank.com.
IE 7.0 requires each Web site to display its URL, while Firefox and Netscape still retain the option to hide the address bar. Additionally, IE 7.0 allows you to limit the URL character set to the language of your choice, thwarting hackers who use foreign characters to fool users. While the option to hide the address bar embraces user-friendliness, it limits the ability of administrators trying to centrally manage these configurations.
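The two checks described above, a lookalike host name and a host name using characters outside the user's chosen script, can be sketched as follows. This is an added example, not code from any of the browsers reviewed; the function names, the finding labels and the "last two labels" rule for the registrable domain are assumptions, and the non-Latin host name in the usage note is constructed.

```python
import unicodedata

def _decode_label(label):
    """Turn an xn-- (punycode) label back into the Unicode text a user would see."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed label: leave it as written
    return label

def _scripts(text):
    """Scripts of the letters in text, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}

def check_host(host, trusted="acmebank.com", allowed_scripts=frozenset({"LATIN"})):
    """Return a list of findings for host; an empty list means nothing was flagged."""
    labels = [_decode_label(part) for part in host.rstrip(".").split(".")]
    shown = ".".join(labels).lower()
    findings = []

    # Check 1: letters from a script the user has not allowed (homograph risk).
    foreign = _scripts(shown) - allowed_scripts
    if foreign:
        findings.append("foreign-script:" + ",".join(sorted(foreign)))

    # Check 2: the trusted brand appears in the name, but the registrable domain
    # is a different one. Assumption: registrable domain = last two labels
    # (a real check would consult the public suffix list).
    registrable = ".".join(shown.split(".")[-2:])
    brand = trusted.split(".")[0]
    if registrable != trusted and brand in shown:
        findings.append("lookalike-of:" + trusted)
    return findings

if __name__ == "__main__":
    # Host names from the article, plus one constructed with a Cyrillic first letter.
    for name in ("www.acmebank.com", "www.my-acmebank.com", "www.\u0430cmebank.com"):
        print(name.encode("unicode_escape").decode(), check_host(name))
```

The Cyrillic sample is caught only by the script check, because its first letter is not the Latin "a" and the brand string no longer matches; this is why a character-set limit complements plain name comparison.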
This was first published in January 2006