Security?

Topic: Security? (Read 5311 times)

Security?

2014-08-07, 07:55:57

I was wondering how cautious we should be using Otter browser? Should we just use it for general browsing and avoid using any credential online with it? Or should we just avoid things like online banking etc?

Re: Security?

Reply #1 – 2014-08-07, 11:58:09

I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Re: Security?

Reply #2 – 2014-08-07, 12:25:53

Quote from: Frenzie on 2014-08-07, 11:58:09

I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

On the cookies front, I would like to see the ability to block all cookies and then allow them for specific sites when browsing - like in Opera. The relevant settings in the configuration dialogue imply that this is planned, but not implemented yet.

On the referrer front, I'd like to see more options, not just yes or no to referrer, but it's good enough for the time being.

Plaintext adblock lists are also a great security option to have, when they ensure that there will be no connections to the blacklisted addresses.

Re: Security?

Reply #3 – 2014-08-07, 18:12:22

Quote from: ersi on 2014-08-07, 12:25:53

Quote from: Frenzie on 2014-08-07, 11:58:09

I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

The above settings are privacy and not security related.
And since you have mentioned proxies - network settings are so poor (as any other WebKit-based browser) so it's impossible to properly configure the browser to work with a proxy.

Re: Security?

Reply #4 – 2014-08-07, 18:41:47

Quote from: krake on 2014-08-07, 18:12:22

Quote from: ersi on 2014-08-07, 12:25:53

Quote from: Frenzie on 2014-08-07, 11:58:09

I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

The above settings are privacy and not security related.

What is the difference between privacy and security then? SSL? HTTPS? What's going into the web from browser's cache, history and address bar?

I guess you are saying that when the engine is chosen, then everything security-related is settled and cannot be improved. Only privacy things can, right?

Re: Security?

Reply #5 – 2014-08-07, 20:56:17

Quote from: ersi on 2014-08-07, 18:41:47

What is the difference between privacy and security then? SSL? HTTPS?

Stuff like that (encryption) and certificate chains, I suppose. Or at least that's what under "security" in Opera's preferences.

Re: Security?

Reply #6 – 2014-08-07, 21:07:47

Quote from: ersi on 2014-08-07, 18:41:47

What is the difference between privacy and security then?

That's something you could find out by yourself

In the meanwhile you could also ask yourself why to use different notions if they are the same thing.
BTW, can you tell me how a text file or a referrer can have an impact on security?

Quote from: ersi on 2014-08-07, 18:41:47

SSL? HTTPS?

Encryption (SSL) is security related while HTTPS is the name of the protocol.
(Frenzie was quicker

)

Quote from: ersi on 2014-08-07, 18:41:47

I guess you are saying that when the engine is chosen, then everything security-related is settled and cannot be improved. Only privacy things can, right?

Nope. This would be silly.
What I'm trying to say is that developing and maintaining a browser is costly and needs qualified manpower. Enthusiasm alone doesn't suffice. That's why we are left with only very few browsers and dozens of their deviants inheriting their shortcomings and security holes.

Re: Security?

Reply #7 – 2014-08-07, 21:28:25

Quote from: krake on 2014-08-07, 21:07:47

Quote from: ersi on 2014-08-07, 18:41:47

What is the difference between privacy and security then?

That's something you could find out by yourself In the meanwhile you could also ask yourself why to use different notions if they are the same thing.

Their usage overlaps to a considerable degree. That's why I am asking. We have to define these things for ourselves each and every time, because everybody understands it differently.

Quote from: krake on 2014-08-07, 21:07:47

Quote from: ersi on 2014-08-07, 18:41:47

SSL? HTTPS?

Encryption (SSL) is security related while HTTPS is the name of the protocol.

I know what they are (a little). The question is which one is security, which one is privacy, and why.

Quote from: krake on 2014-08-07, 21:07:47

What I'm trying to say is that developing and maintaining a browser is costly and needs qualified manpower. Enthusiasm alone doesn't suffice. That's why we are left with only very few browsers and dozens of their deviants inheriting their shortcomings and security holes.

This I can agree with, except for the qualified manpower bit. Given what kind of people pose as internet security experts in the media, I strongly doubt anyone is qualified in this area.

Re: Security?

Reply #8 – 2014-08-07, 22:51:49

Quote from: ersi on 2014-08-07, 21:28:25

I know what they are (a little). The question is which one is security, which one is privacy, and why.

As I already told you, encryption (SSL) is security related while HTTPS is the according protocol (secure connection)
If your bank PIN and PW would be transmitted in plain text and the traffic sniffed then you could encounter some problems.
Encryption of emails or any other data on your HD is also security related.

Google (and other search engines) are advertising a secure connection for protecting your privacy - your searches are private, nobody knows what you are searching for

Aside the fact that I couldn't care less if my search queries are transmitted in plain text, I also find it ridiculous when a company like Google is playing the role of a privacy guard. Last but not least such assertions make little sense.
Let me explain you why:
What are search requests and search engines meant for? To find something you are interested into. You will have to visit the sites your search results will show up. Otherwise it makes no sense to search. As soon as you visit the site at least two parties will log your IP, your ISP and the server you are visiting. Maybe even more parties will log your IP - like the NSA or/and your local three letter agency

Things might look better if you combine an anonymising proxy over SOCKS. However in this case it's only the combination of a proxy server and a secure connection which might ensure your privacy.

Re: Security?

Reply #9 – 2014-08-08, 05:48:00

Quote from: krake on 2014-08-07, 22:51:49

If your bank PIN and PW would be transmitted in plain text and the traffic sniffed then you could encounter some problems.

Is it the browser that determines if plain text is transmitted or is it the bank website's job to have control over what's being typed in there?

Quote from: krake on 2014-08-07, 22:51:49

Encryption of emails or any other data on your HD is also security related.

The sender (me) encrypts the message, sends the encrypted message, and the receiver decrypts it. Who encrypts at what stage in browsers? What can a browser do here?

What I have heard about browsers is things like leaking history and leaking address bar. These sound like things that a browser developer could manage, regardless of browser engine.

Quote from: krake on 2014-08-07, 22:51:49

Google (and other search engines) are advertising a secure connection for protecting your privacy - your searches are private, nobody knows what you are searching for

This is what I mean. "Security" and "privacy" are used so often together that it's certain that even experts don't keep them apart very well. "Security and privacy" sound to me like "terms and conditions" (which ones are the terms and which ones are the conditions?) or "preferences, options, and configuration".

Re: Security?

Reply #10 – 2014-08-08, 08:06:52

Quote from: ersi on 2014-08-08, 05:48:00

Is it the browser that determines if plain text is transmitted or is it the bank website's job to have control over what's being typed in there?

I'd say it's the bank's job. If the connection to the browser can't be made sufficiently secure because of outdated encryption methods I think they should probably just say "sorry, you're out of luck" as opposed to falling back to some easily cracked encryption. Or possibly give you the choice to continue anyway if they think it'll annoy customers too much otherwise.

Quote from: ersi on 2014-08-08, 05:48:00

This is what I mean. "Security" and "privacy" are used so often together that it's certain that even experts don't keep them apart very well. "Security and privacy" sound to me like "terms and conditions" (which ones are the terms and which ones are the conditions?) or "preferences, options, and configuration".

Security is to make sure third-parties can't intercept your connection. Or, probably more important, to make sure they can't inject what is sent to you with nasty things. This has privacy as a side-effect. They're definitely intertwined, but I don't think it's as muddled as you say.

With cookies, I'd present it something like this: cookies are in principle privacy-related only, but leaking cookies when you're on another website would be a security problem: a security issue that affects your privacy.

Re: Security?

Reply #11 – 2014-08-09, 19:10:48

Quote from: ersi on 2014-08-08, 05:48:00

The sender (me) encrypts the message, sends the encrypted message, and the receiver decrypts it. Who encrypts at what stage in browsers?

Forget about the browser, even if you are using a 'suite'. It's the built in mail/encryption modul doing the job.
It's basically not the browser who encrypts but part of the built in email modul or at least the coresponding code.
As for how email encryption and protocols for email encryption are exactly working you can find informations on the web which are more in-depth as I could explain.

Quote from: ersi on 2014-08-08, 05:48:00

What I have heard about browsers is things like leaking history and leaking address bar. These sound like things that a browser developer could manage, regardless of browser engine.

You mean probably the cascading style sheets history leak. Not an easy fix without breaking key web functionality. Mozilla promised a fix years ago. I'm not aware if it got fixed.
Some fixes are difficult or costs are considered to be not worth the benefit.
As for browser developers, there are just a few browsers left. I wouldn't consider the makers of their deviants "browser developers"

BTW, the cascading style sheets history leak isn't of big concern for me. Besides you can configure the browser (at cost of some convenience) to circumvent the leak.

Re: Security?

Reply #12 – 2014-08-23, 10:10:10

@krake, we all know that the best solution would be to simply fork some existing engine but that is simply too big task, at least for now.
Maintaining it would be big pain itself (updating from upstream and hoping that they won't remove some API / feature that we are using - all three biggest vendors do that - Apple, Google and Mozilla), and packagers wouldn't be happy too, as compilation would went from few minutes to many hours, from slightly noticeable use of RAM while building to up to few gigabytes (not everybody has dedicated machine for compiling).

We can reevaluate this in future, but for now it not an option, we have to use what is available.