By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
There are many browsers, each with their own idiosyncrasies and "features". Some papers of interest:
Sotiris Ioannidis and Steven M. Bellovin, "Building a Secure Web Browser", Usenix Conference, June 2001
http://www.research.att.com/~smb/papers/sub-browser.ps
http://www.research.att.com/~smb/papers/sub-browser.pdf
7.1 Microsoft
Microsoft Internet Explorer is one of the most popular browsers (well maybe not, but it's one of the most prolific). As such there are some "features" it possesses that you should be aware of if you have users that will be using it to access your web site (and authenticate to it).
7.1.1 Microsoft Internet Explorer 4.x
This browser is largely obsolete now with the wide acceptance of 5.x and the release of 6.0.
http://www.microsoft.com/windows/ie/default.htm
http://www.microsoft.com/windows/ieak/default.asp
7.1.2 Microsoft Internet Explorer 5.x and 6.x
MSIE 5.x offers a lot of new features for browsing content offline, and remembering form input and passwords. This of course makes life much more difficult from a security perspective since by default when you enter username and password (using HTTP) it prompts you if you wish to save them, many people will, or worse yet public access machines might. The next time you go to that page it automatically logs you in. In addition to this there is a feature to remember form input, so even if you secure the pages via a CGI there is a good chance the username and password put into the form will be remembered. Users at home, and users of public terminals (libraries, kiosks, etc.) have to assume that these "features" are enabled. This rules out the usage of HTTP based authentication (typically used to secure directories), since there is a good chance it will be cached, and there is no work around available for it. Using forms to accept data, and a CGI program to process the input and grant/deny access is a better solution, even though MSIE can cache form input, there is a better chance this feature will be disabled, and if not there is a work around. You can disable this in the form by putting: "AUTOCOMPLETE="OFF"" in the form tag, such as:
<FORM method=post action="submit.asp" AUTOCOMPLETE="OFF">
This is covered at:
Also MSIE associates the form data with the URL, so by manipulating the URL you can prevent the browser from prompting a user with the last username and password used (although that data might still be stored internally). Simply build a welcome screen (with a warning banner "no unauthorized users" and a login button), they hit the login button and a CGI script generates a page with a long, unique URL (based on time, client address, random string, hash it all using MD5 or something) and cache that URL for a few minutes in a table (giving the user several minutes to login). Flush the URL from the table once used or expired and the chances of someone going to the login screen, and getting the same URL (and hence the browser providing them the data in a friendly manner) are remote. This method also effectively prevents people from bookmarking the actual login screen where data is entered (not a great security feature but a minor help), and depending on exact configuration could also significantly slow down brute force password guessing attacks.
http://www.microsoft.com/windows/ie/default.htm
http://www.microsoft.com/windows/ieak/en/default.asp
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/behaviors/reference/behaviors/userData.asp
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/behaviors/reference/behaviors/savesnapshot.asp
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/persistence/overview.asp
Of course some users may complain about the "save password" check box not being available, this can be due to users not logging in properly to their workstations and is covered in detail at:
http://support.microsoft.com/support/kb/articles/q137/3/61.asp
For IE 6.0 MS has created "smart tags", these are html hyperlinks inserted into the document on the client side. You should be able to prevent them with the following tag in each document that you wish to "protect":
<meta name="MSSmartTagsPreventParsing" content="TRUE">
All references to this tag have been obliterated from the Microsoft site. Url's such as:
http://www.microsoft.com/windows/ie/preview/smarttags/default.asp
no longer work.
7.2 Netscape
7.2.1 Netscape Navigator / Communicator 4.x
No notes yet.
http://www.netscape.com/
http://developer.netscape.com/
7.2.2 Netscape Navigator / Communicator 6.x
No notes yet.
7.3 Mozilla
7.3.1 Mozilla 0.9x
No notes yet
7.4 Opera
7.4.1 Opera 3.60
No notes yet.