6.1 Configuring Netscape for Higher Security

[Figure: danger level four]

Although Netscape certainly is not an advanced topic, worrying about its security aspects might be. Certainly many SysAdmins do not give it a second thought. The first thing to do is to upgrade Netscape if you have old versions of it on your system. Older versions have a variety of security problems. "Upgrade Netscape" on page 113 discusses this. There are some safeguards in Netscape and these are documented on Netscape's site.

6.1.1 Important Netscape Preferences

[Figure: danger level four]

Everyone should select a few preferences in the name of security. The first set to consider are in the Advanced screen. To get here from the main display, the click sequence is

 Edit -> Preferences -> Advanced

Once here, click as appropriate. Then click OK to save the changes or Cancel to chicken out.

6.1.1.1 Cookie Control

The first set of options concerns cookies. As Netscape uses the term, a cookie is an ASCII string that a Web site asks a browser to store on its disk for up to a specified length of time. This length of time is the cookie's "persistence."

Some cookies are intended only for the duration of your current shopping spree. Others are permanent and contain your account number. This is how Amazon knows who you are when you return.

Note that Amazon is very security wise. When you enter its site, it will use the cookie to recognize you and personalize searches and such and save you the trouble of entering your account number. However, it will not let you order books or change your shipping or mailing address without your entering your password. It will not ask for your password until it has started a secure encrypted connection with https (SSL-wrapped http).

This cookie cleverness works even when a whole organization operates behind a proxy server like the SOCKS proxy server running on the firewall. It is mentioned in "Blocking External Evil" on page 528. Recall that though the server can determine the IP address of the machine that the request comes from (which would be the proxy server if one is used), there is absolutely no way for it to determine the account used.

Because each user on a Linux system has her own cookie file ($HOME/.netscape/cookies), Web servers do not confuse different users on the same machine.

The first preference that everyone should select is

 
 Only accept cookies originating from the same server as the page being viewed 

This protects you against rogue cookies on digest pages and similar pages that are built up from data submitted by those who might not be trusted, even if the site hosting the digest is honest (but not extremely careful). Digest pages here means pages that are digests, or compilations, of text sent in by a number of people; some of these people may be crackers planting Trojans.

Another useful feature for some is

 
 Warn me before accepting a cookie 

This will help you to learn who is watching you. Many e-commerce sites will store a short term cookie containing your session ID. This may be thought of as your shopping cart number so that it can keep track of items that you are tossing into it. Most will time out and be removed within an hour or so.

Recall that a connection between your browser and the server is a TCP connection that is not persistent; it exists only as long as it takes to download the particular page or image or upload a filled-in form. The session cookie allows the server to associate your current session with its database containing your shopping cart.

Some sites make excessive use of cookies. If you use one of these frequently, you might not want this "Warn me" option.

6.1.1.2 Java Control

If you want to try turning off Java or JavaScript in Netscape to see if you can live without them, in the Advanced screen click the Enable Java and Enable Java Script buttons so that they no longer are depressed.

6.1.1.3 Application Control

In the easy-to-use and universal categories, Netscape wins. It knows how to process dozens of kinds of pages. Besides HTML, text, several kinds of graphics, and sounds, it can process troff, PostScript, MS Word, and WordPerfect documents, both Bourne and C shell scripts, and Perl scripts.

How does it process these types of files? It just invokes the appropriate program, such as /bin/sh, to process the file if enabled. Do you really want Netscape to just execute arbitrary shell or Perl scripts? Recall, too, that troff documents can include shell escapes, as can PostScript, and MS Word has that dangerous macro capability that has launched many a virus. A solution for Word document macro viruses is the use of Star Office or equivalent.

How do you know if that hyperlink has one of these dangerous types of data? Unless you look closely at the link displayed when your pointer cursor is over it, you do not. The term that comes to mind is "DANGER! DANGER, WILL ROBINSON!"


While it would be cool and convenient to have these data types automatically "fire up," tripping over one cracker's page among the thousands of pages your users view yearly is not worth the risk. To view Netscape preferences the click sequence is

 Edit -> Preferences

Then click the ">" symbol to the left of Navigator so that it changes to "v" and click Applications. You then may scroll through the list and observe what has been selected. To remove any dangerous ones click the item and Edit. Then click something else. The dangerous ones are any that allow an attacker to execute arbitrary commands on your system or copy arbitrary files to it. If in doubt about the danger of a service, click it to instead cause it to be saved to disk for inspection. The ones suspected of being the most dangerous are listed in Table 6.1.

Table 6.1. Dangerous Netscape Applications

Application                Reason
-------------------------  ---------------------
GNU Tape Archive           Writes files
UNIX Tape Archive          Writes files
UNIX Shell Archive         Writes files/commands
Zip Compression Archive    Writes files
Perl Program               Issues commands
Bourne Shell Program       Issues commands
C Shell Program            Issues commands
TROFF Document             Shell escape
WordPerfect Document       Unknown problems
Microsoft[*]               Unknown problems
Java[*]                    Unknown problems
Postscript [sic] Document  Possible shell escape
UNIX CPIO Archive          Writes files

[*] Denotes names beginning with this sequence.

The Save To Disk button will allow you to inspect a script prior to running it. If it might be a rogue Word document, copy it to floppy and ask your most annoying user to print it on her system. If her system gets "toasted," do apologize profusely. (Do not really do that.)

6.1.1.4 History Control

Netscape keeps a history of sites visited, typically in the last 30 to 90 days. Although this can be useful if you cannot remember the URL for that cool security site, this can cause problems too. You might not want evidence left of that site you visited that makes fun of your boss's political party. Another concern is that some badly designed Web sites that accept confidential data from you will use an ordinary form to encode that data as part of the URL. Later, anyone who can access your account can see that data.

Note that another danger with confidential data getting encoded in the URL is that if you then click a hyperlink on the subsequent page, this URL becomes the "referring URL" and will be supplied as such to that subsequent site. That subsequent site then will see your confidential data and it will be stored in its server logs. If that site's SysAdmin or Webmistress or programmer is dishonest, or the security is weak, anyone can see this data.

This data could be your credit card number. It might be some of your financial information from that site that offered "confidential" advice. (This problem has been observed on the sites of some large companies that really should know better.) It might be medical information from an insurance company that offered over-the-Web quotes on health or life insurance. It might just be a part of a user's life that she prefers to keep private.

Unlike the preferences and applications files, the history file, .netscape/history.db, is in a binary format (Berkeley DB Hash) that precludes editing with a text editor. The only choices you have are to limit the number of days that history is preserved or click the Clear History button. Both are on the screen that you click to via

 Edit -> Preferences -> Navigator

Also, there is a separate history file called $HOME/.netscape/history.list. This is an ASCII file that defaults to mode 644 that holds the most recent history that is available with the menu attached to the button to the right of the URL window. This file is used to remember this history across Netscape invocations. Normally, this file will not be viewable by others because $HOME/.netscape is mode 700, but changing the history file's mode to 600 would be a fine idea all the same.

6.1.2 Snatching Your Own Cookies

[Figure: danger level three]

Everyone should review what cookies are stored in their Netscape cookie jar. It is a text file so have a look. This file may vary, but for version 4.* try the following:

 
 more $HOME/.netscape/cookies 

If you see any unencrypted passwords that you consider confidential (or other confidential data that you do not want to remain in an unencrypted form) you should probably remove them. First ensure that Netscape has terminated (so it will not overwrite your work) and then edit the file and delete the appropriate lines.

Some sites are so naive about security that they store your unencrypted password to their site right in your cookie jar where anyone who can read your files might see it and make use of your account and charge merchandise to your card. In checking my cookie jar, I noticed that one site stored my complete home mailing address on one of my office systems. I did not appreciate that.
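
The cookie jar review described above can be scripted. The following is an added example, not code from the book; it assumes the jar uses the tab-separated seven-field layout noted in its comments, and the sample jar and keyword list are constructed for illustration.

```shell
#!/bin/sh
# Added example: list cookie-jar entries that look like stored credentials or
# personal data. Assumed file layout (not stated on the page): seven
# tab-separated fields per line:
#   domain  flag  path  secure  expiry(epoch seconds)  name  value
# Lines starting with '#' are comments.

# audit_cookies FILE [NOW_EPOCH]
# Prints "reasons domain name" per hit. Values are never printed, so the
# report itself does not leak what it found.
audit_cookies() {
    awk -F '\t' -v now="${2:-$(date +%s)}" '
        /^#/ || NF < 7 { next }
        # Heuristic keyword match on the cookie name; tune for your sites.
        tolower($6) ~ /pass|pwd|secret|addr|card/ {
            reasons = "sensitive-name"
            # Not marked secure: the browser sends it over plain http too.
            if ($4 != "TRUE") reasons = reasons ",cleartext"
            # Persistence of more than 30 days from "now".
            if ($5 - now > 30 * 86400) reasons = reasons ",long-lived"
            print reasons, $1, $6
        }
    ' "$1"
}

# Constructed sample jar (domains, names and values are made up).
sample_jar() {
    printf '# Netscape HTTP Cookie File\n'
    printf '.shop.example\tTRUE\t/\tFALSE\t2000000000\tpassword\thunter2\n'
    printf 'www.news.example\tFALSE\t/\tFALSE\t1000003600\tsession_id\tabc123\n'
    printf 'secure.bank.example\tFALSE\t/\tTRUE\t1000003600\tHomeAddr\t12+Elm+St\n'
}

# Demo; on a real system run: audit_cookies "$HOME/.netscape/cookies"
jar=$(mktemp)
sample_jar > "$jar"
audit_cookies "$jar" 1000000000
rm -f "$jar"
```

A name match is only a hint; open the jar and read the flagged lines before deleting anything, and do so with Netscape terminated.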

If you are like most people, you cannot remember dozens of passwords. Instead, you probably have a small set of passwords that you use everywhere. This poses the danger of someone compromising your account and snatching your password to an e-commerce site. This is scary stuff.

6.1.3 Your Users' Netscape Preferences

[Figure: danger level four]

Depending on organizational policies and the criticality of user accounts you might want and need to monitor or control your users' settings. This is a very sensitive area and many employees now consider Web access their right or company benefit.

On the other hand, if their accounts can alter the course of ships or airplanes, you might want to give them the choice of no Netscape or Netscape with your locking the settings.

If your users have shell access and are Linux knowledgeable, the only real way to lock the settings in is to have their login directories be owned by root instead of them and mode 755, have the sticky bit set on their .netscape directories (via chmod +t /home/*/.netscape), and have their preferences files read-only and owned by root.

 chmod 644 /home/*/.netscape/preferences*
 chown root /home/*/.netscape/preferences*

This is too Draconian for most installations.

Certainly, you can check for dangerous preferences by searching users' preferences files either for keywords for the types of dangerous file types or by comparing to a template with the diff program. This could be done out of the root crontab.

Invocation of this check could go in the system shell startup scripts, /etc/profile and /etc/csh.login, and send e-mail both to root and to the particular user with the problem.
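
One way to script the check described above, as an added example that is not from the book. The template contents, the preference key names in the demo and the keyword pattern are assumptions made for illustration; replace them with what your Netscape version actually writes.

```shell
#!/bin/sh
# Added example: audit users' Netscape preferences files from root's crontab.
# Assumptions (not from the page): the template holds one required setting per
# line, and the keyword pattern below names the risky helper types of Table 6.1
# the way your Netscape version writes them. Adjust both to your site.
DANGEROUS='x-sh|x-csh|x-perl|x-shar|x-tar|x-gtar|x-cpio|x-troff|postscript|msword'

# check_prefs TEMPLATE HOME_ROOT
# Prints "user: file: problem" lines; prints nothing when every file is clean.
check_prefs() {
    template=$1 root=$2
    for f in "$root"/*/.netscape/preferences*; do
        [ -f "$f" ] || continue
        user=${f#"$root"/}; user=${user%%/*}
        # Template lines with no verbatim match in the user's file: the
        # setting was changed or deleted. (A plain diff would also flag
        # harmless per-user settings, so only template lines are compared.)
        grep -vxFf "$f" "$template" | while IFS= read -r line; do
            printf '%s: %s: required setting missing: %s\n' "$user" "$f" "$line"
        done
        # Keyword search for helper applications that run or unpack content.
        grep -nE "$DANGEROUS" "$f" | while IFS= read -r hit; do
            printf '%s: %s: risky type at line %s\n' "$user" "$f" "$hit"
        done
    done
}

# Demo on constructed data (key names are illustrative placeholders).
demo_prefs() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.netscape" "$d/home/bob/.netscape"
    printf '%s\n' 'user_pref("example.cookie.same_server_only", true);' > "$d/template"
    cp "$d/template" "$d/home/alice/.netscape/preferences.js"
    printf '%s\n' 'user_pref("example.cookie.same_server_only", false);' \
        'user_pref("example.helper.application/x-perl", "/usr/bin/perl %s");' \
        > "$d/home/bob/.netscape/preferences.js"
    check_prefs "$d/template" "$d/home"
    rm -rf "$d"
}
demo_prefs
```

When check_prefs is run from root's crontab, cron mails any output to root, and an empty report means no deviations were found.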

6.1.4 The Netscape Personal Security Manager

[Figure: danger level two]

It has been reported that Netscape offers an add-on called the Netscape Personal Security Manager (PSM) that offers additional security when using the browser. It is part of Netscape 6 and Mozilla, the open-source Netscape. This author did not see much functionality in it, but it may be downloaded from

www.iplanet.com/downloads/download/detail_128_316.html

6.1.5 Netscape Java Security

[Figure: danger level four]

Almost everyone uses Netscape with Java enabled, but few know what a Java Applet, automatically downloaded from a random Web site, is or is not capable of doing on their own systems. Even the author did not know until spending significant time researching it while preparing this book.

When a Web page has Java code, Netscape downloads it as an Applet. This is a piece of code (a small application) that Netscape runs, something like a subroutine. Instead of it being written in machine code that would allow it to do anything, the code is interpreted by Netscape.

This interpreted language has a carefully thought-out security model (design). Unless you give special permission, Java Applets downloaded from the Web are not allowed to access your files on your hard disk for either reading or writing or even determining if a file of a given name exists.

Thus, it is not possible for a hostile Java Applet to steal your confidential data on disk or alter or remove it. An Applet is not allowed to initiate networking with any system other than the one that it was downloaded from. (Internet Explorer's Java Applet security policy is very different.)

A downloaded Applet is allowed to send data to /dev/audio to generate sounds. Although there is no mention of reading /dev/audio, I assume that the security model prevents an Applet from listening from your system's microphone or seeing images from any Web cam.

If you follow the advice in "Stopping Access to I/O Devices" on page 268 by setting the permissions on /dev/audio to 622 (and do not run Netscape from root), you are guaranteed to prevent any Applet or any other program from accessing the microphone.

Sun's Java Security FAQ and Java Security page are quite informative; they are available at

http://java.sun.com/sfaq/

http://java.sun.com/security/

There are some security bugs, though. A Java Applet can determine if any given file name exists on your system. This could be used for "Market Research" by seeing what applications are loaded. The Rogue Applet I used did generate a pop-up error box for those files that did not exist. This might alert someone to high jinks.

A hostile Applet can fill up your disk, creating a DoS. It can crash Netscape. Crashing Netscape does not require a lot of talent; the Blackdown Java plugin helps reduce this problem a lot. This plugin is available at

www.blackdown.org/

Worse, an Applet can generate e-mail to other systems that shows as originating from your system. A truly evil Applet could use this feature to send threatening e-mail to President@whitehouse.gov and get you a visit from the U.S. Secret Service.

An Applet can determine your system's host name and IP address even if it is behind a firewall. It had no trouble penetrating my firewall to determine this! Do not believe me, though. Try it yourself by heading over to

www.rstcorp.com/javasecurity/applets.html

www.rstcorp.com/javasecurity/complete.html

The first URL contains links to the hostile Applets discussed above. Next to each link is an explanation of what the Applet will do, so you may decide if you want to try it. This is not a cracker site. It is the site of someone disputing the claims of Java being totally secure. I verified all of them on Netscape 4.61.

It has been reported that the U.S. military disallows the use of Java in the browsers on military equipment.

The preceding discussion applies to the random "untrusted" Java-enabled and JavaScript-enabled Web pages you encounter. You can designate particular Java Applets as "trusted." This can only be done explicitly by accepting their certificates. This is similar to the SSL PKI (Secure Socket Layer Public Key Infrastructure) certificate used for https except that you need to explicitly accept the Java certificate. A trusted Java Applet can do almost anything that any other program running on your system can do.

See also "Protecting User Sessions with SSH" on page 409 and "Understanding Public Key Infrastructure (PKI) Video" on page 759.




Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260