Author Topic: Which browser is more Secure?  (Read 3161 times)

JakBeNymble

« on: May 14, 2002, 04:48:39 AM »
Hi "GUYS",
With the Fire-wall I have I can set rules to pass or block anything coming and going. And I have a collection of different kinds of 'Browsers' as long as your arm. Now something I noticed is that I can block all of the UDP packets from I.E. and it won't even connect to a page, with Netscape I block it and every once in 10 pages the fire-wall catches a UDP packet trying to get out, but I haven't yet found a single packet from Opera, only TCP/IP. Has anybody else checked this out? And something that I could never understand is why does a browser need to be sending/receiving UDP packets anyway??? TCP is the connection and data transfer Protocol, and as far as I know the only thing that UDP is used for is control of packets, I.P is a connectionless Protocol, so what's up with UDP??? (Don't spare the horses, give me both barrels)
Have a Great & Wonderful Day, My Friends!
"Curious-JaK"

 
 

hpguru

« Reply #1 on: May 14, 2002, 05:15:53 AM »
Were these packets by chance directed to remote port 53? That's DNS. Your browser - any browser - must perform a DNS lookup in order to translate a domain name into an IP address it can connect to via tcp. What you should do is create a rule or two to allow udp in and out to remote port 53 from the local port range of 1024 to 5000. This rule should be defined only for your ISP's DNS server(s). If you don't do this you will completely disable your internet applications.

By the way, udp is connectionless and for the most part harmless. You can set the above rules and forget them.

In answer to your question "Which browser is more Secure?", none of them. I gave my reason for that in the thread below.


http://asp.flaaten.dk/pforum/topic.asp?ARCHIVE=&TOPIC_ID=526

Edited by - hpguru on 14 May 2002  06:22:25
Facing each other,
a thousand miles apart.

JakBeNymble

« Reply #2 on: May 14, 2002, 05:56:55 AM »
Hi "Hpguru",
Yelp! Some of the packets were on port 53. The rest were 1097, 1499, 2456, 4801, and 4952. I had read your thread some time ago about browsers and Fire-Wall rules, and I thought that they made a lot of sense. In fact it was your post on Fire-Walls that got me to write better rules for my security system Hpguru.
Thanks for the reply, and I hope everybody will get involved and as you say "put their two cents in", however I think the things that are explored here on the FORUM are Priceless!
Glad you responded, Have a Wonderful & Delightful Day, My Friend!
"Jak"  




Edited by - JakBeNymble on 14 May 2002  07:00:18
 

hpguru

« Reply #3 on: May 14, 2002, 06:34:28 AM »
quote:

Some of the packets were on port 53. The rest were 1097, 1499, 2456,4801, and 4952.



Was the browser IE?

There is no reason why any uncompromised browser would be sending udp to those remote ports if in fact they are remote destinations and non-localhost destinations. They are however within the normal range you would expect them to originate from as they leave your system. Namely, local port range 1024 through 5000.

If they definitely were remote ports, was the "remote" address localhost? IE does a lot of chatting with the Windows OS and various processes running within Windows. This interprocess communication requires that you permit IE to "talk" on localhost via tcp and udp. There is no security risk involved in allowing this behavior. You can permit it and forget it. You can also block it if you like but you'll degrade the responsiveness of your firewall while IE (or IE shells) is/are running and slow down IE quite a bit. You may even cause IE to become unstable and crash a lot. Think about that next time you hear someone ranting about how slow or unstable IE is. Here, the only time IE6 crashes is if I made a really bad mistake in a script I'm testing. Otherwise it is solid as a rock.


Edit: I forgot to mention that if none of the above is true in your case then you need to perform an audit. You may have a trojan or a spyware module infesting your system. Do you have logs you can post?

Edited by - hpguru on 14 May 2002  07:45:35
Facing each other,
a thousand miles apart.
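
Added example, not part of any post in this thread: the triage order from Replies #1 and #3 (loopback traffic, DNS to the ISP's resolver from local ports 1024 to 5000, anything else gets audited) applied to constructed firewall log entries. The log field layout, the resolver address 192.0.2.53, the process names and the function names are assumptions.

```python
import ipaddress

# Assumption: placeholder for the ISP's DNS server(s); a documentation address, not from the thread.
ISP_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
LOCAL_PORTS = range(1024, 5001)  # local port range 1024 through 5000 quoted in the thread

# Constructed sample entries: app, protocol, local port, remote address, remote port
SAMPLE_LOG = """\
netscape.exe UDP 1097 192.0.2.53 53
iexplore.exe UDP 1499 127.0.0.1 2456
explorer.exe TCP 4801 203.0.113.7 80
netscape.exe UDP 4952 198.51.100.9 53
unknown.exe UDP 2456 203.0.113.7 4801
"""

def classify(proto, local_port, remote_ip, remote_port):
    """Return a verdict for one outbound flow, in the thread's triage order."""
    ip = ipaddress.ip_address(remote_ip)
    if ip.is_loopback:
        return "loopback-ipc"        # interprocess chatter on localhost
    if proto != "UDP":
        return "not-udp"             # outside the UDP question asked in the thread
    if remote_port == 53:
        if ip in ISP_RESOLVERS and local_port in LOCAL_PORTS:
            return "dns-allowed"     # matches the rule from Reply #1
        return "dns-outside-rule"    # port 53, but wrong resolver or local port
    return "audit"                   # remote UDP that is neither DNS nor localhost

def triage(log_text):
    """Classify every log line; malformed lines are reported, not dropped."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        try:
            app, proto, lport, rip, rport = fields
            verdict = classify(proto.upper(), int(lport), rip, int(rport))
        except ValueError:           # wrong field count, bad port or bad address
            app, verdict = (fields[0] if fields else "?"), "unparsed"
        results.append((app, verdict))
    return results

if __name__ == "__main__":
    for app, verdict in triage(SAMPLE_LOG):
        print(f"{app:14} {verdict}")
```
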

sidki3003

« Reply #4 on: May 14, 2002, 06:47:58 AM »
Hi Jak

I don't see this UDP traffic with my IE6, supposing we are talking about outgoing traffic.
Local traffic is another story. IE likes to talk to itself, to its cache via UDP to be exact.
Do you have a loopback rule (allow TCP/UDP localhost:"port range" to localhost:"port range") set up in your firewall?

regards, sidki

 
 

sidki3003

« Reply #5 on: May 14, 2002, 11:46:52 AM »
Oops, I just see my last post is redundant

 
 

JakBeNymble

« Reply #6 on: May 14, 2002, 05:54:05 PM »
Hi Guys,
The UDP packets are from the Netscape browser. Every time I launch it after I close it completely out, it sends a packet on a different port. Opera doesn't do this at all, and I.E. 6 won't run at all if I block UDP.

I do have a problem on my machine, it's not the browsers, but I think they are related. It is a problem that not only me, but others have been having. For about 4 minutes after boot-up, windows explorer, not InterNet Explorer, tries to connect to a certain site that I won't reveal at this time for obvious reasons. It was discussed in a thread at the "Dsl-reports" site. Right now I can't find the thread, but if I find it I will post the link to it. Some thought it is a "glitch", some thought it was a trojan. I think it's a trojan. I banned the site's I.P it was trying to connect to, and resolved it to local-machine in the host file, and added the URL to Proxo's URL Killer/Ad list. My thinking is if it is a glitch, why is it always the same IP, why does it hide when you do the "3-fingered salute" (ctrl-Alt-Delete) to see what's running in the back-ground? It will start back as soon as you close the dialog box and will continue to try to connect to that IP. No Anti-virus can find it, the latest Ad-Aware can't find it, and The Cleaner can't either. There is no way it can connect right now, and soon I plan to re-format and as I install programs, I'm going to stop and check one by one to see if it was in a program that I use, or some "Snoopy-DOG" got to me a while back. I hope I can find the Thread about this problem, because in every reported case it's the same I.P that Windows Explorer tries to connect to.

But when I boot-up and see that Fire-Wall warning me of that Ingeniously Insidious little "Nasty", it is a constant reminder of what a Jungle the Net can be, especially if you want some privacy! Not doing anything wrong, or illegal, or even un-ethical, just private! And it gives me one more reason to check My Logs!

I hope that You All Have a Wonderful & Delightful Day, My Friends!
"Jak"

 
 

hpguru

« Reply #7 on: May 14, 2002, 10:26:21 PM »
If you have a trojan, spyware app or BHO, one of the following should help you to find it.

System Safety Monitor
http://www.webattack.com/get/systemsafety.shtml

RegRun3
http://www.greatis.com/regrun3.htm

Tiny Trojan Trap
http://www.tinysoftware.com/home/tiny2?s=9107547958550638712A0&pg=trap_high

I use RegRun and I've tried System Safety Monitor (SSM). SSM is extremely aggressive. Don't run it while installing software. If you run it after installing your wares you'll need to be quick on the draw to prevent it from deleting the newly created registry keys.

I haven't yet tried TTT but I've been hearing good things about it.



Edited by - hpguru on 14 May 2002  23:27:48
Facing each other,
a thousand miles apart.

JakBeNymble

« Reply #8 on: May 15, 2002, 05:39:41 AM »
Hi "Hpguru",
           Thank You My Friend! I will check it out for sure!

"GOOD HOME PAGE" HpGuru.
May GOD Bless You Richly, My Friend!
"Thankful-JaK"

 
 

Seeker

« Reply #9 on: May 15, 2002, 05:59:49 AM »
JAK,

The best trojan detection program that I know of is called the "Trojan Defense Suite, or TDS3".  It is not free, but it does have a 30 day evaluation period.  That is okay with me, because the only problem that I had with it is that it associated itself with files all over the computer, so I only install it when I think there may be a problem.  This program performs just about every kind of conceivable test, and does not rely just on what the programmers have deemed necessary to include in a detection routine, like Ad Aware, etc.

"Let every man be swift to hear, slow to speak, slow to wrath"

James 1:19 <><

Edited by - seeker on 15 May 2002  07:01:35