Date: Tue, 19 Apr 2016 07:42:22 -0700
From: David Leo <david.leo@...kbrowser.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Lock Browser 5.3 (Browser Security, Open Source, Python)

SUMMARY
This open source tool strictly controls what the web browser can access, which stops the browser from loading harmful content: phishing pages, non-secure HTTP, or anything else that is not in your whitelist.

SITUATION
"Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited... browsers as well as Windows, OS X, and Flash"
http://venturebeat.com/2016/03/18/pwn2own-2016-chrome-edge-and-safari-hacked-460k-awarded-in-total/

ATTACK
Attacks have to make the target's browser load the attacker's website, which has two scenarios - send the link (phishing), or control a website that the target will visit. The latter is difficult because web servers are usually (not always) much more secure than web browsers, and attackers simply don't know which websites those are. The former, phishing, is "mainstream" because it's a lot easier: the email sender's address can be faked, the email content can look 100% legitimate and compelling, and the URL can hide behind a redirection service (the "dereferer" of the email system, t.co, or whatever).

SOLUTION
Whitelist - for example, the whitelist contains Gmail, PayPal, Chase, GitHub, and Twitter. The attacker's website is not in the whitelist, so the harmful content never reaches the browser, even if some users are "stupid enough" to click links from The Phishing Guy.
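To make the whitelist idea concrete, here is an added example of such a URL gate in Python. It is not Lock Browser's own code and its allowlist entries are constructed for illustration; it shows the two checks the announcement describes (HTTPS only, host must be on the list) and the URL tricks a naive string match would get wrong (userinfo in the authority, look-alike suffixes, a redirector such as t.co that is simply not listed).

```python
from urllib.parse import urlsplit

# Constructed allowlist of exact hostnames (not Lock Browser's real list format).
# Exact matching is deliberate: "www.paypal.com.evil.example" must not pass.
ALLOWED_HOSTS = {
    "mail.google.com",
    "www.paypal.com",
    "www.chase.com",
    "github.com",
    "twitter.com",
}


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact, case-insensitive match of a hostname against the allowlist.

    A trailing dot ("github.com.") names the same host in DNS, so it is stripped.
    """
    return host.lower().rstrip(".") in allowed


def check_url(url, allowed=ALLOWED_HOSTS):
    """Decide whether the browser may load `url`.

    Returns (allowed, reason). Everything not explicitly permitted is refused,
    which is the whole point of a whitelist.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"

    # Non-secure HTTP (and javascript:, data:, file:, ...) is refused outright.
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} is not https"

    # urlsplit separates userinfo from the real host, so
    # "https://www.paypal.com@evil.example/" yields hostname "evil.example".
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (host spoofing attempt)"

    host = parts.hostname
    if not host:
        return False, "no host in URL"

    if not host_allowed(host, allowed):
        return False, f"host {host!r} is not in the whitelist"

    return True, "ok"


def classify(urls, allowed=ALLOWED_HOSTS):
    """Apply check_url to a batch and return {url: (allowed, reason)}."""
    return {u: check_url(u, allowed) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing mail might carry.
    samples = [
        "https://mail.google.com/mail/",
        "http://mail.google.com/mail/",
        "https://www.paypal.com.evil.example/login",
        "https://www.paypal.com@evil.example/",
        "https://t.co/abc123",
        "javascript:alert(1)",
        "https://GITHUB.COM/",
    ]
    for url, (ok, why) in classify(samples).items():
        print("ALLOW" if ok else "BLOCK", url, "-", why)
```

The decision is made on the parsed hostname rather than on the URL string, because the authority component can carry userinfo and the host can be written in mixed case or with a trailing dot; matching the raw string against "paypal.com" would accept all of those spoofs.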

URLs
Project Home Page: https://www.lockbrowser.com/
Source Code: https://www.lockbrowser.com/source/

HISTORY
It's a fork of HTTPS Only, released in March:
http://seclists.org/fulldisclosure/2016/Mar/77
And this is likely the last version - because the source code is so short and simple, maybe there is really no bug here! Let me hope so.

Kind Regards,


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/