![]() ![]() ![]() There is no built-in protection against cross-site scripting attacks. Intranet sites that are vulnerable to cross-site-scripting and cross-site-request-forgery are not protected from malicious Internet websites. There is no differentiation or explicit separation between Intranet and Internet web pages. The user or enterprise is not notified if updates to either the browser or the Safe Browsing list fail and so they will not be aware that it is outdated and susceptible to publically known vulnerabilities There is a risk that credentials sent using these methods could be stolen via a man-in-the-middle attack There is a risk that the blocked page will attempt to run malware, or the user will fall victim to social engineering attacks that result in identity theftīuilt-in authentication schemes such as basic and digest cannot be disabled for unencrypted requests. If a web page is deemed to be in some way malicious by the Safe Browsing online reputational service, the user can choose to ignore the warning and load the page anyway. This interaction will not be visible to the user as add-ons can work silently in the background including sending data to the Internet Such an add-in could maliciously interact with sensitive data being rendered by the browser or interfere with data on the underlying operating system. A malicious website that successfully exploits the browser renderer, JavaScript engine or a third party plugin can gain full user privilege including access to their data and web contentĪdd-ons can be manually installed by the user into their browser profile, bypassing the controls in the browser. Firefox may default to using in-built content renderers that are not sandboxed instead of sandboxed third party plugins. The Flash and Adobe Reader plugins implement their own sandbox, although this is not the case for most plugins including Java. There is a risk that secure connections may be subject to a man in the middle attack using a forged certificateįirefox does not render any web content or third party plugins in a sandbox. The browser does not support certificate pinning. There is a risk of malicious content interacting with content in HTTPS web pages if the user allows the blocked content and the user’s connection is subject to a man-in-the-middle attack Allowing mixed content breaks the security boundary between trusted and untrusted content. Mixed content is blocked by default, but can be overridden by users on a per-page basis. The following significant risks have been identified: There is no facility for the enterprise to log or collect security-related events Users can bypass controls that prevent installation of add-ons and extensionsĮxternal peripheral and sensitive API protection Users can re-enable plugins that have been disabled There is no differentiation between Internet sites and Intranet sites Mozilla does not currently offer a 64-bit application Users can override Safe Browsing warnings ![]() Firefox does not allow plugins, add-ons and extensions to be controlled using an whitelist Firefox does not render web content in a sandbox Recommendationīuilt-in authentication schemes cannot be disabled for cleartext channels See How the browser can best satisfy the security recommendations for more details about how each of the security recommendations is met. Rows marked represent a more significant risk. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. This browser has been assessed against each of the 12 security recommendations, and that assessment is shown in the table below. A list of allowed trusted apps and extensions can be configured in Group Policy Arbitrary third-party extension installation by users is not permitted in the browser.All Internet data should be routed through an enterprise-hosted proxy to benefit from enterprise protective monitoring and logging solutions.All data should be routed through a secure enterprise VPN to ensure the confidentiality and integrity of traffic intended for the enterprise intranet.To support these scenarios, the following architectural choices are recommended: accessing other Internet services and web resources.accessing enterprise cloud services sourced from the Digital Marketplace.accessing intranet services hosted on an enterprise-provided OFFICIAL network.Usage scenarioįirefox will be used to access a variety of web services including: ![]() This guidance was tested on 64-bit Windows 8.1 Enterprise edition running Firefox 31.1.1 ESR. This ALPHA guidance builds on the End User Devices Platform Security Guidance and is applicable to devices running Mozilla Firefox on a supported and well configured version of Windows. ![]()
0 Comments
Leave a Reply. |