Why should a browser's security be prioritized?

Clash Royale CLAN TAG#URR8PPP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;

up vote
17
down vote

favorite

2

From this answer about browser security:

time to update if you really care about security

So if every other software and functions I need can work on a 32-bit OS, I guess the only reason for upgrade is the browser's security? Can you explain why browser security should be placed on the top priority, when:

• Most of the websites I visit have SSL certificate,


• Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers,


• Windows and Windows Defender are up-to-dated,


• I can smell fishy websites?

I hope that this is not the overconfidence effect. And I hope that I'm not overconfident that I don't have overconfidence effect.

As always, a statistics or a case study may increase the transparency and trust-ability of the answer.

tls web-browser

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

asked yesterday

Ooker

473511

• 
  
  
  

  
  46
  

  
  
  
  
  
  

  
  "I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
  – allo
  yesterday
  

  
  
  
  


• 
  
  
  

  
  10
  

  
  
  
  
  
  

  
  Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
  – DetlevCM
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  "I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
  – NotThatGuy
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
  – Duncan X Simpson
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  "websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
  – iHaveacomputer
  21 hours ago
  

  
  
  
  

 | 
show 1 more comment

up vote
17
down vote

favorite

2

From this answer about browser security:

time to update if you really care about security

So if every other software and functions I need can work on a 32-bit OS, I guess the only reason for upgrade is the browser's security? Can you explain why browser security should be placed on the top priority, when:

• Most of the websites I visit have SSL certificate,


• Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers,


• Windows and Windows Defender are up-to-dated,


• I can smell fishy websites?

I hope that this is not the overconfidence effect. And I hope that I'm not overconfident that I don't have overconfidence effect.

As always, a statistics or a case study may increase the transparency and trust-ability of the answer.

tls web-browser

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

asked yesterday

Ooker

473511

• 
  
  
  

  
  46
  

  
  
  
  
  
  

  
  "I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
  – allo
  yesterday
  

  
  
  
  


• 
  
  
  

  
  10
  

  
  
  
  
  
  

  
  Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
  – DetlevCM
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  "I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
  – NotThatGuy
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
  – Duncan X Simpson
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  "websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
  – iHaveacomputer
  21 hours ago
  

  
  
  
  

 | 
show 1 more comment

up vote
17
down vote

favorite

2

up vote
17
down vote

favorite

2

2

From this answer about browser security:

time to update if you really care about security

So if every other software and functions I need can work on a 32-bit OS, I guess the only reason for upgrade is the browser's security? Can you explain why browser security should be placed on the top priority, when:

• Most of the websites I visit have SSL certificate,


• Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers,


• Windows and Windows Defender are up-to-dated,


• I can smell fishy websites?

I hope that this is not the overconfidence effect. And I hope that I'm not overconfident that I don't have overconfidence effect.

As always, a statistics or a case study may increase the transparency and trust-ability of the answer.

tls web-browser

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

asked yesterday

Ooker

473511

From this answer about browser security:

time to update if you really care about security

So if every other software and functions I need can work on a 32-bit OS, I guess the only reason for upgrade is the browser's security? Can you explain why browser security should be placed on the top priority, when:

• Most of the websites I visit have SSL certificate,


• Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers,


• Windows and Windows Defender are up-to-dated,


• I can smell fishy websites?

I hope that this is not the overconfidence effect. And I hope that I'm not overconfident that I don't have overconfidence effect.

As always, a statistics or a case study may increase the transparency and trust-ability of the answer.

tls web-browser

tls web-browser

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

asked yesterday

Ooker

473511

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

asked yesterday

Ooker

473511

share|improve this question

share|improve this question

edited 15 mins ago

Peter Mortensen

66448

edited 15 mins ago

Peter Mortensen

66448

edited 15 mins ago

Peter Mortensen

66448

66448

asked yesterday

Ooker

473511

asked yesterday

Ooker

473511

asked yesterday

Ooker

473511

473511

• 
  
  
  

  
  46
  

  
  
  
  
  
  

  
  "I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
  – allo
  yesterday
  

  
  
  
  


• 
  
  
  

  
  10
  

  
  
  
  
  
  

  
  Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
  – DetlevCM
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  "I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
  – NotThatGuy
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
  – Duncan X Simpson
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  "websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
  – iHaveacomputer
  21 hours ago
  

  
  
  
  

 | 
show 1 more comment

• 
  
  
  

  
  46
  

  
  
  
  
  
  

  
  "I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
  – allo
  yesterday
  

  
  
  
  


• 
  
  
  

  
  10
  

  
  
  
  
  
  

  
  Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
  – DetlevCM
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  "I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
  – NotThatGuy
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
  – Duncan X Simpson
  22 hours ago
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  "websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
  – iHaveacomputer
  21 hours ago
  

  
  
  
  

46

46

"I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
– allo
yesterday

"I can smell fishy websites?" When you really do not care about browser security, you possibly can't. Think of an outdated browser with a bug which allows an attacker to hide parts of the URL (e.g. using some right-to-left unicode characters or similar attacks). So you actually need the secure browser before you have the chance to smell fishy websites.
– allo
yesterday

10

10

Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
– DetlevCM
yesterday

Just look up malware distribution via rogue ads for example - even via otherwise trustworthy established advertisement networks. - An old browser can contain a critical bug that enables such an exploit where a newer browser may be patched.
– DetlevCM
yesterday

1

1

"I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
– NotThatGuy
yesterday

"I leave my front door open when I go out because I live in a safe neighbourhood"? People who "really care about security", as per the quote, take every precaution (but no-one's forcing you to be one of those people).
– NotThatGuy
yesterday

4

4

Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
– Duncan X Simpson
22 hours ago

Your comment, "are most attacks now come from JavaScript? or SQL?", shows a lack of fundamental knowledge about these platforms. Until you learn much more, I suggest you take general advice from the infosec community at face value.
– Duncan X Simpson
22 hours ago

6

6

"websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
– iHaveacomputer
21 hours ago

"websites I visit have SSL certificate" - don't let this fool you. I have seen rather big retailers where credit card and address webform had a valid certificate, but when processed on the server the info was forwarded via email (and printed out for the accounting department) and also ended up in the servers log files and database - all in plain text!
– iHaveacomputer
21 hours ago

 | 
show 1 more comment

7 Answers
7

active

oldest

votes

up vote
88
down vote



accepted

Can you explain why browser security should be placed on the top priority ...

Because the browser is processing lots of untrusted content from the internet.

Of course, if you use any other programs which does this (like Mail client, maybe Office program, PDF reader) you should keep these updated too since vulnerabilities in these programs are a regular attack vector too.

.. Most of the websites I visit have SSL certificate,

A SSL certificate says nothing about the trust you can have in a site. HTTPS only protects against sniffing modification of the traffic during transport. A HTTPS site can serve malware as much as a plain HTTP site can do.

Apart from that "Most of the websites" is not the same as "All of the websites".

I can smell fishy websites?

Even if you might be confident in your ability to sniff websites where the URL looks fishy (which might actually be overconfidence) I'm pretty sure that you will not know up-front if the site you visit regularly got hacked and is serving malware (i.e. Watering hole attack or other kinds of hacking high-reputation sites to increase number of victims) or if it is serving malicious ads which are outside the control of the website itself (i.e. Malvertising).

EDIT:

After I've wrote my answer the OP added the following to the question:

Most of them are either big enough that I can trust that they can't be hacked, ...

Too big to be hacked? While large web sites usually employ better security than smaller ones it does not mean they are unhackable. And sites with lots of customers are especially a lucrative target for the attackers since this also means lots of potential victims. Some examples:
... malicious ads on Forbes ... or ... New York Times and BBC hit by 'ransomware' malvertising or Study: One-third of top websites vulnerable or hacked.

... or small enough that I don't think it's profitable for the hackers, ...

Too small to be hacked? That's not true either: attackers use automated tools to hack insecure CMS installations like WordPress or Django en mass, i.e. it is very cheap to take over a vulnerable site this way.

share|improve this answer

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
  – aslum
  yesterday
  

  
  
  
  


• 
  
  
  

  
  17
  

  
  
  
  
  
  

  
  @Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
  – phuclv
  yesterday
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  @Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  @Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
  – schroeder♦
  yesterday
  

  
  
  
  

 | 
show 5 more comments

up vote
11
down vote

Not all the websites you visit have certificates. You can’t smell fishy websites. Certificate doesn’t mean the site isn’t trying to hack you.

The browser is the biggest attack vector against your computer. It will tend to run unvetted JavaScript code at least, and god knows what else. It constantly processes data from untrusted sources.

share|improve this answer

answered yesterday

gnasher729

1,236512

• 
  
  
  

  
  

  
  
  
  
  
  

  
  are most attacks now come from JavaScript? or SQL?
  – Ooker
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  12
  

  
  
  
  
  
  

  
  @Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
  – gronostaj
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
  – Beanluc
  21 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
  – Luaan
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Of course. We're talking about a NOT-updated browser, aren't we.
  – Beanluc
  4 hours ago
  

  
  
  
  

 | 
show 1 more comment

up vote
8
down vote

Each of your statements is making a false assumption here:

Most of the websites I visit have SSL certificate.

This is great, but SSL/TLS only protects you against certain types of attacks.

Pretty much, a site having a (valid) TLS certificate simply means that the owner of that website has in some way proven ownership of the domain name that is used to access the site, possibly spending a very large amount of money to do so (or possibly spending none). Usually, this means that you can trust that the site is who they say they are, barring domain spoofing (which I will cover in response to your third point). However, it may not mean that (see for example the fiasco that got everything issued by Symantec revoked/untrusted earlier this year). So, a TLS certificate really just verifies site ownership, not that the site is legitimate or that they are doing what they say they are.

TLS certificates give one more protection benefit, they let you use HTTPS. HTTPS provides exactly two types of protection if it's used correctly:

• It provides a reasonably high level of confidence that the data you are receiving is the same data that the web server sent. This is important for ensuring that nothing has been added to or removed from the site by a third party while it was in transit to you.


• It provides a reasonably high level of confidence that the data you are transferring is not visible in-transit to third-parties. This is the reason it's so important to ensure that any site you provide a password or personal data to uses HTTPS.

This still leaves you open to quite a few attacks. The most obvious is for the web server to be hacked (or the CDN if they're using one). There are others too, like XSS attacks, malicious advertisements (think of all the perfectly legitimate sites out there that have hidden auto-redirects to malicious sites because of the ads they use), and attacks on TLS itself (such attacks are why no sensible operator still uses SSLv2 or SSLv3, both are known broken). So, HTTPS/TLS/SSL by itself is not rigorous protection.

Also, as you yourself said, most of the websites you visit use TLS, not all of them. Think very hard about whether you really should trust those other sites that aren't using it, if they aren't willing to take the five minutes to set their servers up with free certificates from LetsEncrypt, what other aspects of security are they cutting corners on?

Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers.

Have you not watched any news for the past decade? Just in terms of public disclosures, there are dozens of known attacks on sites with well over 100 million users (that's a big site by most people's definitions, as 100 million is more than 1% of the world population, and probably closer to 3-4% of the total number of people on the internet). I suggest taking a look at the list of public breaches on Have I Been Pwned?, there are quite a few big names on there, including ones which handle very sensitive data (Experian for example). So, no, it's not realistic to expect something to be 'too big to be hacked'. In fact, big sites are some of the most attractive targets for attackers, because they have lots of users. They also have a notoriously bad track record for publicly disclosing security breaches (they have more incentive not to, as they have more potential customers to lose).

On the other side of things, small sites are easy targets, even if not attractive. If you think of big sites as high risk investments for hackers, small ones are low-risk investments. They may not give as much in the way of returns, but they often will give much more consistent returns, so they're still attractive targets.

Also, consider that quite often attackers are targeting software that is vulnerable, not necessarily specific sites. WordPress is a good example, as it's used on sites both big and small, and it's been successfully used multiple times in the past as an attack vector.

I can smell fishy websites

First off, just because a site isn't 'fishy' doesn't mean it's not a threat. There are also quite a few legitimate sites that look 'fishy' by many people's definitions.

Second, it's not hard to copy a legitimate site but still do illegitimate things with the result. Domain spoofing, in it's various forms, is often used for this. There was a rather good blog post on a big infosec site a while back (which i unfortunately cannot find right now, otherwise I would link it here) demonstrating this with apple.com.

As an example of the type of thing you need to look out for but probably can't spot, can you tell the difference between uv and υν? No, this isn't a trick question, the first one is the lower case Latin letters 'u' and 'v', while the second one is the lowercase Greek letters upsilon and nu. In most sans-serif fonts (like those used by almost all browsers in the address bar, and the default font on most SE sub-sites), those two pairs of characters are nearly indistinguishable. Even in many serif fonts, they're hard to distinguish for most people. Similarly, АВ is actually a pair of Cyrillic characters, not Latin ones, and again is indistinguishable from the Latin 'AB' in most fonts. Both cases illustrate examples of 'bitsquatting', a technique whereby attackers take advantage of the similarity of different characters looking similar or identical to trick people into following their links by making them look like links to legitimate websites.

Pretty much, don't assume that you will be able to recognize a site that's a threat until it's too late.

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
4
down vote

Browser updates include updates to certificate authority data and indeed its very own certificate. Both of those things have expiration dates and there are many websites which can't be accessed at all by too-old browsers because the SSL certificate can't be verified by that too-old browser OR that too-old browser can't verify its own cert to the remote server. So even if you don't care about security, you might care about the access and functionality which security-validation achieves for you.

What's more, by the time you "smell" the fishiness of a website you're looking at, it's already too late for many kinds of attacks. Hopefully your old 32-bit operating system isn't also unable to get updates to its antivirus software.

share|improve this answer

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
2
down vote

As an addition to the excellent points in other answers:

Is your 32-bit software still regularly updated or is it a deprecated old version?

Once any piece of internet connected software stops receiving new security fixes, it becomes susceptible to every new bug or hack thereafter.

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
  – Ooker
  17 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
  – DoritoStyle
  6 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
  – Ooker
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
  – DoritoStyle
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
  – DoritoStyle
  5 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

You should care about security if you care about security.

If you care enough to say things like "I can smell fishy websites" or "Most of the websites I visit have SSL certificates," then you do care about security.

Attacks are out there. Period. Let's not fool ourselves. Let's not pretend we're immune. Take Stuxnet. Stuxnet is credited with destroying up to 1000 centrifuges used for enriching nuclear fuel in Iran. That's hundreds of millions of dollars in damage, at the very least. Practically speaking, a good risk assessment from the country's perspective would be even more dire.

You feel invincible because you visit sites with SSL certificates? The computers Stuxnet hit were air gapped. There was no wire going between the internet and the computers that got infected. They still got infected.

So the real question is not "am I safe?" You're not. The real question is are you safe enough. Is it worth spending some number of dollars and some number of hours to upgrade? That's a balance question. That's much more useful.

Here's a test. Log into your computer. Log into a few sites you care about. Now hand me your computer. I'm going to walk away with it. How do you feel? How nervous are you that I have your data? If all you have is a harddrive full of cute kitten pictures, then you are probably going to be more angry that I walked off with your laptop. Laptops are expensive to replace. But if you've got your banking credentials on that computer, you're probably going to be more worried about what I can do with those. Is your SSN on that computer?

Once you understand how much damage can be done, versus the cost of preventing the damage, you can make a judgement call.

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

add a comment | 

up vote
0
down vote

Since nobody pointed this out yet:

Anti virus software is way less useful than you think. In fact, if you ask security professionals, the main recommendation to stay safe will be to update all your software, above the recommendation to run an AntiVirus - so exactly what you're planning not to do.

Why? All that anti virus software does is stop known, old pandemics. However, most successful widespread attacks simply create new viruses and use the time window until anti virus software is updated to spread. Anti virus software is no magic bullet, it only detects what it knows (there is behavior detection but it isn't very effective for any of the AV software out there) so against new attacks, it only helps to have less intrusion opportunities. And by far the cheapest intrusion opportunity for attackers is an outdated browser or core system.

So yes, it is vital that your browser is up-to-date if you care about any of the data on your computer at all. Whether you have an Anti Virus is actually kind of unimportant - it does help a little, but it won't save you against most new attacks if your browser or core system are outdated.

Side note: this might be different if you run a browser sandboxed. However, unless you know that is what you're doing, you're most likely not doing it. And I'm not sure for 32bit, any of the common sandboxing solutions like UWP/Windows App Store is supported at all. Also, in that case websites might still be able to steal data from all other open websites, including your banking website tab. So that's hardly ideal.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194345%2fwhy-should-a-browsers-security-be-prioritized%23new-answer', 'question_page');

);

Post as a guest

Name Email

7 Answers
7

active

oldest

votes

7 Answers
7

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
88
down vote



accepted

Can you explain why browser security should be placed on the top priority ...

Because the browser is processing lots of untrusted content from the internet.

Of course, if you use any other programs which does this (like Mail client, maybe Office program, PDF reader) you should keep these updated too since vulnerabilities in these programs are a regular attack vector too.

.. Most of the websites I visit have SSL certificate,

A SSL certificate says nothing about the trust you can have in a site. HTTPS only protects against sniffing modification of the traffic during transport. A HTTPS site can serve malware as much as a plain HTTP site can do.

Apart from that "Most of the websites" is not the same as "All of the websites".

I can smell fishy websites?

Even if you might be confident in your ability to sniff websites where the URL looks fishy (which might actually be overconfidence) I'm pretty sure that you will not know up-front if the site you visit regularly got hacked and is serving malware (i.e. Watering hole attack or other kinds of hacking high-reputation sites to increase number of victims) or if it is serving malicious ads which are outside the control of the website itself (i.e. Malvertising).

EDIT:

After I've wrote my answer the OP added the following to the question:

Most of them are either big enough that I can trust that they can't be hacked, ...

Too big to be hacked? While large web sites usually employ better security than smaller ones it does not mean they are unhackable. And sites with lots of customers are especially a lucrative target for the attackers since this also means lots of potential victims. Some examples:
... malicious ads on Forbes ... or ... New York Times and BBC hit by 'ransomware' malvertising or Study: One-third of top websites vulnerable or hacked.

... or small enough that I don't think it's profitable for the hackers, ...

Too small to be hacked? That's not true either: attackers use automated tools to hack insecure CMS installations like WordPress or Django en mass, i.e. it is very cheap to take over a vulnerable site this way.

share|improve this answer

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
  – aslum
  yesterday
  

  
  
  
  


• 
  
  
  

  
  17
  

  
  
  
  
  
  

  
  @Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
  – phuclv
  yesterday
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  @Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  @Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
  – schroeder♦
  yesterday
  

  
  
  
  

 | 
show 5 more comments

up vote
88
down vote



accepted

Can you explain why browser security should be placed on the top priority ...

Because the browser is processing lots of untrusted content from the internet.

Of course, if you use any other programs which does this (like Mail client, maybe Office program, PDF reader) you should keep these updated too since vulnerabilities in these programs are a regular attack vector too.

.. Most of the websites I visit have SSL certificate,

A SSL certificate says nothing about the trust you can have in a site. HTTPS only protects against sniffing modification of the traffic during transport. A HTTPS site can serve malware as much as a plain HTTP site can do.

Apart from that "Most of the websites" is not the same as "All of the websites".

I can smell fishy websites?

Even if you might be confident in your ability to sniff websites where the URL looks fishy (which might actually be overconfidence) I'm pretty sure that you will not know up-front if the site you visit regularly got hacked and is serving malware (i.e. Watering hole attack or other kinds of hacking high-reputation sites to increase number of victims) or if it is serving malicious ads which are outside the control of the website itself (i.e. Malvertising).

EDIT:

After I've wrote my answer the OP added the following to the question:

Most of them are either big enough that I can trust that they can't be hacked, ...

Too big to be hacked? While large web sites usually employ better security than smaller ones it does not mean they are unhackable. And sites with lots of customers are especially a lucrative target for the attackers since this also means lots of potential victims. Some examples:
... malicious ads on Forbes ... or ... New York Times and BBC hit by 'ransomware' malvertising or Study: One-third of top websites vulnerable or hacked.

... or small enough that I don't think it's profitable for the hackers, ...

Too small to be hacked? That's not true either: attackers use automated tools to hack insecure CMS installations like WordPress or Django en mass, i.e. it is very cheap to take over a vulnerable site this way.

share|improve this answer

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
  – aslum
  yesterday
  

  
  
  
  


• 
  
  
  

  
  17
  

  
  
  
  
  
  

  
  @Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
  – phuclv
  yesterday
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  @Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  @Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
  – schroeder♦
  yesterday
  

  
  
  
  

 | 
show 5 more comments

up vote
88
down vote



accepted

up vote
88
down vote



accepted

Can you explain why browser security should be placed on the top priority ...

Because the browser is processing lots of untrusted content from the internet.

Of course, if you use any other programs which does this (like Mail client, maybe Office program, PDF reader) you should keep these updated too since vulnerabilities in these programs are a regular attack vector too.

.. Most of the websites I visit have SSL certificate,

A SSL certificate says nothing about the trust you can have in a site. HTTPS only protects against sniffing modification of the traffic during transport. A HTTPS site can serve malware as much as a plain HTTP site can do.

Apart from that "Most of the websites" is not the same as "All of the websites".

I can smell fishy websites?

Even if you might be confident in your ability to sniff websites where the URL looks fishy (which might actually be overconfidence) I'm pretty sure that you will not know up-front if the site you visit regularly got hacked and is serving malware (i.e. Watering hole attack or other kinds of hacking high-reputation sites to increase number of victims) or if it is serving malicious ads which are outside the control of the website itself (i.e. Malvertising).

EDIT:

After I've wrote my answer the OP added the following to the question:

Most of them are either big enough that I can trust that they can't be hacked, ...

Too big to be hacked? While large web sites usually employ better security than smaller ones it does not mean they are unhackable. And sites with lots of customers are especially a lucrative target for the attackers since this also means lots of potential victims. Some examples:
... malicious ads on Forbes ... or ... New York Times and BBC hit by 'ransomware' malvertising or Study: One-third of top websites vulnerable or hacked.

... or small enough that I don't think it's profitable for the hackers, ...

Too small to be hacked? That's not true either: attackers use automated tools to hack insecure CMS installations like WordPress or Django en mass, i.e. it is very cheap to take over a vulnerable site this way.

share|improve this answer

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

Can you explain why browser security should be placed on the top priority ...

Because the browser is processing lots of untrusted content from the internet.

Of course, if you use any other programs which does this (like Mail client, maybe Office program, PDF reader) you should keep these updated too since vulnerabilities in these programs are a regular attack vector too.

.. Most of the websites I visit have SSL certificate,

A SSL certificate says nothing about the trust you can have in a site. HTTPS only protects against sniffing modification of the traffic during transport. A HTTPS site can serve malware as much as a plain HTTP site can do.

Apart from that "Most of the websites" is not the same as "All of the websites".

I can smell fishy websites?

Even if you might be confident in your ability to sniff websites where the URL looks fishy (which might actually be overconfidence) I'm pretty sure that you will not know up-front if the site you visit regularly got hacked and is serving malware (i.e. Watering hole attack or other kinds of hacking high-reputation sites to increase number of victims) or if it is serving malicious ads which are outside the control of the website itself (i.e. Malvertising).

EDIT:

After I've wrote my answer the OP added the following to the question:

Most of them are either big enough that I can trust that they can't be hacked, ...

Too big to be hacked? While large web sites usually employ better security than smaller ones it does not mean they are unhackable. And sites with lots of customers are especially a lucrative target for the attackers since this also means lots of potential victims. Some examples:
... malicious ads on Forbes ... or ... New York Times and BBC hit by 'ransomware' malvertising or Study: One-third of top websites vulnerable or hacked.

... or small enough that I don't think it's profitable for the hackers, ...

Too small to be hacked? That's not true either: attackers use automated tools to hack insecure CMS installations like WordPress or Django en mass, i.e. it is very cheap to take over a vulnerable site this way.

share|improve this answer

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

share|improve this answer

share|improve this answer

edited yesterday

edited yesterday

edited yesterday

answered yesterday

Steffen Ullrich

106k10182246

answered yesterday

Steffen Ullrich

106k10182246

answered yesterday

Steffen Ullrich

106k10182246

106k10182246

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
  – aslum
  yesterday
  

  
  
  
  


• 
  
  
  

  
  17
  

  
  
  
  
  
  

  
  @Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
  – phuclv
  yesterday
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  @Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  @Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
  – schroeder♦
  yesterday
  

  
  
  
  

 | 
show 5 more comments

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
  – aslum
  yesterday
  

  
  
  
  


• 
  
  
  

  
  17
  

  
  
  
  
  
  

  
  @Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  6
  

  
  
  
  
  
  

  
  many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
  – phuclv
  yesterday
  

  
  
  
  


• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  @Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
  – Steffen Ullrich
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  @Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
  – schroeder♦
  yesterday
  

  
  
  
  

1

1

FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
– aslum
yesterday

FWIW, even if you trust a site that you visit regularly, it could get hacked and then your browser (and antivirus) are your only hopes.
– aslum
yesterday

17

17

@Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
– Steffen Ullrich
yesterday

@Ooker: "do you have any introductory resources so that I can appreciate the threats more?" - The links I have in my answer should provide you already with further information. If you need more please be specific what kind of information you are looking for.
– Steffen Ullrich
yesterday

6

6

many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
– phuclv
yesterday

many people thought that when they visit a website without downloading any binary files or clicking any suspicious links they're safe. But in fact pretty much any websites have a lot of JavaScript files which run without user permission and they can use some browser bug to escape the sand box and steal sensitive data. One example is at the begin of this year all major browsers have to decrease the timer solution to fix the Meltdown and Spectre bug
– phuclv
yesterday

4

4

@Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
– Steffen Ullrich
yesterday

@Ooker: This is a different question from your original one so I will not give a deep answer. In short: know you risk and deal with it, either by trying to reduce your risk of being attacked (adblocker, update, maybe new laptop, maybe new OS on old laptop...) or by reducing the impact of being attacked (regular backups of important data, make sure to not affect other systems in your network like the router..). It is also acceptable to knowingly treat the risk as low enough and hope nothing will ever happen.
– Steffen Ullrich
yesterday

3

3

@Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
– schroeder♦
yesterday

@Ooker you say you want a risk assessment. Ok. Risk is broadly a function of likelihood and impact. All of your doubts in your question are about the likelihood. While Steffen's answer explains the likelihood quite well, only you can determine the impact of a complete system compromise. What's on your machine? What does your machine have access to? What mitigations do you have in place? Can you re-image the machine quickly? Do you use an updated anti-virus? Do you limit what DNS requests can be made from the machine?
– schroeder♦
yesterday

 | 
show 5 more comments

up vote
11
down vote

Not all the websites you visit have certificates. You can’t smell fishy websites. Certificate doesn’t mean the site isn’t trying to hack you.

The browser is the biggest attack vector against your computer. It will tend to run unvetted JavaScript code at least, and god knows what else. It constantly processes data from untrusted sources.

share|improve this answer

answered yesterday

gnasher729

1,236512

• 
  
  
  

  
  

  
  
  
  
  
  

  
  are most attacks now come from JavaScript? or SQL?
  – Ooker
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  12
  

  
  
  
  
  
  

  
  @Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
  – gronostaj
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
  – Beanluc
  21 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
  – Luaan
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Of course. We're talking about a NOT-updated browser, aren't we.
  – Beanluc
  4 hours ago
  

  
  
  
  

 | 
show 1 more comment

up vote
11
down vote

Not all the websites you visit have certificates. You can’t smell fishy websites. Certificate doesn’t mean the site isn’t trying to hack you.

The browser is the biggest attack vector against your computer. It will tend to run unvetted JavaScript code at least, and god knows what else. It constantly processes data from untrusted sources.

share|improve this answer

answered yesterday

gnasher729

1,236512

• 
  
  
  

  
  

  
  
  
  
  
  

  
  are most attacks now come from JavaScript? or SQL?
  – Ooker
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  12
  

  
  
  
  
  
  

  
  @Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
  – gronostaj
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
  – Beanluc
  21 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
  – Luaan
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Of course. We're talking about a NOT-updated browser, aren't we.
  – Beanluc
  4 hours ago
  

  
  
  
  

 | 
show 1 more comment

up vote
11
down vote

up vote
11
down vote

Not all the websites you visit have certificates. You can’t smell fishy websites. Certificate doesn’t mean the site isn’t trying to hack you.

The browser is the biggest attack vector against your computer. It will tend to run unvetted JavaScript code at least, and god knows what else. It constantly processes data from untrusted sources.

share|improve this answer

answered yesterday

gnasher729

1,236512

Not all the websites you visit have certificates. You can’t smell fishy websites. Certificate doesn’t mean the site isn’t trying to hack you.

The browser is the biggest attack vector against your computer. It will tend to run unvetted JavaScript code at least, and god knows what else. It constantly processes data from untrusted sources.

share|improve this answer

answered yesterday

gnasher729

1,236512

share|improve this answer

share|improve this answer

answered yesterday

gnasher729

1,236512

answered yesterday

gnasher729

1,236512

answered yesterday

gnasher729

1,236512

1,236512

• 
  
  
  

  
  

  
  
  
  
  
  

  
  are most attacks now come from JavaScript? or SQL?
  – Ooker
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  12
  

  
  
  
  
  
  

  
  @Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
  – gronostaj
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
  – Beanluc
  21 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
  – Luaan
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Of course. We're talking about a NOT-updated browser, aren't we.
  – Beanluc
  4 hours ago
  

  
  
  
  

 | 
show 1 more comment

• 
  
  
  

  
  

  
  
  
  
  
  

  
  are most attacks now come from JavaScript? or SQL?
  – Ooker
  yesterday
  
  

  
  
  
  


• 
  
  
  

  
  12
  

  
  
  
  
  
  

  
  @Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
  – gronostaj
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
  – Beanluc
  21 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
  – Luaan
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  Of course. We're talking about a NOT-updated browser, aren't we.
  – Beanluc
  4 hours ago
  

  
  
  
  

are most attacks now come from JavaScript? or SQL?
– Ooker
yesterday

are most attacks now come from JavaScript? or SQL?
– Ooker
yesterday

12

12

@Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
– gronostaj
yesterday

@Ooker SQL isn't processed on your device. It may be used internally by the web app, but it never leaves the server. SQL injection attacks (which you're probably referring to) are a threat to servers, not clients (but compromised server can be reconfigured to act maliciously on clients).
– gronostaj
yesterday

Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
– Beanluc
21 hours ago

Just because a piece of client software exposes an exploit which is executed on a server rather than in the client doesn't mean that the user isn't at risk.
– Beanluc
21 hours ago

@Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
– Luaan
7 hours ago

@Beanluc Yes, but most of that impact will not be mitigated by an updated browser. The major exception would be injecting code/markup in the site itself, of course.
– Luaan
7 hours ago

Of course. We're talking about a NOT-updated browser, aren't we.
– Beanluc
4 hours ago

Of course. We're talking about a NOT-updated browser, aren't we.
– Beanluc
4 hours ago

 | 
show 1 more comment

up vote
8
down vote

Each of your statements is making a false assumption here:

Most of the websites I visit have SSL certificate.

This is great, but SSL/TLS only protects you against certain types of attacks.

Pretty much, a site having a (valid) TLS certificate simply means that the owner of that website has in some way proven ownership of the domain name that is used to access the site, possibly spending a very large amount of money to do so (or possibly spending none). Usually, this means that you can trust that the site is who they say they are, barring domain spoofing (which I will cover in response to your third point). However, it may not mean that (see for example the fiasco that got everything issued by Symantec revoked/untrusted earlier this year). So, a TLS certificate really just verifies site ownership, not that the site is legitimate or that they are doing what they say they are.

TLS certificates give one more protection benefit, they let you use HTTPS. HTTPS provides exactly two types of protection if it's used correctly:

• It provides a reasonably high level of confidence that the data you are receiving is the same data that the web server sent. This is important for ensuring that nothing has been added to or removed from the site by a third party while it was in transit to you.


• It provides a reasonably high level of confidence that the data you are transferring is not visible in-transit to third-parties. This is the reason it's so important to ensure that any site you provide a password or personal data to uses HTTPS.

This still leaves you open to quite a few attacks. The most obvious is for the web server to be hacked (or the CDN if they're using one). There are others too, like XSS attacks, malicious advertisements (think of all the perfectly legitimate sites out there that have hidden auto-redirects to malicious sites because of the ads they use), and attacks on TLS itself (such attacks are why no sensible operator still uses SSLv2 or SSLv3, both are known broken). So, HTTPS/TLS/SSL by itself is not rigorous protection.

Also, as you yourself said, most of the websites you visit use TLS, not all of them. Think very hard about whether you really should trust those other sites that aren't using it, if they aren't willing to take the five minutes to set their servers up with free certificates from LetsEncrypt, what other aspects of security are they cutting corners on?

Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers.

Have you not watched any news for the past decade? Just in terms of public disclosures, there are dozens of known attacks on sites with well over 100 million users (that's a big site by most people's definitions, as 100 million is more than 1% of the world population, and probably closer to 3-4% of the total number of people on the internet). I suggest taking a look at the list of public breaches on Have I Been Pwned?, there are quite a few big names on there, including ones which handle very sensitive data (Experian for example). So, no, it's not realistic to expect something to be 'too big to be hacked'. In fact, big sites are some of the most attractive targets for attackers, because they have lots of users. They also have a notoriously bad track record for publicly disclosing security breaches (they have more incentive not to, as they have more potential customers to lose).

On the other side of things, small sites are easy targets, even if not attractive. If you think of big sites as high risk investments for hackers, small ones are low-risk investments. They may not give as much in the way of returns, but they often will give much more consistent returns, so they're still attractive targets.

Also, consider that quite often attackers are targeting software that is vulnerable, not necessarily specific sites. WordPress is a good example, as it's used on sites both big and small, and it's been successfully used multiple times in the past as an attack vector.

I can smell fishy websites

First off, just because a site isn't 'fishy' doesn't mean it's not a threat. There are also quite a few legitimate sites that look 'fishy' by many people's definitions.

Second, it's not hard to copy a legitimate site but still do illegitimate things with the result. Domain spoofing, in it's various forms, is often used for this. There was a rather good blog post on a big infosec site a while back (which i unfortunately cannot find right now, otherwise I would link it here) demonstrating this with apple.com.

As an example of the type of thing you need to look out for but probably can't spot, can you tell the difference between uv and υν? No, this isn't a trick question, the first one is the lower case Latin letters 'u' and 'v', while the second one is the lowercase Greek letters upsilon and nu. In most sans-serif fonts (like those used by almost all browsers in the address bar, and the default font on most SE sub-sites), those two pairs of characters are nearly indistinguishable. Even in many serif fonts, they're hard to distinguish for most people. Similarly, АВ is actually a pair of Cyrillic characters, not Latin ones, and again is indistinguishable from the Latin 'AB' in most fonts. Both cases illustrate examples of 'bitsquatting', a technique whereby attackers take advantage of the similarity of different characters looking similar or identical to trick people into following their links by making them look like links to legitimate websites.

Pretty much, don't assume that you will be able to recognize a site that's a threat until it's too late.

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
8
down vote

Each of your statements is making a false assumption here:

Most of the websites I visit have SSL certificate.

This is great, but SSL/TLS only protects you against certain types of attacks.

Pretty much, a site having a (valid) TLS certificate simply means that the owner of that website has in some way proven ownership of the domain name that is used to access the site, possibly spending a very large amount of money to do so (or possibly spending none). Usually, this means that you can trust that the site is who they say they are, barring domain spoofing (which I will cover in response to your third point). However, it may not mean that (see for example the fiasco that got everything issued by Symantec revoked/untrusted earlier this year). So, a TLS certificate really just verifies site ownership, not that the site is legitimate or that they are doing what they say they are.

TLS certificates give one more protection benefit, they let you use HTTPS. HTTPS provides exactly two types of protection if it's used correctly:

• It provides a reasonably high level of confidence that the data you are receiving is the same data that the web server sent. This is important for ensuring that nothing has been added to or removed from the site by a third party while it was in transit to you.


• It provides a reasonably high level of confidence that the data you are transferring is not visible in-transit to third-parties. This is the reason it's so important to ensure that any site you provide a password or personal data to uses HTTPS.

This still leaves you open to quite a few attacks. The most obvious is for the web server to be hacked (or the CDN if they're using one). There are others too, like XSS attacks, malicious advertisements (think of all the perfectly legitimate sites out there that have hidden auto-redirects to malicious sites because of the ads they use), and attacks on TLS itself (such attacks are why no sensible operator still uses SSLv2 or SSLv3, both are known broken). So, HTTPS/TLS/SSL by itself is not rigorous protection.

Also, as you yourself said, most of the websites you visit use TLS, not all of them. Think very hard about whether you really should trust those other sites that aren't using it, if they aren't willing to take the five minutes to set their servers up with free certificates from LetsEncrypt, what other aspects of security are they cutting corners on?

Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers.

Have you not watched any news for the past decade? Just in terms of public disclosures, there are dozens of known attacks on sites with well over 100 million users (that's a big site by most people's definitions, as 100 million is more than 1% of the world population, and probably closer to 3-4% of the total number of people on the internet). I suggest taking a look at the list of public breaches on Have I Been Pwned?, there are quite a few big names on there, including ones which handle very sensitive data (Experian for example). So, no, it's not realistic to expect something to be 'too big to be hacked'. In fact, big sites are some of the most attractive targets for attackers, because they have lots of users. They also have a notoriously bad track record for publicly disclosing security breaches (they have more incentive not to, as they have more potential customers to lose).

On the other side of things, small sites are easy targets, even if not attractive. If you think of big sites as high risk investments for hackers, small ones are low-risk investments. They may not give as much in the way of returns, but they often will give much more consistent returns, so they're still attractive targets.

Also, consider that quite often attackers are targeting software that is vulnerable, not necessarily specific sites. WordPress is a good example, as it's used on sites both big and small, and it's been successfully used multiple times in the past as an attack vector.

I can smell fishy websites

First off, just because a site isn't 'fishy' doesn't mean it's not a threat. There are also quite a few legitimate sites that look 'fishy' by many people's definitions.

Second, it's not hard to copy a legitimate site but still do illegitimate things with the result. Domain spoofing, in it's various forms, is often used for this. There was a rather good blog post on a big infosec site a while back (which i unfortunately cannot find right now, otherwise I would link it here) demonstrating this with apple.com.

As an example of the type of thing you need to look out for but probably can't spot, can you tell the difference between uv and υν? No, this isn't a trick question, the first one is the lower case Latin letters 'u' and 'v', while the second one is the lowercase Greek letters upsilon and nu. In most sans-serif fonts (like those used by almost all browsers in the address bar, and the default font on most SE sub-sites), those two pairs of characters are nearly indistinguishable. Even in many serif fonts, they're hard to distinguish for most people. Similarly, АВ is actually a pair of Cyrillic characters, not Latin ones, and again is indistinguishable from the Latin 'AB' in most fonts. Both cases illustrate examples of 'bitsquatting', a technique whereby attackers take advantage of the similarity of different characters looking similar or identical to trick people into following their links by making them look like links to legitimate websites.

Pretty much, don't assume that you will be able to recognize a site that's a threat until it's too late.

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
8
down vote

up vote
8
down vote

Each of your statements is making a false assumption here:

Most of the websites I visit have SSL certificate.

This is great, but SSL/TLS only protects you against certain types of attacks.

Pretty much, a site having a (valid) TLS certificate simply means that the owner of that website has in some way proven ownership of the domain name that is used to access the site, possibly spending a very large amount of money to do so (or possibly spending none). Usually, this means that you can trust that the site is who they say they are, barring domain spoofing (which I will cover in response to your third point). However, it may not mean that (see for example the fiasco that got everything issued by Symantec revoked/untrusted earlier this year). So, a TLS certificate really just verifies site ownership, not that the site is legitimate or that they are doing what they say they are.

TLS certificates give one more protection benefit, they let you use HTTPS. HTTPS provides exactly two types of protection if it's used correctly:

• It provides a reasonably high level of confidence that the data you are receiving is the same data that the web server sent. This is important for ensuring that nothing has been added to or removed from the site by a third party while it was in transit to you.


• It provides a reasonably high level of confidence that the data you are transferring is not visible in-transit to third-parties. This is the reason it's so important to ensure that any site you provide a password or personal data to uses HTTPS.

This still leaves you open to quite a few attacks. The most obvious is for the web server to be hacked (or the CDN if they're using one). There are others too, like XSS attacks, malicious advertisements (think of all the perfectly legitimate sites out there that have hidden auto-redirects to malicious sites because of the ads they use), and attacks on TLS itself (such attacks are why no sensible operator still uses SSLv2 or SSLv3, both are known broken). So, HTTPS/TLS/SSL by itself is not rigorous protection.

Also, as you yourself said, most of the websites you visit use TLS, not all of them. Think very hard about whether you really should trust those other sites that aren't using it, if they aren't willing to take the five minutes to set their servers up with free certificates from LetsEncrypt, what other aspects of security are they cutting corners on?

Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers.

Have you not watched any news for the past decade? Just in terms of public disclosures, there are dozens of known attacks on sites with well over 100 million users (that's a big site by most people's definitions, as 100 million is more than 1% of the world population, and probably closer to 3-4% of the total number of people on the internet). I suggest taking a look at the list of public breaches on Have I Been Pwned?, there are quite a few big names on there, including ones which handle very sensitive data (Experian for example). So, no, it's not realistic to expect something to be 'too big to be hacked'. In fact, big sites are some of the most attractive targets for attackers, because they have lots of users. They also have a notoriously bad track record for publicly disclosing security breaches (they have more incentive not to, as they have more potential customers to lose).

On the other side of things, small sites are easy targets, even if not attractive. If you think of big sites as high risk investments for hackers, small ones are low-risk investments. They may not give as much in the way of returns, but they often will give much more consistent returns, so they're still attractive targets.

Also, consider that quite often attackers are targeting software that is vulnerable, not necessarily specific sites. WordPress is a good example, as it's used on sites both big and small, and it's been successfully used multiple times in the past as an attack vector.

I can smell fishy websites

First off, just because a site isn't 'fishy' doesn't mean it's not a threat. There are also quite a few legitimate sites that look 'fishy' by many people's definitions.

Second, it's not hard to copy a legitimate site but still do illegitimate things with the result. Domain spoofing, in it's various forms, is often used for this. There was a rather good blog post on a big infosec site a while back (which i unfortunately cannot find right now, otherwise I would link it here) demonstrating this with apple.com.

As an example of the type of thing you need to look out for but probably can't spot, can you tell the difference between uv and υν? No, this isn't a trick question, the first one is the lower case Latin letters 'u' and 'v', while the second one is the lowercase Greek letters upsilon and nu. In most sans-serif fonts (like those used by almost all browsers in the address bar, and the default font on most SE sub-sites), those two pairs of characters are nearly indistinguishable. Even in many serif fonts, they're hard to distinguish for most people. Similarly, АВ is actually a pair of Cyrillic characters, not Latin ones, and again is indistinguishable from the Latin 'AB' in most fonts. Both cases illustrate examples of 'bitsquatting', a technique whereby attackers take advantage of the similarity of different characters looking similar or identical to trick people into following their links by making them look like links to legitimate websites.

Pretty much, don't assume that you will be able to recognize a site that's a threat until it's too late.

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Each of your statements is making a false assumption here:

Most of the websites I visit have SSL certificate.

This is great, but SSL/TLS only protects you against certain types of attacks.

Pretty much, a site having a (valid) TLS certificate simply means that the owner of that website has in some way proven ownership of the domain name that is used to access the site, possibly spending a very large amount of money to do so (or possibly spending none). Usually, this means that you can trust that the site is who they say they are, barring domain spoofing (which I will cover in response to your third point). However, it may not mean that (see for example the fiasco that got everything issued by Symantec revoked/untrusted earlier this year). So, a TLS certificate really just verifies site ownership, not that the site is legitimate or that they are doing what they say they are.

TLS certificates give one more protection benefit, they let you use HTTPS. HTTPS provides exactly two types of protection if it's used correctly:

• It provides a reasonably high level of confidence that the data you are receiving is the same data that the web server sent. This is important for ensuring that nothing has been added to or removed from the site by a third party while it was in transit to you.


• It provides a reasonably high level of confidence that the data you are transferring is not visible in-transit to third-parties. This is the reason it's so important to ensure that any site you provide a password or personal data to uses HTTPS.

This still leaves you open to quite a few attacks. The most obvious is for the web server to be hacked (or the CDN if they're using one). There are others too, like XSS attacks, malicious advertisements (think of all the perfectly legitimate sites out there that have hidden auto-redirects to malicious sites because of the ads they use), and attacks on TLS itself (such attacks are why no sensible operator still uses SSLv2 or SSLv3, both are known broken). So, HTTPS/TLS/SSL by itself is not rigorous protection.

Also, as you yourself said, most of the websites you visit use TLS, not all of them. Think very hard about whether you really should trust those other sites that aren't using it, if they aren't willing to take the five minutes to set their servers up with free certificates from LetsEncrypt, what other aspects of security are they cutting corners on?

Most of them are either big enough that I can trust that they can't be hacked, or small enough that I don't think it's profitable for the hackers.

Have you not watched any news for the past decade? Just in terms of public disclosures, there are dozens of known attacks on sites with well over 100 million users (that's a big site by most people's definitions, as 100 million is more than 1% of the world population, and probably closer to 3-4% of the total number of people on the internet). I suggest taking a look at the list of public breaches on Have I Been Pwned?, there are quite a few big names on there, including ones which handle very sensitive data (Experian for example). So, no, it's not realistic to expect something to be 'too big to be hacked'. In fact, big sites are some of the most attractive targets for attackers, because they have lots of users. They also have a notoriously bad track record for publicly disclosing security breaches (they have more incentive not to, as they have more potential customers to lose).

On the other side of things, small sites are easy targets, even if not attractive. If you think of big sites as high risk investments for hackers, small ones are low-risk investments. They may not give as much in the way of returns, but they often will give much more consistent returns, so they're still attractive targets.

Also, consider that quite often attackers are targeting software that is vulnerable, not necessarily specific sites. WordPress is a good example, as it's used on sites both big and small, and it's been successfully used multiple times in the past as an attack vector.

I can smell fishy websites

First off, just because a site isn't 'fishy' doesn't mean it's not a threat. There are also quite a few legitimate sites that look 'fishy' by many people's definitions.

Second, it's not hard to copy a legitimate site but still do illegitimate things with the result. Domain spoofing, in it's various forms, is often used for this. There was a rather good blog post on a big infosec site a while back (which i unfortunately cannot find right now, otherwise I would link it here) demonstrating this with apple.com.

As an example of the type of thing you need to look out for but probably can't spot, can you tell the difference between uv and υν? No, this isn't a trick question, the first one is the lower case Latin letters 'u' and 'v', while the second one is the lowercase Greek letters upsilon and nu. In most sans-serif fonts (like those used by almost all browsers in the address bar, and the default font on most SE sub-sites), those two pairs of characters are nearly indistinguishable. Even in many serif fonts, they're hard to distinguish for most people. Similarly, АВ is actually a pair of Cyrillic characters, not Latin ones, and again is indistinguishable from the Latin 'AB' in most fonts. Both cases illustrate examples of 'bitsquatting', a technique whereby attackers take advantage of the similarity of different characters looking similar or identical to trick people into following their links by making them look like links to legitimate websites.

Pretty much, don't assume that you will be able to recognize a site that's a threat until it's too late.

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

answered yesterday

Austin Hemmelgarn

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

Austin Hemmelgarn

1813

answered yesterday

Austin Hemmelgarn

1813

1813

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Austin Hemmelgarn is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

up vote
4
down vote

Browser updates include updates to certificate authority data and indeed its very own certificate. Both of those things have expiration dates and there are many websites which can't be accessed at all by too-old browsers because the SSL certificate can't be verified by that too-old browser OR that too-old browser can't verify its own cert to the remote server. So even if you don't care about security, you might care about the access and functionality which security-validation achieves for you.

What's more, by the time you "smell" the fishiness of a website you're looking at, it's already too late for many kinds of attacks. Hopefully your old 32-bit operating system isn't also unable to get updates to its antivirus software.

share|improve this answer

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
4
down vote

Browser updates include updates to certificate authority data and indeed its very own certificate. Both of those things have expiration dates and there are many websites which can't be accessed at all by too-old browsers because the SSL certificate can't be verified by that too-old browser OR that too-old browser can't verify its own cert to the remote server. So even if you don't care about security, you might care about the access and functionality which security-validation achieves for you.

What's more, by the time you "smell" the fishiness of a website you're looking at, it's already too late for many kinds of attacks. Hopefully your old 32-bit operating system isn't also unable to get updates to its antivirus software.

share|improve this answer

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
4
down vote

up vote
4
down vote

Browser updates include updates to certificate authority data and indeed its very own certificate. Both of those things have expiration dates and there are many websites which can't be accessed at all by too-old browsers because the SSL certificate can't be verified by that too-old browser OR that too-old browser can't verify its own cert to the remote server. So even if you don't care about security, you might care about the access and functionality which security-validation achieves for you.

What's more, by the time you "smell" the fishiness of a website you're looking at, it's already too late for many kinds of attacks. Hopefully your old 32-bit operating system isn't also unable to get updates to its antivirus software.

share|improve this answer

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Browser updates include updates to certificate authority data and indeed its very own certificate. Both of those things have expiration dates and there are many websites which can't be accessed at all by too-old browsers because the SSL certificate can't be verified by that too-old browser OR that too-old browser can't verify its own cert to the remote server. So even if you don't care about security, you might care about the access and functionality which security-validation achieves for you.

What's more, by the time you "smell" the fishiness of a website you're looking at, it's already too late for many kinds of attacks. Hopefully your old 32-bit operating system isn't also unable to get updates to its antivirus software.

share|improve this answer

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

edited 4 hours ago

edited 4 hours ago

edited 4 hours ago

answered 22 hours ago

Beanluc

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 22 hours ago

Beanluc

1413

answered 22 hours ago

Beanluc

1413

1413

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Beanluc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

up vote
2
down vote

As an addition to the excellent points in other answers:

Is your 32-bit software still regularly updated or is it a deprecated old version?

Once any piece of internet connected software stops receiving new security fixes, it becomes susceptible to every new bug or hack thereafter.

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
  – Ooker
  17 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
  – DoritoStyle
  6 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
  – Ooker
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
  – DoritoStyle
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
  – DoritoStyle
  5 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

As an addition to the excellent points in other answers:

Is your 32-bit software still regularly updated or is it a deprecated old version?

Once any piece of internet connected software stops receiving new security fixes, it becomes susceptible to every new bug or hack thereafter.

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
  – Ooker
  17 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
  – DoritoStyle
  6 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
  – Ooker
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
  – DoritoStyle
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
  – DoritoStyle
  5 hours ago
  
  

  
  
  
  

add a comment | 

up vote
2
down vote

up vote
2
down vote

As an addition to the excellent points in other answers:

Is your 32-bit software still regularly updated or is it a deprecated old version?

Once any piece of internet connected software stops receiving new security fixes, it becomes susceptible to every new bug or hack thereafter.

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

As an addition to the excellent points in other answers:

Is your 32-bit software still regularly updated or is it a deprecated old version?

Once any piece of internet connected software stops receiving new security fixes, it becomes susceptible to every new bug or hack thereafter.

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

answered yesterday

DoritoStyle

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

DoritoStyle

1317

answered yesterday

DoritoStyle

1317

1317

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

DoritoStyle is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
  – Ooker
  17 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
  – DoritoStyle
  6 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
  – Ooker
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
  – DoritoStyle
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
  – DoritoStyle
  5 hours ago
  
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
  – Ooker
  17 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
  – DoritoStyle
  6 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
  – Ooker
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
  – DoritoStyle
  5 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
  – DoritoStyle
  5 hours ago
  
  

  
  
  
  

Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
– Ooker
17 hours ago

Yes, Windows 7 is updated regularly. Is it compensate enough for an old browser?
– Ooker
17 hours ago

1

1

I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
– DoritoStyle
6 hours ago

I mean ALL 32 bit software, including all software that is installed on the 32 bit OS, not just Windows.
– DoritoStyle
6 hours ago

yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
– Ooker
5 hours ago

yes, most of them are still supported. But why the need? They don't connect to the internet. Maybe there is a chance that I accidentally open an infected file, but why can't Windows Defender detect it?
– Ooker
5 hours ago

My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
– DoritoStyle
5 hours ago

My answer specifies "internet connected software", but to be realistic,. any software on an internet connected computer is vulnerable, whether or not it connects to the net itself.
– DoritoStyle
5 hours ago

@Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
– DoritoStyle
5 hours ago

@Ooker to expand on that, a compromised piece of software can sometimes allow an attacker to gain full root/admin access to the machine, so at that point even the OS is compromised until that bug is patched. You're not just trusting Microsoft here, your trusting every 2-bit software vendor providing outdated software.
– DoritoStyle
5 hours ago

add a comment | 

up vote
2
down vote

You should care about security if you care about security.

If you care enough to say things like "I can smell fishy websites" or "Most of the websites I visit have SSL certificates," then you do care about security.

Attacks are out there. Period. Let's not fool ourselves. Let's not pretend we're immune. Take Stuxnet. Stuxnet is credited with destroying up to 1000 centrifuges used for enriching nuclear fuel in Iran. That's hundreds of millions of dollars in damage, at the very least. Practically speaking, a good risk assessment from the country's perspective would be even more dire.

You feel invincible because you visit sites with SSL certificates? The computers Stuxnet hit were air gapped. There was no wire going between the internet and the computers that got infected. They still got infected.

So the real question is not "am I safe?" You're not. The real question is are you safe enough. Is it worth spending some number of dollars and some number of hours to upgrade? That's a balance question. That's much more useful.

Here's a test. Log into your computer. Log into a few sites you care about. Now hand me your computer. I'm going to walk away with it. How do you feel? How nervous are you that I have your data? If all you have is a harddrive full of cute kitten pictures, then you are probably going to be more angry that I walked off with your laptop. Laptops are expensive to replace. But if you've got your banking credentials on that computer, you're probably going to be more worried about what I can do with those. Is your SSN on that computer?

Once you understand how much damage can be done, versus the cost of preventing the damage, you can make a judgement call.

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

add a comment | 

up vote
2
down vote

You should care about security if you care about security.

If you care enough to say things like "I can smell fishy websites" or "Most of the websites I visit have SSL certificates," then you do care about security.

Attacks are out there. Period. Let's not fool ourselves. Let's not pretend we're immune. Take Stuxnet. Stuxnet is credited with destroying up to 1000 centrifuges used for enriching nuclear fuel in Iran. That's hundreds of millions of dollars in damage, at the very least. Practically speaking, a good risk assessment from the country's perspective would be even more dire.

You feel invincible because you visit sites with SSL certificates? The computers Stuxnet hit were air gapped. There was no wire going between the internet and the computers that got infected. They still got infected.

So the real question is not "am I safe?" You're not. The real question is are you safe enough. Is it worth spending some number of dollars and some number of hours to upgrade? That's a balance question. That's much more useful.

Here's a test. Log into your computer. Log into a few sites you care about. Now hand me your computer. I'm going to walk away with it. How do you feel? How nervous are you that I have your data? If all you have is a harddrive full of cute kitten pictures, then you are probably going to be more angry that I walked off with your laptop. Laptops are expensive to replace. But if you've got your banking credentials on that computer, you're probably going to be more worried about what I can do with those. Is your SSN on that computer?

Once you understand how much damage can be done, versus the cost of preventing the damage, you can make a judgement call.

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

add a comment | 

up vote
2
down vote

up vote
2
down vote

You should care about security if you care about security.

If you care enough to say things like "I can smell fishy websites" or "Most of the websites I visit have SSL certificates," then you do care about security.

Attacks are out there. Period. Let's not fool ourselves. Let's not pretend we're immune. Take Stuxnet. Stuxnet is credited with destroying up to 1000 centrifuges used for enriching nuclear fuel in Iran. That's hundreds of millions of dollars in damage, at the very least. Practically speaking, a good risk assessment from the country's perspective would be even more dire.

You feel invincible because you visit sites with SSL certificates? The computers Stuxnet hit were air gapped. There was no wire going between the internet and the computers that got infected. They still got infected.

So the real question is not "am I safe?" You're not. The real question is are you safe enough. Is it worth spending some number of dollars and some number of hours to upgrade? That's a balance question. That's much more useful.

Here's a test. Log into your computer. Log into a few sites you care about. Now hand me your computer. I'm going to walk away with it. How do you feel? How nervous are you that I have your data? If all you have is a harddrive full of cute kitten pictures, then you are probably going to be more angry that I walked off with your laptop. Laptops are expensive to replace. But if you've got your banking credentials on that computer, you're probably going to be more worried about what I can do with those. Is your SSN on that computer?

Once you understand how much damage can be done, versus the cost of preventing the damage, you can make a judgement call.

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

You should care about security if you care about security.

If you care enough to say things like "I can smell fishy websites" or "Most of the websites I visit have SSL certificates," then you do care about security.

Attacks are out there. Period. Let's not fool ourselves. Let's not pretend we're immune. Take Stuxnet. Stuxnet is credited with destroying up to 1000 centrifuges used for enriching nuclear fuel in Iran. That's hundreds of millions of dollars in damage, at the very least. Practically speaking, a good risk assessment from the country's perspective would be even more dire.

You feel invincible because you visit sites with SSL certificates? The computers Stuxnet hit were air gapped. There was no wire going between the internet and the computers that got infected. They still got infected.

So the real question is not "am I safe?" You're not. The real question is are you safe enough. Is it worth spending some number of dollars and some number of hours to upgrade? That's a balance question. That's much more useful.

Here's a test. Log into your computer. Log into a few sites you care about. Now hand me your computer. I'm going to walk away with it. How do you feel? How nervous are you that I have your data? If all you have is a harddrive full of cute kitten pictures, then you are probably going to be more angry that I walked off with your laptop. Laptops are expensive to replace. But if you've got your banking credentials on that computer, you're probably going to be more worried about what I can do with those. Is your SSN on that computer?

Once you understand how much damage can be done, versus the cost of preventing the damage, you can make a judgement call.

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

share|improve this answer

share|improve this answer

answered yesterday

Cort Ammon

6,30731820

answered yesterday

Cort Ammon

6,30731820

answered yesterday

Cort Ammon

6,30731820

6,30731820

add a comment | 

add a comment | 

up vote
0
down vote

Since nobody pointed this out yet:

Anti virus software is way less useful than you think. In fact, if you ask security professionals, the main recommendation to stay safe will be to update all your software, above the recommendation to run an AntiVirus - so exactly what you're planning not to do.

Why? All that anti virus software does is stop known, old pandemics. However, most successful widespread attacks simply create new viruses and use the time window until anti virus software is updated to spread. Anti virus software is no magic bullet, it only detects what it knows (there is behavior detection but it isn't very effective for any of the AV software out there) so against new attacks, it only helps to have less intrusion opportunities. And by far the cheapest intrusion opportunity for attackers is an outdated browser or core system.

So yes, it is vital that your browser is up-to-date if you care about any of the data on your computer at all. Whether you have an Anti Virus is actually kind of unimportant - it does help a little, but it won't save you against most new attacks if your browser or core system are outdated.

Side note: this might be different if you run a browser sandboxed. However, unless you know that is what you're doing, you're most likely not doing it. And I'm not sure for 32bit, any of the common sandboxing solutions like UWP/Windows App Store is supported at all. Also, in that case websites might still be able to steal data from all other open websites, including your banking website tab. So that's hardly ideal.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
0
down vote

Since nobody pointed this out yet:

Anti virus software is way less useful than you think. In fact, if you ask security professionals, the main recommendation to stay safe will be to update all your software, above the recommendation to run an AntiVirus - so exactly what you're planning not to do.

Why? All that anti virus software does is stop known, old pandemics. However, most successful widespread attacks simply create new viruses and use the time window until anti virus software is updated to spread. Anti virus software is no magic bullet, it only detects what it knows (there is behavior detection but it isn't very effective for any of the AV software out there) so against new attacks, it only helps to have less intrusion opportunities. And by far the cheapest intrusion opportunity for attackers is an outdated browser or core system.

So yes, it is vital that your browser is up-to-date if you care about any of the data on your computer at all. Whether you have an Anti Virus is actually kind of unimportant - it does help a little, but it won't save you against most new attacks if your browser or core system are outdated.

Side note: this might be different if you run a browser sandboxed. However, unless you know that is what you're doing, you're most likely not doing it. And I'm not sure for 32bit, any of the common sandboxing solutions like UWP/Windows App Store is supported at all. Also, in that case websites might still be able to steal data from all other open websites, including your banking website tab. So that's hardly ideal.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

up vote
0
down vote

up vote
0
down vote

Since nobody pointed this out yet:

Anti virus software is way less useful than you think. In fact, if you ask security professionals, the main recommendation to stay safe will be to update all your software, above the recommendation to run an AntiVirus - so exactly what you're planning not to do.

Why? All that anti virus software does is stop known, old pandemics. However, most successful widespread attacks simply create new viruses and use the time window until anti virus software is updated to spread. Anti virus software is no magic bullet, it only detects what it knows (there is behavior detection but it isn't very effective for any of the AV software out there) so against new attacks, it only helps to have less intrusion opportunities. And by far the cheapest intrusion opportunity for attackers is an outdated browser or core system.

So yes, it is vital that your browser is up-to-date if you care about any of the data on your computer at all. Whether you have an Anti Virus is actually kind of unimportant - it does help a little, but it won't save you against most new attacks if your browser or core system are outdated.

Side note: this might be different if you run a browser sandboxed. However, unless you know that is what you're doing, you're most likely not doing it. And I'm not sure for 32bit, any of the common sandboxing solutions like UWP/Windows App Store is supported at all. Also, in that case websites might still be able to steal data from all other open websites, including your banking website tab. So that's hardly ideal.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

Since nobody pointed this out yet:

Anti virus software is way less useful than you think. In fact, if you ask security professionals, the main recommendation to stay safe will be to update all your software, above the recommendation to run an AntiVirus - so exactly what you're planning not to do.

Why? All that anti virus software does is stop known, old pandemics. However, most successful widespread attacks simply create new viruses and use the time window until anti virus software is updated to spread. Anti virus software is no magic bullet, it only detects what it knows (there is behavior detection but it isn't very effective for any of the AV software out there) so against new attacks, it only helps to have less intrusion opportunities. And by far the cheapest intrusion opportunity for attackers is an outdated browser or core system.

So yes, it is vital that your browser is up-to-date if you care about any of the data on your computer at all. Whether you have an Anti Virus is actually kind of unimportant - it does help a little, but it won't save you against most new attacks if your browser or core system are outdated.

Side note: this might be different if you run a browser sandboxed. However, unless you know that is what you're doing, you're most likely not doing it. And I'm not sure for 32bit, any of the common sandboxing solutions like UWP/Windows App Store is supported at all. Also, in that case websites might still be able to steal data from all other open websites, including your banking website tab. So that's hardly ideal.

share|improve this answer

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

share|improve this answer

edited 2 hours ago

edited 2 hours ago

edited 2 hours ago

answered 2 hours ago

J. T.

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 2 hours ago

J. T.

11

answered 2 hours ago

J. T.

11

11

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

New contributor

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

J. T. is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194345%2fwhy-should-a-browsers-security-be-prioritized%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email