A key feature of modern browsers can also decrease the safety and security of your web browsing. Tabbed browsing, or browsing with multiple open windows, can lead to your logins to websites being compromised.
An attack vector used to do this is known as cross-site request forgery, abbreviated as CSRF (pronounced “sea surf”). It is just one of several ways to steal your information. The recommendations in this article will help protect you against many of these attack vectors.
Why should you care? Because if you bank online, shop online, use a web-based mail service, or post anything about yourself online, you could easily fall victim to this silent attack.
Don’t have multiple browser windows or tabs open when you log into a website, because your authentication details can be stolen and used to impersonate you. Log in over HTTPS whenever possible, because it encrypts the data between your computer and the website. Clean your cookies, and log out when you’re done.
Let’s say you do your banking online, and your bank’s website creates a cookie on your computer. Let’s say that cookie holds your authentication information.
If you browse to another website before the cookie is deleted or before it expires, the cookie contents (your authentication information) can be stolen.
How? If your cookie is still present when you go to another website, a specially crafted element on that other website’s page can cause your browser to issue an authenticated request to your bank…even though you didn’t initiate or authorize the transaction.
Obviously, this could be very bad in the case of financial transactions. This attack vector could also be used to gather intelligence on your identity, which could then be used to build a profile about you.
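To make the mechanism above concrete, here is an added example (not code from the original article) that models how a bank’s server sees a request triggered by another site while your session cookie is still valid, and how the standard server-side defense, a per-session anti-CSRF token, rejects it. The session store, cookie name and handler names are hypothetical.

```python
import secrets
import hmac

# Constructed in-memory session store (hypothetical): session id -> owner + CSRF token.
SESSIONS = {}

def login(user):
    """Create a session; the returned dict is the cookie the browser stores."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return {"session": sid}

def transfer_cookie_only(cookies, form):
    """Vulnerable handler: authorises on the session cookie alone. The browser
    attaches that cookie to a request triggered by another site, so it passes."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    return f"200 moved {form['amount']} from {sess['user']} to {form['to']}"

def transfer_with_token(cookies, form):
    """Hardened handler: the form must also carry the session's CSRF token,
    which another site cannot read, so a cross-site request is rejected."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "403 missing or wrong CSRF token"
    return f"200 moved {form['amount']} from {sess['user']} to {form['to']}"

def demo():
    """The article's scenario: logged-in user, request triggered by another site,
    then logout (the article's own advice) leaving the cookie useless."""
    cookies = login("alice")
    # Form fields another site's page could submit; it cannot see the cookie
    # or the CSRF token, it can only make the browser send the request.
    cross_site_form = {"to": "other-account", "amount": "500"}
    results = {
        "cookie_only": transfer_cookie_only(cookies, cross_site_form),
        "with_token": transfer_with_token(cookies, cross_site_form),
    }
    own_form = dict(cross_site_form, csrf=SESSIONS[cookies["session"]]["csrf"])
    results["with_token_own_page"] = transfer_with_token(cookies, own_form)
    SESSIONS.pop(cookies["session"])  # server-side logout invalidates the session
    results["after_logout"] = transfer_cookie_only(cookies, cross_site_form)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The last result shows why the advice in this article works: once you log out (or clear the cookie), the browser has nothing to attach, and the forged request is refused even by the vulnerable handler.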
If you’re interested in the details of CSRF attacks, these four links will give you a good foundation for deeper understanding:
Today, the information I want to share is how to protect yourself from falling victim to a CSRF attack.
Protecting yourself requires surfing the web differently. If you enjoy having multiple tabs or windows open while you browse, it may be difficult to break that habit.
Ready? Have only one browser tab or window open when you are logging into a website.
Log out when you are done, and before you visit any other websites or visit any chats.
Even better would be to delete your cookies after logging out.
We also encourage you to use SSL-encrypted sessions whenever possible for logging into websites. Frankly, if a website doesn’t provide a secure login, we don’t log into it…period. You can tell if it is an SSL-enabled website by making sure the URL starts with https:// and making sure there is a padlock icon in the task bar or URL field.
The solution is simple and costs you nothing…except a change in behavior:
- Only one tab or window open while you log in and use a website that requires authentication.
- Clean your cookies.
- Use HTTPS sessions.
- Log out when you’re done.