Wednesday 27 April 2016

Midori as a Site-Specific Browser

A Site-Specific Browser (SSB) is a program or application that is dedicated to loading and exploring a single web site.

This allows a user to simply click on an icon and go straight to a web site, often using an interface with minimum functionality.

But my main interest in the SSB approach has more to do with security than ease of use.

In the Linux world that I inhabit, I waddle around the internet using Firefox as my preferred mode of transport. For many years I have used the extension NoScript to provide some kind of protection from the bad guys out there trying to run nasty scripts on my computer.

But there is a problem. I'm not a security expert, and there are not enough hours in the day (or days left in my life) to read and understand all the potential risks that lie in wait for me. Anyway, it is a moving target, with more bad stuff appearing every week, and much of the information on the web becoming out of date as browsers and operating systems are patched.

And the problem with using NoScript is that it stops you doing things. A hundred times a day you have to decide whether to leave scripting disabled on a particular site or risk opening it up.

Hey! I only need to know what time "Line Of Duty" is on!

On some really bad sites (like the Radio Times) I counted over 20 additional sites it would like me to take a decision on. It gets worse, each time you click on a page link, more appear in the list!

Take a bite of my cookie

With NoScript disabled, is cross-site scripting (XSS) still a security risk or has this been eliminated?

Can a 12 year old really steal passwords by examining my cookies?

I don't really know the answers, but cookies appear to be a necessary evil; we want the convenience, but we are not so keen on people spying on us.

If there are any potential risks (now or in the future) I need to minimise them, as I was recently forced to embrace the benefits of Internet Banking.

So with all these rather muddled and wildly inaccurate ideas in mind, I have decided to modify the way I access certain web sites.

If I must open scripting to web sites (and "Allow all this page") and continue to accept cookies from strangers, then I would like to segregate my internet browsing activities.

Not all SSBs are equal

What I have decided to do is create an SSB for each internet site that I would like to remain isolated from other browsing activity. To remain isolated, I cannot use SSB features on browsers like Google Chrome, because I understand that they have one pool of browser files.

But with Midori I can run each instance with a specified path to a separate location. For example, for my SSB for Amazon I use the command:-

midori -c /home/steve/.webapps/.Amazon/midori the cookies and other mysterious stuff saved for Amazon are not accessible when I run another Midori SSB or plain old Midori.

The launcher file for my Amazon SSB is just a modified version of the Midori launcher.

[Desktop Entry]
GenericName=Web Browser
Comment=Lightweight web browser
Exec=midori -c /home/steve/.webapps/.Amazon/midori


I've removed a lot of the language stuff to make it clearer, and just highlighted the more important changes.

The Midori configuration file can be modified if you want to remove interface controls (again, there is a config file for each SSB). For example my: /home/steve/.webapps/.Amazon/midori/config file looks like this:-

toolbar-items =TabNew,Back,Forward,Next,ReloadStop,BookmarkAdd,Location,Search,Trash,
user-agent=Mozilla/5.0 (X11; Linux) AppleWebKit/538.15 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/538.15 Midori/0.5

You can easily add/remove items from the "toolbar-items=" list to change UI appearance. Here is the line/list for my Facebook SSB:-


So now I just have to avoid using Firefox for any site already covered by an SSB. I can visit my home banking sites, and some retail outlets like Amazon via dedicated SSBs. I'll continue using NoScript on Firefox, but not agonise for quite so long about blocking or allowing a particular link.

What could possibly go wrong?

No comments:

Post a Comment