Dedicate browser for secure online banking?

wolfv · August 22, 2011, 3:10am

I currently keep a hosts file to make my online banking more secure. But that won�t help in the event of a DNS-cache-poisoning zero-day attack. Is the following solution practical?

Dedicate one browser for secure online banking, and dedicate a different browser for normal browsing of the Internet. The secure browser would be restricted to a whitelist containing only by bank�s IP addresses. Is there a way to restrict IP addresses for just one browser? (hosts file won�t work because it restricts all browsers) The browsers would run on Ubuntu 11.04.

AhnLab Inc sells a dedicated browser specialized for secure online banking: AhnLab - Antivirus Software and Security Solutions Provider
Is there a similar browser in open-source land?

Another option is to boot Linux USB live, with it�s own hosts file: Secure Online Banking with Linux USB Live A legacy of secure solutions by Kingston IronKey - Kingston Technology
I want to investigate the dedicated browser option before I commit to using Linux USB live.

Thank you for your input.

alister · August 22, 2011, 10:38am

Something to keep in mind is that some browsers implement their own dns resolving routines, instead of using the system's. I would assume that they'd consult the host file, but with web browsers being as complex, insecure, and error-prone as they are, one should never take anything for granted.

By the way, does your bank not use HTTPS? If it does, you shouldn't have to worry about dns poisoning. If it doesn't, I'd be more concerned by a man-in-the-middle.

Regards,
Alister

pludi · August 22, 2011, 11:07am

If you want to be absolutely sure that your browser isn't tainted, create a VM for online banking, and disallow any interaction with the host system (shared folders, shared clipboard, ...). Make a known good snapshot of that VM, and restore to that snapshot every time you close it.

But really, there's probably a bigger chance of a well hidden trojan/root kit, or excellently crafted phishing attack, especially if the bank uses SSL. If it doesn't, change banks.

wolfv · August 24, 2011, 1:52am

Alister,
Yes, my bank uses HTTPS. But it is too easy to purchase a digital certificate.

pludi,
I like the VM for online banking idea. I will investigate that.

Rolo · November 21, 2011, 7:32am

Last week, I've found out that Fortress Linux has released a secure Linux OS that is called the "Secure Browsing Edition". It only includes a hardened web browser.

This browser has a smart protection system against evil scripts and cookies. And it seems to be the only browser that forces TLS 1.2/SSL 3.3 encryption, while all the available web browsers in my Ubuntu install only use TLS 1.0, which was cracked recently. (Google for TLS cracked). Besides, I don't trust Ubuntu anymore after my system was infected by a root-kit last week. Rather go for a live system like this one.

I now use the Fortress Linux secure browsing edition to do my online banking and more. It's fast and it has an "Apple" look window manager. It boots in a matter of seconds.

For some reason I cannot post an URL, but their website is:
www fortresslinux org

Maybe someone else could provide the link here.