Good afternoon, friends.
I want to share some experience with free solutions for checking the security of web browsers in organizations and at home. Recently, my colleagues were faced with the task of verifying the security of client web browsers, and we decided to try to solve this problem quickly, efficiently and with minimal investment. On the Internet, we were able to find the following free services for checking browsers:
There are plenty of descriptions of how these services work on the Internet, so I will not give step-by-step instructions for working with them.
But I want to share the results these services gave with different browsers, the differences in functionality and the peculiarities of their work. Since these services are currently developing rapidly, I can evaluate their work as it was at the time of testing.
Surfpatrol.
The browser can be audited without installing additional plug-ins, but for the Chrome browser it is possible to install a plug-in from the Chrome Web Store. By the way, when installing the Surfpatrol plugin in Chrome, I opened the Chrome Web Store link to install the plugin manually. The work of this plugin was a bit disappointing: the audit results with and without it were the same. I was also surprised by the service's results with IE 9. On different testing days (within 1 week), the first report recommended that I use InPrivate mode, while the second report recommended that I update the browser by running Windows Update. Nothing was said about InPrivate mode in the second report. Also, for some reason, the report showed the version of the installed MS Office 2010 package.
Results:
Positive aspects of the service:
- Localized interface (but an English version is also available)
- Identifies most plugins in the browser
- Omnivorous (it launched even in Chrome on Android 4.0.4)
- Free
Negative sides of the service:
- Could not detect all browser plugins. In particular, it did not detect QuickTime, and in Chrome it did not identify the 2 different installed versions of the Adobe Flash plug-in (it showed only the latest).
- To test each browser, you need to open the service in each browser.
- Audit reports with and without the Chrome plugin are the same (maybe it was just me)
- Minimal information in the report
- IE browser verification reports differ even when there are no changes in the system itself.
In the year since I first saw this service, its specialists have done a lot, and I like it. I also like that this service is developing and improving.
Qualys BrowserCheck
Qualys has been offering this service for quite some time, and it is already a serious tool that has been polished and worked on very thoroughly.
Among the features of its use, I want to highlight the fact that it is available both with a browser plug-in installed and without one. Plug-in installation is supported for Chrome, IE and Firefox. When you run an audit, all installed and supported browsers are audited at once. I.e., when you start the service in Chrome, the installed IE is checked as well, without being launched. The service also checked the OS update level and the operation of the antivirus and the firewall.
Special thanks to the service for its informative reports. Firstly, all checked plug-ins are separated into 3 categories: Insecure Version, Update available and Up To Date. With the Insecure Version status, you need to follow the link provided right there and update the plugin. The Update available status indicates that your version of the plugin has been updated, but a newer version is already available. And secondly, as I have already mentioned, the report includes a link to the vendor's page for installing a new version of the plug-in / software.
I want to mention the process of installing the plugin in the Chrome browser. It is installed only after I agree to use it, and this happens in a mode invisible to the user. I.e., everything is automatic.
By the way, the list of detected plugins is quite large and is available at this link: https://community.qualys.com/docs/DOC-1542#s2
At the moment, this is still the best tool for me to check the level of protection of a web browser on desktop PCs.
Results:
Positive aspects of the service:
- Identifies all plugins in the browser
- Omnivorous: works with all popular browsers on desktops and laptops
- Free
- A lot of useful information in the report: the path to the location of the library being checked, the version on the host and the vendor, a recommendation, a link to the updated software
- Checks all supported browsers at once and, at the same time, the basic elements of OS protection
- Detected all Adobe Flash plugins installed in Chrome
- Installing the plugin in browsers requires minimal action from the user
- Ability to share the result on Twitter, Facebook and by mail directly from the service page
Negative sides of the service:
- Could not run in the Chrome browser on the Android 4.0.4 platform
- For some, the lack of interface localization may be a minus (not for me)
BrowserCheck Business Edition
This service differs from the previously described Qualys service only in that it has the ability to check the level of security in an organization. This is done as follows:
You register on the service page and create, in your account, a link to this service for your organization only.
Employees of the organization run this service in their browsers and are audited.
In your account on the service portal, you can see statistics on the security level of the browsers of the company's users. Examples of reports can be seen at the link www.penetrationtest.ru/mikro-blog/nikitenko-aleksey/analitika-bezopasnosti-brauzerov
In terms of functionality and pluses / minuses, everything is the same as in Qualys BrowserCheck.
As a result, in projects and at home I use Qualys BrowserCheck. But I also track changes in Surfpatrol.
I hope that this text will be useful for someone.