
Topic: Security? (Read 3153 times)

  • Wanderlei
Security?
I was wondering how cautious we should be using Otter browser? Should we just use it for general browsing and avoid using any credential online with it? Or should we just avoid things like online banking etc?

  • Frenzie
  • Administrator
Re: Security?
Reply #1
I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

  • ersi
Re: Security?
Reply #2

I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

On the cookies front, I would like to see the ability to block all cookies and then allow them for specific sites when browsing - like in Opera. The relevant settings in the configuration dialogue imply that this is planned, but not implemented yet.

On the referrer front, I'd like to see more options, not just yes or no to referrer, but it's good enough for the time being.

Plaintext adblock lists are also a great security option to have, when they ensure that there will be no connections to the blacklisted addresses.

  • krake
Re: Security?
Reply #3


I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

The above settings are privacy and not security related.
And since you have mentioned proxies - network settings are so poor (as in any other WebKit-based browser) that it's impossible to properly configure the browser to work with a proxy.

  • ersi
Re: Security?
Reply #4



I assume it's pretty much as (in)secure as any other QtWebKit-based browser.

Cookie settings, referrer settings, and proxy settings can make quite a difference.

The above settings are privacy and not security related.

What is the difference between privacy and security then? SSL? HTTPS? What's going into the web from browser's cache, history and address bar?

I guess you are saying that when the engine is chosen, then everything security-related is settled and cannot be improved. Only privacy things can, right?

  • Frenzie
  • Administrator
Re: Security?
Reply #5
What is the difference between privacy and security then? SSL? HTTPS?

Stuff like that (encryption) and certificate chains, I suppose. Or at least that's what's under "security" in Opera's preferences.

  • krake
Re: Security?
Reply #6

What is the difference between privacy and security then?

That's something you could find out by yourself :) In the meantime you could also ask yourself why use different notions if they are the same thing.
BTW, can you tell me how a text file or a referrer can have an impact on security?


SSL? HTTPS?

Encryption (SSL) is security related while HTTPS is the name of the protocol.
(Frenzie was quicker :) )


I guess you are saying that when the engine is chosen, then everything security-related is settled and cannot be improved. Only privacy things can, right?

Nope. This would be silly.
What I'm trying to say is that developing and maintaining a browser is costly and needs qualified manpower. Enthusiasm alone doesn't suffice. That's why we are left with only very few browsers and dozens of their deviants inheriting their shortcomings and security holes.

  • ersi
Re: Security?
Reply #7


What is the difference between privacy and security then?

That's something you could find out by yourself :) In the meantime you could also ask yourself why use different notions if they are the same thing.

Their usage overlaps to a considerable degree. That's why I am asking. We have to define these things for ourselves each and every time, because everybody understands it differently.



SSL? HTTPS?

Encryption (SSL) is security related while HTTPS is the name of the protocol.

I know what they are (a little). The question is which one is security, which one is privacy, and why.


What I'm trying to say is that developing and maintaining a browser is costly and needs qualified manpower. Enthusiasm alone doesn't suffice. That's why we are left with only very few browsers and dozens of their deviants inheriting their shortcomings and security holes.

This I can agree with, except for the qualified manpower bit. Given what kind of people pose as internet security experts in the media, I strongly doubt anyone is qualified in this area.

  • krake
Re: Security?
Reply #8

I know what they are (a little). The question is which one is security, which one is privacy, and why.

As I already told you, encryption (SSL) is security related while HTTPS is the corresponding protocol (secure connection).
If your bank PIN and PW were transmitted in plain text and the traffic sniffed then you could encounter some problems.
Encryption of emails or any other data on your HD is also security related.

Google (and other search engines) are advertising a secure connection for protecting your privacy - your searches are private, nobody knows what you are searching for :lol:
Aside from the fact that I couldn't care less if my search queries are transmitted in plain text, I also find it ridiculous when a company like Google is playing the role of a privacy guard. Last but not least such assertions make little sense.
Let me explain why:
What are search requests and search engines meant for? To find something you are interested in. You will have to visit the sites your search results show. Otherwise it makes no sense to search. As soon as you visit the site at least two parties will log your IP: your ISP and the server you are visiting. Maybe even more parties will log your IP - like the NSA and/or your local three letter agency :P
Things might look better if you combine an anonymising proxy over SOCKS. However in this case it's only the combination of a proxy server and a secure connection which might ensure your privacy.
  • Last Edit: 2014-08-07, 23:05:49 by krake

  • ersi
Re: Security?
Reply #9

If your bank PIN and PW were transmitted in plain text and the traffic sniffed then you could encounter some problems.

Is it the browser that determines if plain text is transmitted or is it the bank website's job to have control over what's being typed in there?


Encryption of emails or any other data on your HD is also security related.

The sender (me) encrypts the message, sends the encrypted message, and the receiver decrypts it. Who encrypts at what stage in browsers? What can a browser do here?

What I have heard about browsers is things like leaking history and leaking address bar. These sound like things that a browser developer could manage, regardless of browser engine.


Google (and other search engines) are advertising a secure connection for protecting your privacy - your searches are private, nobody knows what you are searching for :lol:

This is what I mean. "Security" and "privacy" are used so often together that it's certain that even experts don't keep them apart very well. "Security and privacy" sound to me like "terms and conditions" (which ones are the terms and which ones are the conditions?) or "preferences, options, and configuration".

  • Frenzie
  • Administrator
Re: Security?
Reply #10
Is it the browser that determines if plain text is transmitted or is it the bank website's job to have control over what's being typed in there?

I'd say it's the bank's job. If the connection to the browser can't be made sufficiently secure because of outdated encryption methods I think they should probably just say "sorry, you're out of luck" as opposed to falling back to some easily cracked encryption. Or possibly give you the choice to continue anyway if they think it'll annoy customers too much otherwise.

This is what I mean. "Security" and "privacy" are used so often together that it's certain that even experts don't keep them apart very well. "Security and privacy" sound to me like "terms and conditions" (which ones are the terms and which ones are the conditions?) or "preferences, options, and configuration".

Security is to make sure third parties can't intercept your connection. Or, probably more important, to make sure they can't inject what is sent to you with nasty things. This has privacy as a side-effect. They're definitely intertwined, but I don't think it's as muddled as you say.

With cookies, I'd present it something like this: cookies are in principle privacy-related only, but leaking cookies when you're on another website would be a security problem: a security issue that affects your privacy.

  • krake
Re: Security?
Reply #11

The sender (me) encrypts the message, sends the encrypted message, and the receiver decrypts it. Who encrypts at what stage in browsers?

Forget about the browser, even if you are using a 'suite'. It's the built-in mail/encryption module doing the job.
It's basically not the browser that encrypts but part of the built-in email module or at least the corresponding code.
As for how email encryption and protocols for email encryption exactly work, you can find information on the web which is more in-depth than I could explain.


What I have heard about browsers is things like leaking history and leaking address bar. These sound like things that a browser developer could manage, regardless of browser engine.

You probably mean the cascading style sheets history leak. Not an easy fix without breaking key web functionality. Mozilla promised a fix years ago. I'm not aware if it got fixed.
Some fixes are difficult or costs are considered to be not worth the benefit.
As for browser developers, there are just a few browsers left. I wouldn't consider the makers of their deviants "browser developers" ;)
BTW, the cascading style sheets history leak isn't of big concern for me. Besides you can configure the browser (at cost of some convenience) to circumvent the leak.


  • Emdek
  • Moderator
Re: Security?
Reply #12
@krake, we all know that the best solution would be to simply fork some existing engine but that is simply too big a task, at least for now.
Maintaining it would be a big pain itself (updating from upstream and hoping that they won't remove some API / feature that we are using - all three biggest vendors do that - Apple, Google and Mozilla), and packagers wouldn't be happy either, as compilation would go from a few minutes to many hours, from slightly noticeable use of RAM while building to up to a few gigabytes (not everybody has a dedicated machine for compiling).

We can reevaluate this in the future, but for now it is not an option, we have to use what is available.
The time has come, the high time, to destroy hatred in oneself.