Isolated browser sessions: not so safe after all

[Thrawn]

Tommy Turtle would have been quite perturbed to learn that an active attacker can compromise even a clean browser session, logged into nothing but your bank:

Owning the paranoid: Browser background traffic

Defences include:

• Force HTTPS on the sensitive site (at least for cookies, ideally for whole site).
• Disable all non-HTTPS traffic, by setting the relevant proxy settings to an invalid value.

[Hecuba's daughter]

To be fair to the basic user, this is just one more reason for not using a network whose security you aren't confident in. Surely?

If that way of subverting the background insecure traffic is similar (as I read it) to sending 302s for traffic begun by the user specifically entering a request in a separate browser instance in the same session, where non-https traffic happens, ie 'surfjacking', then a secure VPN to subvert sniffing is yet another layer of protection to add to your other recommendations, but it matters little how many instances of Firefox are open.
However, for the careful browser interested in layers of protection, surely one can only trust the webmaster of a site just so far, in which case every layer of defence, including only being logged to a single site when sensitive data is involved - to obviate session riding in some manner by another website, is helpful. Not that I don't completely trust NS to prevent XSS and CSRF etc, but I don't completely trust the automatic functions of the Moz update machine to leave my addons untouched at any single update episode plus I don't trust myself to reliably prevent corruption of my Firefox install from all causes; it's happened to me once that NS load-on-start was corrupted by a EDIT: Firefox version update and I'd been navigating with a couple of windows open before the third one opened with all active content blazing and I realised that NS wasn't running.

So I still think it's a good use of Firefox with NS to only open a single instance when running a secure session, independent of how secure your network may be from sniffing.

[Thrawn]

To be fair to the basic user, this is just one more reason for not using a network whose security you aren't confident in. Surely?

OK, but people will still use free WiFi. Because it is free, after all.

Not that I don't completely trust NS to prevent XSS and CSRF etc,

Well, when we're talking about an insecure network, you shouldn't trust NS to completely protect you, because an active attacker on the network can impersonate any plaintext site on your whitelist. Browser sends OCSP request, attacker responds with redirect to http://www.bank.com, browser requests bank.com via plaintext, attacker impersonates bank.com.

Forcing HTTPS is the only real defence here.

[Hecuba's daughter]

Well, when we're talking about an insecure network

That's sort of what I was trying to do.
I think I've understood you, that the reason relied on by many security advices for a single browser instance was to limit any non secure traffic from any other instances in the same session being able to "surfjack" insecure cookies by sniffing. And that the 2010 article points out that there's plenty insecure traffic going on behind the scenes anyway, so a single https window isn't a good enough protection on an insecure network. Unless, as you emphasise, you have strict https for everything.

But I still think a single window is also worth keeping as one of a layer of security defences, even if you completely trust the network you're using prevents sniffing - or any kind of traffic interception, because another web page, not anyone redirecting traffic, can be used in a CSRF/XSS kind of attack - ie, web page to web page - which NS protects against......... unless for some reason, such as corrupted Moz profile or system, NS doesn't load and protect a session.
In other words, maybe Tom T would be swearing, but not weeping?

Do I understand you, and am I barking up the wrong tree anyway?

[Thrawn]

You *can* use separate browser sessions as an extra layer of defence, but I wouldn't bother, since it's clearly fallible. You're probably better off with the following:

• Log out of sites as soon as possible (I personally love the Self-Destructing Cookies addon);
• Force HTTPS as much as you can stomach (eg HTTPS Finder, HTTPS Everywhere, or HTTP Nowhere if you're really keen);
• Filter cross-site requests with ABE or RequestPolicy;
• If you really want a separate session, create a second profile and launch it simultaneously using the -no-remote flag.