Sunday, November 29, 2020

Why you should be picky about allowing website notifications

Most websites run on advertisement income. And websites have the ability to create connections to your own computer from other Internet nodes through links, clickable images and push notifications that serve up ads or other content.  

Be wary of which sites you allow to send push notifications to your computer because these can also be used by nefarious entities to deliver fraudulent notifications. Fake notifications can serve up scareware that prompts you to install software to correct a "security risk" or click links to malicious websites that then deliver dangerous payloads to your computer.

Here is an example of an Adweek request, prompting to allow or block notifications:


The domain that delivered this prompt is adweek.com, as is visible in the URL.

If I select Allow, my computer would then be able to receive connections directly from adweek.com servers, completely outside of my browser, and with blanket permission to allow these external connections to my Windows or Mac desktop at any time. 

Another problem that arises from allowing notifications is the potential difficulty you may have in discerning a legitimate notification (generated by your operating system) from a third-party notification. 

For many years it's been a security habit of mine to choose Block on every such request. You can change your selection for each request—depending upon how much you trust the notification delivery domain—or you can configure your web browser to block all such requests. 

To learn how to manage these settings on your preferred browser, use a search engine like Google to query, for example, "Chrome turn off notifications," or "Firefox block notifications." These settings can be applied to browsers on your smartphone as well.
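To review which sites have already been granted permission, the following added example (not part of the original post) lists the origins a Chrome profile allows to send notifications. It assumes the JSON layout Chrome uses in its per-profile `Preferences` file, which can change between versions; the sample data is constructed, and `audit_notifications` is a hypothetical helper name.

```python
import json

# Constructed sample mirroring the assumed layout of a Chrome profile
# "Preferences" file. Origins are invented, apart from adweek.com (from the post).
SAMPLE_PREFS = json.dumps({
    "profile": {
        "default_content_setting_values": {"notifications": 2},
        "content_settings": {"exceptions": {"notifications": {
            "https://adweek.com:443,*": {"setting": 1},
            "https://news.example:443,*": {"setting": 2},
            "https://deals.example:443,*": {"setting": 1},
        }}},
    }
})

# Chrome content-setting values: 1 = allow, 2 = block, 3 = ask.
SETTING_NAMES = {1: "allow", 2: "block", 3: "ask"}


def audit_notifications(prefs_text):
    """Return (default for new requests, sorted origins allowed to notify)."""
    prefs = json.loads(prefs_text)
    profile = prefs.get("profile", {})
    # When no default is stored, the browser asks on each request.
    default = (profile.get("default_content_setting_values", {})
                      .get("notifications", 3))
    exceptions = (profile.get("content_settings", {})
                         .get("exceptions", {})
                         .get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if isinstance(entry, dict) and entry.get("setting") == 1:
            # Keys look like "<origin>,*"; keep only the origin part.
            allowed.append(pattern.split(",", 1)[0])
    return SETTING_NAMES.get(default, "unknown"), sorted(allowed)


if __name__ == "__main__":
    default, allowed = audit_notifications(SAMPLE_PREFS)
    print(f"default for new requests: {default}")
    for origin in allowed:
        print(f"allowed to send notifications: {origin}")
```

To audit a real profile, pass the text of that profile's `Preferences` file to `audit_notifications` in place of the sample; any origin it reports that you do not recognize is a candidate for removal in the browser's notification settings.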

Last week, Brian Krebs posted an article explaining why you should carefully consider whether to allow or block notifications when prompted. It is definitely worth a quick read. For more information, see Be very sparing in allowing site notifications at https://krebsonsecurity.com/2020/11/be-very-sparing-in-allowing-site-notifications/.

