dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
11728

planet
join:2001-11-05
Oz

1 recommendation

planet

Member

Leaving browser open with multiple tabs for extended period

Wondering if people think its a security risk to leave browser open with multiple tabs for an extended period. My daughter tends to do this. She logs onto her school website and begins a lesson. She then closes the laptop which doesn't go to sleep or hibernate, stays on 24/7 while running. The browser stays up with her logged onto the education site and any other sites she might be looking at, sometimes for days. Overall, from what I've read elsewhere, it seems benign unless you are sitting on a malicious site already which could jeopardize the PC immediately.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky

Premium Member

I do that all the time, I've kept Palemoon 15 open for a week straight.

StuartMW
Premium Member
join:2000-08-06

StuartMW to planet

Premium Member

to planet
I don't see a problem either. I usually leave my browser open but on some page that won't automatically refresh. As per trparky See Profile it may be open for a week (all gets shutdown during my weekly full backup).

jack b
Gone Fishing
MVM
join:2000-09-08
Cape Cod

1 recommendation

jack b to planet

MVM

to planet
The only thing about having one or more windows "open" is maybe hogging some system memory, or perhaps using a little bit of bandwidth if it has any auto-refreshing elements.

planet
join:2001-11-05
Oz

planet

Member

Good to know..I'll lay off my daughter and let her leave browser on if she so chooses. Thanks Gentlemen.

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky to jack b

Premium Member

to jack b
Well, I have 12 GBs of RAM so it doesn't matter to me. I have a 64-bit OS and a 64-bit browser (Palemoon) so having it open for a week at a time doesn't really hinder browser performance.
nonymous (banned)
join:2003-09-08
Glendale, AZ

nonymous (banned) to planet

Member

to planet
After some length of time my school website will log me out if it is just sitting there. So after awhile most legit sites will log you out and for all intents there will not be a connection anyways just a old unrefreshed screen image of last page on site visited.
They do not have the resources to keep unactive users logged in plus well better security if someone just forgets to log out.

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY
·Charter
Ubee EU2251
Ubiquiti UAP-IW-HD
Ubiquiti UniFi AP-AC-HD

Smith6612 to planet

MVM

to planet
A lot of secure sites should expire the login after a certain amount of time. But no, it's not a problem leaving the browser open all the time. I've left Firefox open for a month before, and yeah, while it leaked a ton of memory during that time it never left a hole that could compromise the machine if it was just sitting there running, not loading up anything new and the system itself was properly secured.

ashrc4
Premium Member
join:2009-02-06
australia

1 recommendation

ashrc4 to planet

Premium Member

to planet
said by planet:

She then closes the laptop which doesn't go to sleep or hibernate, stays on 24/7 while running. The browser stays up with her logged onto the education site and any other sites she might be looking at..........

Physical access by someone nefarious and transporting a running laptop aren't good idea's(.)

trparky
Premium Member
join:2000-05-24
Cleveland, OH

trparky

Premium Member

At least make it so that the computer locks itself behind a password after some time. That way it's somewhat secure.
OZO
Premium Member
join:2003-01-17

OZO to planet

Premium Member

to planet
It depends from the browser and how you run it. For example, one process may run several multi-tab windows simultaneously. From my experience they all may share login info and perhaps are vulnerable to cross-siting scripting malicious attacks, sharing history and other data between opened sites (which is always bad). If I don'[t want it to happen, I make sure that I start IE in a different process and login there. Then close it if I'm done. There are several ways to start IE in separate process. Watch for them in Task Manager (or similar tools). Make two different shortcuts to launch IE in those two modes (same process or different process).

Launching new IE for login in banks, online shops, may be school and other sites should be done using only separate process mode. And it's always recommended to close browser after that...

Not security, but very common issue with IE is - it may leak memory and in a while of sitting in background (presumably doing nothing) it may take 800-900 MiB of memory (critical for my old computer). That forces me to kill it... If I have one-process-several-windows usage it mean that I have to abandon all opened sessions that could be very useful at the time to keep. But, in such case, there is no way to avoid the kill. It could be very frustrating experience when it happens, I may tell you...

red2
@fastwebnet.it

red2

Anon

I think many responses miss the question inherent in the original post.

It's similar to the issue of whether having a broadband connection opens you up to more risk or not. It does, but it doesn't have to.

In one sense, the longer you are on the internet, the more potential risk you are exposed to. But if you are logged on to a bunch of sites via multiple tabs, does the risk increase from the first minutes? So if you are logged on for an hour or a day, does that increase the potential risk that those websites pose? Does being logged on and leaving the computer unattended pose additional risk?

Ae there delayed attack scenarios or attacks based on unattended computers? Does time affect the risk?

I believe this is the question that is being raised.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

said by red2 :

Ae there delayed attack scenarios or attacks based on unattended computers? Does time affect the risk?

I believe this is the question that is being raised.

Yes, I agree that is the question being raised.

I wonder if the answer is simple or complex. I don't close my browsers (I might be running 3 at the same time on my host machine and 2 or 3 running on a virtual machine) until one locks up or until I reboot that machine. I may reboot, or shut down, for several days the virtual machine every month or so. The host machine runs 100 days, or more, without rebooting and the browsers remain open all that time to probably 200 tabs if you combine the number of tabs open on each machine. (This machine runs XP Pro SP2 so I don't reboot once a month for Microsoft Tuesday).

I have used the Proxomitron on all machines since around the end of 2001 and that may make a difference. I don't get infected but I practice safe hex so I don't have tabs open to known risky sites and Proxo strips out the ads, locks down nasty Iframes, etc. and, until recently, has always provided a toggle switch for Flash and Java so they don't run until I click the toggle switch. On IE8 now though, at Youtube, videos just start playing. That is Google hating XP users who can't upgrade IE to IE 9, but that could possibly cause a security problem if I left IE unattended on Youtube and with a tab there open. (I can't use Flash on Fx because the audio is unsynchronized and it is Fx 10ESR which Google is also banning). So, there possibly is some risk depending on the version of the browsers left open with tabs open, where the tabs are open to, whether or not there is some kind of ad blocker, Proxomtron, NoScript, classic HIPS, etc being used.
scross
join:2002-09-13
USA

scross to planet

Member

to planet
I run several browsers (Opera is my current favorite), any one of which may be sitting there with a ridiculous number of tabs open, some possibly for weeks, even. My system is heavily armored, though. The biggest problem I run into is memory leaks and other instabilities, and Opera has a hibernate mode which I always try to use when I walk away for any length of time, which is one reason why it's still my favorite.

Another issue that I've run into in the past (not recently, though) is web pages that have a Javascript or other routine on them which generates spam under my name. (There's nothing quite like going to bed, leaving your browser up and running, and then logging into your email account the next morning, only to find tons of angry email about "all that spam you've been sending me!") These usually only kicked in when activity was very low and they wouldn't be noticed, which would typically be when you were away from the computer.

Another potential issue which comes to mind, and one that I may have been a potential victim of myself at one point in the past, is that if the person on the other has some way of knowing that you are away from the computer (maybe they've hacked your webcam or something), then they can start doing things that would otherwise be obvious if you were sitting there watching. That is, opening and closing windows, changing system settings, and so on.

So how come your daughter's system DOESN'T go into sleep or hibernate mode when she closes the lid? That's pretty standard behavior right out of the box, implying that you have intentionally disabled it for some reason.

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller to trparky

Premium Member

to trparky
said by trparky:

Well, I have 12 GBs of RAM so it doesn't matter to me. I have a 64-bit OS and a 64-bit browser (Palemoon)

Sounds like a brand of beer.

StuartMW
Premium Member
join:2000-08-06

StuartMW to scross

Premium Member

to scross
said by scross:

So how come your daughter's system DOESN'T go into sleep or hibernate mode when she closes the lid?

I had the same thought but simply assumed that it is AC powered (otherwise the battery would be run down). But then why close the lid?
scross
join:2002-09-13
USA

scross

Member

said by StuartMW:

said by scross:

So how come your daughter's system DOESN'T go into sleep or hibernate mode when she closes the lid?

I had the same thought but simply assumed that it is AC powered (otherwise the battery would be run down). But then why close the lid?

Every laptop I've seen (AFAIK) immediately powers down the laptop display when you close the lid, and then a short while later powers down the rest of the system, into sleep mode. This is controlled (usually) by a magnetic switch on the lid, with the exact sequence and timing of events controlled in the BIOS and/or Windows itself. I can't think of a good reason why you wouldn't want something like this to be the default behavior, although there have been occasions when I've found it useful to override it temporarily.

planet
join:2001-11-05
Oz

1 recommendation

planet to StuartMW

Member

to StuartMW
said by StuartMW:

said by scross:

So how come your daughter's system DOESN'T go into sleep or hibernate mode when she closes the lid?

I had the same thought but simply assumed that it is AC powered (otherwise the battery would be run down). But then why close the lid?

I can't remember now but when she got her laptop back in '07 there was some issue when it would sleep so just left it powered on. It is AC powered. Battery has needed replacement for some time now. The top gets closed to keep the dust down on the screen.

StuartMW
Premium Member
join:2000-08-06

StuartMW to scross

Premium Member

to scross
Click for full size
said by scross:

Every laptop I've seen (AFAIK) immediately powers down the laptop display when you close the lid...

That is configurable. You can have it do nothing if you wish.
PX Eliezer704
Premium Member
join:2008-08-09
Hutt River

PX Eliezer704 to planet

Premium Member

to planet
said by planet:

The browser stays up with her logged onto the education site and any other sites she might be looking at, sometimes for days.

I personally think that this has to increase your risk after a while.

While duration of login may be a minor factor, it surely is on the list somewhere.

I think that the other issue is that it is placing more burden on the websites that are being logged into.

For example, a school runs its own server, or buys dedicated space on another server, anticipating a certain usage.

Imagine if a large number of students were like your daughter, staying logged in all the time....

There may well be capacity issues.

And perhaps there are billing issues too, if the school is using someone else's resources....

Does your daughter leave the shower running 24/7? Does she leave the lights on all the time?

You know, it is people like your daughter that are pushing the ISP's towards metering, and away from unlimited usage....

Smith6612
MVM
join:2008-02-01
North Tonawanda, NY
·Charter
Ubee EU2251
Ubiquiti UAP-IW-HD
Ubiquiti UniFi AP-AC-HD

Smith6612

MVM

I HIGHLY doubt the educational site is consuming much bandwidth at all. Also as mentioned before, a secure site or one anticipating X amount of traffic would also log off idle users by expiring their cookie and login session. This has nothing to really do with data caps. If an ISP can't handle 2KB/minute of session traffic they shouldn't be in the ISP business.

Also, most "educational resources" are paid for, especially multimedia-heavy resources. Just go to any college and ask a student how they do their online homework. Bets are, they paid at least $100 just to access it for a few months for a single course. I doubt the site pays that much in bandwidth and server costs even if you were to leave the site open for the whole session of the course. After all, it isn't 1 server, one user. It's 1 server, hundreds to thousands of users.

therube
join:2004-11-11
Randallstown, MD

therube to trparky

Member

to trparky
> I have 12 GBs of RAM ... a 64-bit OS and a 64-bit browser (Palemoon)
> so having it open for a week at a time doesn't really hinder browser performance.

If you had enough opened, running, at once, it would hinder browser performance regardless of how long your browser was opened.

If I take my existing Session Restore & open that, fully, having 12 GB RAM, a 64-bit OS & 64-bit browser (SeaMonkey), my browser performance was severely impacted, just from opening from Session Restore. Not to mention that I'm not sure it ever finished "loading". I gave up after a couple hours. I think it had used up ~8 GB RAM at that point in time.

Much RAM, 64 this & 64 that & throw enough at it & it won't matter. Still sucks.

And lets look at it from the other end.

Much RAM, 64 this & 64 that & don't throw much at it & all is well. But then the same could be said about lesser RAM & 32 this & 32 that .

Trying to think ... 32 OS & 32 browser, was getting stretched, about to fail ~1.8 GB or RAM usage. with 64 OS & 32 browser, you can get (don't recall exactly) but cleanly in the 2 GB range, & most likely would not run into problems until getting closer to 3 GB RAM usage range. And like I said, I've had 64 OS & 64 browser using huge amounts of RAM but it was not a pleasant experience.
therube

therube to planet

Member

to planet
> security risk to leave browser open with multiple tabs for an extended period

For me, no.
I have LOTS open at once, though not all fully loaded.

I typically restart my browser once a day (updating daily), saving to Session Restore, then reopening from same on restart.

JavaScript is always disabled on restart, used sparingly otherwise, & any sites temporarily allowed, typically revoked from time to time.

Plugins are blocked (Flash, Java if I used it, & others), so it is not like Flash on www.yahoo.com or on youtube.com is going to be constantly loaded (or even loaded at all). Sometimes I may manually kill plugin-container.exe, taking all open plugins away with it.

So all the main avenues for exploit are blocked.

When I put my computer to sleep, it does actually go to sleep, so at that point nothing is exploitable.

618 tabs across 50 groups in 50 windows
59 tabs have been loaded
583 unique addresses
223 unique hosts
566 http:
47 https:
 

Woody79_00
I run Linux am I still a PC?
Premium Member
join:2004-07-08
united state

1 recommendation

Woody79_00 to planet

Premium Member

to planet
To answer your question...yes it probably does.

Depending on your config (Routers have UnPNP) etc it could be possible that leaving a browser open could leave ports in a semi-open/listening state...

again this depends on what browser your using...but the premise remains the same...in order to browse the web your pc has to be able to accept and send traffic from the internet which means ports are open/semi open.

How about opening up all your tabs, and then open a command prompt on windows and type netstat -a

see how those connections are handled and the ports active states.

this is a personal choice...IMO i wouldn't do it...but thats just me....your going to have to netstat and dig and see how your browser/router/system handles those connections and see if your comfortable with that.
Libra
Premium Member
join:2003-08-06
USA

Libra

Premium Member

If you leave your browser open with a few tabs all the time but the computer goes to sleep or hibernate after a while, it is protected during sleep and/or hibernate?

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer to planet

Premium Member

to planet
I'm mildly surprised that the school network doesn't log the user out after some predetermined period of inactivity. That sounds like a breach waiting to happen.

Alt-F4 is an automatic for me, especially after logging out of sensitive sites. I also close all browsers and applications before logging in, and don't browse other sites when signed in.

Although there may not be exploits today that attack from other tabs in an open session, that in no way means they won't or can't be created.

planet
join:2001-11-05
Oz

planet

Member

Thanks again for the responses. I'll have to try a netstat after its been sitting awhile. The site itself is a secure site but I think it is indirectly connected with the school. It's a site where she accesses her lesson plans, completes homework assignments, etc. I would think it would auto log off but it doesn't appear to. When I've closed the site previously, I've logged her off first and this is after it has sat for at least a day. Much of what people are saying has been my thinking that this is possibly a risky situation leaving a browser with ports open running for extended periods unattended. I personally never do it but then again, I'm more paranoid than is probably realistic.

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer

Premium Member

said by planet:

...It's a site where she accesses her lesson plans, completes homework assignments, etc. I would think it would auto log off but it doesn't appear to.

To me, submitting homework under the student's user credentials is enough for me to want to log off and close out browser sessions.

Once the browser sessions and any applications used to compose the homework are closed, the applicable ports should go to TIME WAIT then close.

It literally takes only a few seconds to close everything out. There's no reason to leave access to sensitive stuff open when you don't need to.
OZO
Premium Member
join:2003-01-17

OZO to planet

Premium Member

to planet
We know from the past that cross site vulnerabilities could happen at any time with any browser. So, it's the question, do you want to play the roulette or better go safe and close the browser after completing the session? Because I can't make comprehensive tests of all my browsers, that I'm currently use, and, therefore, I'm not sure, that it could not happen with me, I usually go the latter way - I close browser after any secure session. It's simple and effective way to stay away form unneeded and unexpected troubles...

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to planet

Premium Member

to planet
In basic conditions yes.

With a browser set up with javascript enabled, all plug-ins enabled and the browser set to refresh images and pages, sooner or later if a site is infected they will pass down the infection.

If you set up the browser properly to start with, plug-ins set to prompt, and others such as scripts dot turned on it would extend the odds of staying clean. If all the sites are trusted you use and they never get infected by an exploit then it would be a never for your question.

Either way, it all boils down to your browsing habits, not specific browser problems that get you infected, and any amount of tabs open will not change the infection rate speed, other than to heighten volume possibly, 1 or 10 malware/exploits will still have lots of fun.

I'd be looking more at my own habits before worrying too much about what the browser is doing.