Detect Safe Browsing to Go, known by the less wordy “DSB2Go,” is a nifty USB device that offers users a locked-down personal Web browser to protect users’ Web activity and accounts from malware designed to intercept login credentials and steal information. With DSB2Go, it doesn’t matter if the computer has keyloggers or other types of malware installed, because all user activity and data are encrypted within the device’s hardened browser. It is extremely easy to use, as the user just has to plug it in to the computer before logging into the site.
DSB2Go protects users from malware infections, phishing attempts, and pharming attacks. The device also foils man-in-the-middle and man-in-the-browser attacks. There is usually a trade off between security and convenience as the user gives up ease-of use to be secure, or being less secure in order to make it easy to use. DSB2Go balances the two successfully, as the only inconvenience is remembering to carry the USB device.
Many kinds of modern malware burrow deep into the user system in order to avoid being detected by antivirus and other security products. This means users may not even be aware their computers are infected with a banking Trojan or other data-stealing malware. When users access sensitive sites, such as online banking or business applications, from an infected computer, the malware intercepts login credentials and can take over the account. DSB2Go removes the uncertainty, since as long as the users are using the virtualized Web browser, all Web activity and data is encrypted and hidden from the malware. Even if the user is on a Zeus-infected computer, the malware can’t penetrate the DSB2Go environment to access the data.
The device doesn’t try to protect all Web activity but just those sites administrators identified beforehand in a whitelist on the management portal. Businesses can use DSB2Go as an extra layer of security to protect employees accessing certain business-critical applications, or roll out the service to customers accessing a specific online service. At $37.89 per device for an annual subscription, this can become a fairly expensive solution for large deployments, but Easy Solutions offers volume pricing and discounts.
Before making the plunge, businesses can also sign up for a 15-day free trial, during which they get three DSB2Go USB devices and the ability to whitelist up to three sites on the management portal.
Easy Solutions sent a USB device and created an account on the company’s Detect Monitoring Service portal for this review. The company’s IT administrator logs into the portal and navigates to the “DSB2Go” tab to activate devices, create groups, define “protected applications,” and view usage activity. When I logged in, I saw the USB drive I had was already activated.
If I had additional devices, I could activate it using the serial numbers. I could set a password for each device and assign a “group.” Groups allow administrators to assign basic policies to the device, such as the types of applications the user could access and authentication requirements.
Groups, Devices, Sites
After creating a group, I can set the device’s security level–entering the device password or a unique username/password combination before the hardened Web browser launches–or turn it off to use the device without any restrictions. Each device is then assigned to a group.
This way, I could ensure all the devices within a department had the same security level.
The interface was pretty sluggish, which may have been the fault of the test environment I was using. The pages took a while to load when switching tabs, and some windows didn’t close right away.
The whitelist lives in the portal’s “protected sites” section. I listed all the URLs to sites users are allowed to access using DSB2Go. This part can get tedious quickly for applications which redirects across several subdomains since administrators must specify each address separately. Gmail redirects users to accounts.google.com before displaying the inbox on mail.google.com, for example. For this review, I listed Gmail, Salesforce, TDBank, and Bank of America. I listed both onlinebanking.tdbank.com and www.tdbank.com for TDBank. If the URL I am adding has SSL (uses HTTPS), then I have to upload the site’s certificate.
I can do this manually (downloading the site certificate through the regular browser, or if it is an internal application, using the SSL certificate I have) or use the “scan for certificate” feature. This nifty trick checks the URL and grabs the valid SHA1 fingerprint. Saving the SSL certificate protects users from domain hijacking and other spoofing attacks where users are maliciously redirected to other sites.
I assigned at least one group to each URL. This way, I maintained a single whitelist for the entire organization but could specify a subset for each group. If the site’s group didn’t match the device’s group, the user would not be able to go to that site.
While the list is easy to create, it can get long pretty quickly because of the individual sub-domains that need to be rested. There is no quick way to search or sort the URLs. I was able to filter the view to display URLs assigned to specific groups, but overall, the list is unweildy to work with after a certain length.
The end-user doesn’t have any control over what sites the device allows. The entire user experience is managed by the administrator via the portal. This is a great way for adding basic access policies to certain business applications.
Simple for Users
From the user perspective, it’s dead simple: plug in the drive into the USB port and open up the special Web browser. The Web browser displays icons for each site the device is authorized to use. After about four or five sites, this screen appears really cluttered and there doesn’t seem to be a way to sort the order the icons appear in.
Users click on the icon to go to the permitted site. If there is a problem with the SSL certificate, the user will be blocked.
Other than the fact that the user cannot type in a URL at all in the address bar, this special browser acts just like any other browser. Users can hit the back button to go back in the browsing session and open multiple tabs.
If while browsing through the approved application, an internal link goes to a different subdomain that wasn’t already approved (such as customerservice.tdbank.com in the above banking example), the user is automatically blocked. It would have been nice if the configuration service supported wildcards, so I could just say accept all *.tdbank.com sites without having to list each one individually. On the other hand, this means administrators have granular control, being able to specify which services are allowed: users are allowed to use Gmail and Calendar, but not Groups and Drive, for example.
The fact that the end-user doesn’t have to download or install software was a big plus, although I wondered how many people would lose the USB drive or forget to keep it within reach.
I was disappointed the service is currently limited to only Windows users. Mac OS X and Linux users are currently not protected. When I plugged the device in to a Linux laptop, it didn’t even detect anything in the USB port.
Secure Browsing–Up To A Point
There are other virtual browser options for businesses, but many of them are out of the SMB’s reach. DSB2Go addresses the fact that SMBs need this kind of browser technology, too.
Since all the settings are handled by the cloud service, DSB2Go is perfect for active business travelers who use different devices or access the Internet using open networks, or for customers who need to access a specific service or application. I am concerned about the fact that there is no way for administrator to verify that users are actually using DSB2Go. The user can easily skip the drive altogether and just use the regular Web browser.
Taking advantage of security provided by DSB2Go requires a significant behavior change, as the administrator has to convince the end-user that using this device is worth the extra effort. Other than that, though, DSB2Go is a nifty device that can really help businesses keep their customers and employees while accessing sensitive Web sites.
|OS Compatibility||Windows Vista, Windows XP, Windows 7, Windows 8|
Copyright © 2012 Ziff Davis, Inc