The first “complete” release of my Kiosk Browser application is now ready to be used.
As before, I’m really curious if any of you “security minded” individuals out there can help me think of ways to break this. The basic concept is to allow a computer to be used in a public space for only surfing a limited set of pages and nothing else. There is the assumption that the box itself is locked up, so only the keyboard, mouse, and video are physically available to the user.
I’ve put in a lot of features that are designed to keep the user from doing anything on the system other than surfing the allowed pages within the browser. Some notable highlights include:
- Password required to close the browser
- Limiting browser navigation based on a set of allowed DNS names, as well as pattern restrictions applied to the URL
- Disabling CTRL+ALT+DEL and other key combinations that would normally allow an application to be closed or switched
- Disabling a lot of standard browser functions (right-click, etc.)
- Automatically killing any new windows opened
- The ability to load in a completely separate desktop
- The ability to run the browser from the login screen, *without requiring (or allowing) any user to be logged in*.
As I said before, feel free to hammer on it or just theorize about how it may be possible to circumvent these restrictions, so that I will be able to counter any such measures effectively. I think it’s pretty solid right now, but it’s always possible that I’m overlooking something else.
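One way to implement the "allowed DNS names plus URL pattern restrictions" check from the feature list, shown as an added example that is not Kiosk Browser's own code. The policy object, the host names and the `checkNavigation` function are hypothetical; the point is that the decision is made on the parsed URL (scheme, host, normalized path), never on the raw string.

```javascript
// Added example: navigation filter for a kiosk browser (hypothetical names throughout).
// Constructed policy: allowed DNS names plus per-host URL path patterns.
const POLICY = {
  allowedHosts: new Set(["library.example.org", "catalog.example.org"]),
  // The path must match at least one anchored pattern for that host.
  pathPatterns: {
    "library.example.org": [/^\/$/, /^\/hours(\/|$)/, /^\/events\/\d+$/],
    "catalog.example.org": [/^\/search$/, /^\/item\/[A-Za-z0-9-]+$/],
  },
};

function checkNavigation(rawUrl, policy = POLICY) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser engine applies
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  // Only web schemes: file:, javascript:, data: and the like stop here.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  // Credentials in a URL make the real host easy to misread; refuse them.
  if (url.username !== "" || url.password !== "") {
    return { allowed: false, reason: "userinfo" };
  }
  // Non-default ports may reach a different service on an allowed name.
  if (url.port !== "") {
    return { allowed: false, reason: "port" };
  }
  // Exact match on the parsed, lower-cased hostname; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (!policy.allowedHosts.has(host)) {
    return { allowed: false, reason: "host" };
  }
  // Match the normalized path, so "/hours/../admin" is judged as "/admin".
  const patterns = policy.pathPatterns[host] || [];
  if (!patterns.some((re) => re.test(url.pathname))) {
    return { allowed: false, reason: "path" };
  }
  return { allowed: true, reason: "ok" };
}
```

The same check belongs on every navigation event, including redirects and frames, not only on what is typed into the address bar.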
2 Comments
KT Technology see http://www.kioskterminals.eu is always looking for new products and services. So if you would like us to test your Kiosk Browser on one of our demo machines and see if we can find any loopholes in it, we would be happy to assist. You can reach us on the email address we have provided.
Great work!