Saturday, November 01, 2008

Browser Security – bolt it on, then build it in

Originally published in (in)-secure magazine #18.

Whether improving ease-of-use, adding new developer APIs, or enhancing security – Web browser features are driven by market share. That’s all there is to it. Product managers perform a delicate balancing act of attracting new users while trying not to “break the Web” or negatively impact their experience. Some vendors attempt an ├╝ber secure design - Opus Palladianum as an example, but few use it. Others opt for usability over security, such as Internet Explorer 6, which almost everyone used and was exploited as a result. Then, somewhere in the middle, is fan-favorite Firefox. The bottom line is that any highly necessary and desirable security feature that inhibits market adoption likely won’t go into a release candidate of a major vendor. Better to be insecure and adopted instead of secure and obscure.

Fortunately, the major browser vendors have had security on the brain lately, which is a welcome change. Their new attitude might reflect the realization that a more secure product could in fact increase market share. The online environment is clearly more hostile than ever, as attackers mercilessly target browsers with exploits requiring no user intervention. One need only to look at this year’s massive SQL Injection attacks that infected more than one million Web pages, including those belonging to DHS, U.N., Sony, and others. The drive-by-download malware had just one goal - compromise the browser - with no interest in looting the potentially valuable data on the sites. Of course, we still have the garden-variety phishing sites out there. This leads to questions regarding the benefits of end-user education. Users are fed up. So let’s analyze what the Mozilla and Microsoft camps have done in response.

Buffer overflows and other memory corruption issues in the most recent browsers are declining, plus the disclosure-to-patch timeline is trending properly. Firefox 3 and Internet Explorer 7 now offer URL blacklists that block phishing sites and other pages known to be delivering malware. These features are reportedly a little shaky, but it’s clearly better considering there was nothing in place before. Firefox 3 provides additional visibility into the owners of SSL certificates and make it more challenging to blindly accept those that are invalid or self-signed. IE 7 offers a nice red/green anti-phishing toolbar that works with EV-SSL to help users steer clear of dangerous websites. Overall, excellent progress has been made from where we were just a couple years ago, but before the vendors start patting themselves on the back, there’s also some bad news.

If you ask the average Web security expert if they think the typical user is able to protect themselves online and avoid getting hacked, the answer will be an unqualified “no”. While browser vendors are addressing a small slice of a long-standing problem, most people are not aware of the remaining risks of a default install of the latest version of Firefox or Internet Explorer. When visiting any Web page, the site owner is easily able to ascertain what websites you’ve visited (CSS color hacks) or places you’re logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that’s not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF). The list goes on, but DNS-rebinding attacks get a little scary even for me, and it’s not like we haven’t known of these issues for years.

The browser security oxymoron hasn’t escaped the watchful eyes of the media’s Dan Goodin (The Register) and Brian Krebs (Washington Post), who figured out that something isn’t quite right. Nor Robert “RSnake” Hansen (CEO, SecTheory), who is a little confused as to why organizations such as OWASP don’t pay closer attention to browser security (recent events have shows signs of change). According to sources, only about half of IE users are running the latest, most secure and stable version of the browser. And again, if you ask the experts how they protect themselves, you’ll receive a laundry list of security add-ons, including NoScript, Flashblock, SafeHistory, Adblock Plus, LocalRodeo and CustomizeGoogle. Even with these installed, which relatively few people do, openings still exist resulting in an increasing number of people virtualizing their browsers or running them in pairs. Talk about extreme measures, but this is what it takes to protect yourself online.

Today, my philosophy about browser security and the responsibility of the vendors has changed. In my opinion, the last security-mile won’t and can’t be solved efficiently by the browser vendors, nor should we expect it to. I fully appreciate that their interests in building market share conflicts with those security features experts request, which by the way never ship fast enough. To be fair, there really is no way for browser vendors to make the appropriate amount of security for you, me, or everyone in the world while at the same time defending against all of the known cutting-edge attack techniques. Everyone’s tolerance for risk is different. I need a high-level of browser security and I’m OK if that means limiting my online experience; but, for others that could be a non- starter. So, this leaves the door open for open source or commercial developers to fill in the gaps.

I was recently talking with RSnake about this and he said “I think the browser guys will kill any third party add-ons by implementing their own technology solution, but only when the problem becomes large enough.” I think he’s exactly right! In fact, this has already happened and will only continue. The anti-phishing toolbars were inspired directly from those previously offered by Netcraft and eBay. The much welcome XSSFilter built into the upcoming Internet Explorer 8 is strikingly reminiscent of the Firefox NoScript add-on. Mozilla is already adopting the model themselves by building their experimental Content Security Policy add-on, which may one day work itself into a release candidate.

At the end of the day, the bad guys are going to continue winning the Web browser war until things get so bad that adding security add-ons will be the norm rather than the exception. Frankly, Web browsers aren’t safe now, because they don’t need to be. So, until things change, they won’t be… secure.

9 comments:

Mol10 said...

I wonder what you would say about another browser, Opera, regarding the security-usability trade-offs, and how its security fares compared to Firefox.

Anonymous said...

Hi Jeremiah,
I and my colleague are working on a personal project which we want to present during a forthcoming IEEE conference being hosted in our university in mid-december/early january. The project investigates new ways of communication between individual people,and people interacting with their physical environment through the use of webbased and mobile technologies.
It tries to recreate people into 'data' , so that they can reside (if they want) on a replicated digital world which is ontop of their physical real world environment.
We want to target the idea concept at telecom operators. - we intend to invite executives from the 3- major telecom operators in my country.
This is the very first time i'll be making a presentation. I'm not what to do, i've been online getting sample presentation-templates and docs on how to give a good presentation.
Though the idea concept is still in infancy, giving a good presentation will go a very long way in getting sponsorship and support for the notion.

My question is:-
How do you give a good presentation..?

David,
Nigeria.

Chris Snyder said...
This comment has been removed by the author.
Chris Snyder said...

I think one of the best features any browser-maker could implement is the easy creation of site-specific browsers.

Give them real teeth:

- Complete profile separation, so they don't share history, cookie, or keychain data between browser instances

- Domain isolation, so that external links always open in the default desktop browser

- Easy re-branding so that users can just click their bank's logo to log in to their account

Fluid.app (built on Safari) is a great prototype, but it (like anything else Mac+WebKit, including Dashboard widgets!) shares a profile with Safari, which is incredibly dangerous.

Jeremiah Grossman said...

@mol10, the point that I was trying to get across was not that one particular browser was better than another. Instead that popular browsers will not be secure against the latest and greatest threats (2-3 years). They'll instead rely on third-party component vendors to vet out certain security implementations, which when they reach enough adoption, then they'll build them in by default.

@anonymous, that's a very large question. 1) The first is, have something compelling to talk about and share with the audience why it should be important to them. 2) Tell a story, be entertaining, and engage the audience. After all it is a presentation. 3) Practice. Practice. Practice.

Anonymous said...

Thanx Jeremiah . .

David.

Arshan Dabirsiaghi said...

Who practices their talks? Jeremiah puts the BJ in BJJ~

Scott Wright said...

I see a subtle shift away from browsers for sensitive interactions. With the explosion of apps in the iTunes app store, people seem to be more willing to have dedicated apps for specific purposes than they have been over the past 5-10 years.

Client-side apps can be dedicated to authentication and authorization, can be lightweight, and once the secure session is set up, the server can do the bulk of the work.

So, maybe we shouldn't expect the browser vendors to help out, but if they don't, they may end up losing more of their user based for important use cases.

What do you think?

Anonymous said...

That's a great point that Scott Wright made, suggesting that locally installed apps such as the iTunes model could be the norm of the future where security and such things as online purchases are handed off to an App that does not reside in the browser.

I would like to read a column from you Jeremiah on "cloud computing".

I have yet to read anything but enthusiastic accolades to the concept of depending on distant computers to not ony feed apps but store the resulting data from minute-to-minute business functions distributed across multiple computers and networks.

With all of the mounting security issues for ISP's, webhosting companies, backbone companies, network companies, content server distribution companies, data hosting companies HOW in the world does "cloud computing" not exponentially exacerbate important security issues?

Google can pay for the top IT and security engineering talent in the world. Some smart kids in China hacked them and they did not discover it for months. I have a Gmail account--it analyzes every email I type, every word, even if I am trying to share a username and password with a client for getting into a website I have built. Google's servers have stored the content of every communication back and forth in my Gmail account and use it to serve up ads and who knows what else.

When I tried their Documents app online it stored, and I have no doubt scanned and analyzed every document in my Gmail-associated Documents application. This is one example of early cloud computing.

Yet at any time a disgruntled or unscrupulous employee at Google anywhere in the world can access all of my Gmail and Documents data and no one at Google will be the wiser until too late if it is used against me in some scheme.

When cloud computing arrives full force you have a vast network of distributed data now accessible to new hacking methods and many more employees with their own agendas employed all over the world.

It is impossible now to avoid having personal data, from credit card accounts, personal websites, banking, travel itineraries, etc scattered all over the globe in some of the most horrifyingly vulnerable exposures possible--such as on the laptop of some outsourced employee in Karachi.

Is there any plausible reason that the advent of Cloud Computing is not going to be the hugest recipe for corporate and personal security catastrophes of the near future!