Is There Room For a Secure Web Browser?
An anonymous reader points out an eWeek story about researchers at the University of Illinois at Urbana-Champaign who are designing a new web browser around security. The new software, code-named OP for Opus Palladianum, separates the browser's components into subsystems that are monitored and managed by a browser kernel. Quoting:
"'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."
M$ has a malware problem. I'm all for better design but we should avoid sweeping generalizations about computer security. It's not a "computer virus" it's a Word Macro, a pdf pass through exploit, an Outlook problem, etc. People who pretend to be "platform neutral" are either ignorant or trying to sell you something second rate. Any platform can use more security but only one of them really needs it.
The general approach sounds much like what any browser, or any program for that matter, already does. A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me. All modern software is as modularized as possible. What's really going on here besides Microsoft Research hype?
Friends don't help friends install M$ junk.
Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.
The road to tyranny has always been paved with claims of necessity.
Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.
Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.
So no.
This is just another layer of software to further destroy the performance of our modern PCs. Even just to render a string on-screen in a web app goes through numerous layers on a typical Linux system:
1) The browser's UI layer.
2) The GUI toolkit's high-level rendering layer.
3) The GUI toolkit's low-level rendering layer.
4) Xlib.
5) The network connection, UNIX domain socket or shared memory between Xlib and the X server.
6) The X server's high-level graphics layer.
7) The X server's low-level graphics layer.
8) The X driver.
9) The Linux kernel.
10) Finally the hardware itself.
So even a "Hello World!" app for a browser goes through at least 10 layers of code, and that's in an ideal situation. It's no wonder that PCs today don't feel any faster than those of a decade ago, even though we've got hundreds of times the processing power and RAM; we keep slowing them down by adding further layers for such basic operations.
No, Gecko/WebKit got so popular because of how bad a) ActiveX was and b) how much of a pain it was to get IE to render simple things. What we need is less bloated browsers, ones that don't use up 100+ MB of RAM, along with faster browsers. As for security, as long as it is open source it will probably be patched and kept up to date well enough to deal with all the problems except the one typing on the keyboard.
There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
The solution for a more secure browser isn't to gild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.
If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.
By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.
You can't send a takedown notice to an already printed newspaper.
I figure that once everyone starts linking to the "no fucking ads so we can read the article comfortably" link, they'll stop providing it. I, for one, would like this feature to continue to exist.
Security isn't important enough to people right now to make them change away from IE (or older versions of it). A new browser deemed more secure will be met with even less interest: people who don't want to deal with current security features in Firefox like the NoScript and AdBlock plugins surely won't want to fiddle with something having even more restraints.
I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).
I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.
Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
I'm not sure if you're being witty or just naive, but this really does appear to be a general software engineering strategy that works. I don't know much about how Windows' kernel works, so I can't say whether their implementation is any good; I suspect that their business imperative to provide backward compatibility and rich APIs has probably hindered their efforts on the security front.
But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Postfix, for example, is actually a collection of simple applications. One application does queueing, one specializes in spewing SMTP, one specializes in receiving SMTP, and so on. Also, system call policy enforcement mechanisms (à la systrace) and privilege separation (like in Apache or SSH) can be formally verified to work. I think UIUC is on the right track here. Whether their browser becomes THE web browser is somewhat unimportant, since they're researching an area of security that has had a fair amount of attention from good programmers but not computer scientists. In some ways this is the ultimate in enforcing "object-oriented"-ness: code isn't just a collection of modules, the application is a collection of small applications, too.
How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.
To me a secure browser would be non-modular, and be pretty slim on the list of features.
NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
No giving out referrer info unless you say so
strict cookie control
mike's ad blocking hosts file built in, and configurable (or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
JavaScript turning off URL bars, resizing windows? I don't think so. Leave that to the user.
And I'm betting there are 20 other things I haven't thought of that are mandatory. The web browser has become so fluid that there are tons of entry points to a user's system now.
This browser seems like the sort of thing that big companies might like to install on their workstations. After all, they don't care that much about usability (my university currently has right clicking disabled--there are quite a few things that are harder or impossible if you can't right click). I don't mean to say that this browser will be unusable--it's just that a corporation might sacrifice speed and flexibility for security. This browser might also be good for kiosks.
A cat can't teach a dog to bark.
I know, I know... this is Slashdot, I shouldn't bother. But IE 7 on Vista (running in Protected Mode) is pretty damn secure.
While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)
Besides, you clearly take advantage of the karma bonus that the ad-ridden stories provide ;).
IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.
Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why with all the processing power and extensions to the processor that a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade off.
This kind of thing can already be done presently. Just in a less efficient and less fine grained manner. Linux or similar in a VM.
Just take Firefox Portable and disable many of the nasty defaults like third-party cookies etc. Then load all the paranoia extensions like no-script, safecache, safehistory, refcontrol, cslite etc. and you can create a pretty secure browser without having to develop one yourself.
You want fun, go home and buy a monkey!
I think that's the security model our government uses. Wrap everything in massive layers of bureaucracy and nothing bad happens. Of course, nothing good happens either, but that's OK.
Well not to say that Lynx is perfect but I'd like to note that the first link shows an exploit over 10 years old and the second is almost 3 years old. Both have been addressed.
These guys are researchers, why do you think their goal is to make a separate, competing browser? Generally, that only happens if the market is dumb enough to miss potential, if indeed it has some.
If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.
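The two comments above describe the same design from two sides: the Postfix/privsep comment (an application as a collection of small, mutually distrusting programs with explicit messages between them) and this one (every page in its own address space with the rules enforced by something below it). The following is an added example of that pattern, written for this page rather than taken from OP or any browser: a "browser kernel" forks each page into its own process, strips the page process of the ability to open any new file descriptor, and services its requests only through JSON messages checked against a policy. The policy format, the allowed hosts, the in-memory FAKE_NETWORK standing in for real HTTP, and the request list are all constructed for the example; OP's actual policy language is not described on this page. POSIX only (fork and rlimit), standard library only.

```python
"""Toy OP-style browser kernel (added example, not OP's code).

Each page runs in a child process with ambient authority removed, and every
resource request is an explicit JSON message that the kernel checks against
a policy before servicing it. POSIX only (fork, rlimit); stdlib only.
"""
import json
import os
import resource
from urllib.parse import urlsplit

# Constructed policy for one page instance; FAKE_NETWORK replaces real HTTP
# so the example runs offline.
PAGE_ORIGIN = "https://example.test"
ALLOWED_HOSTS = {"example.test", "cdn.example.test"}
FAKE_NETWORK = {
    "https://example.test/index.html": "<h1>hello</h1>",
    "https://cdn.example.test/app.js": "console.log('hi')",
}


def kernel_handle(msg):
    """Check one page message against policy. The message shape is the whole
    interface: a dict with an 'op' key; anything else is rejected."""
    if not isinstance(msg, dict) or "op" not in msg:
        return {"ok": False, "error": "malformed message"}
    if msg["op"] == "fetch":
        url = str(msg.get("url", ""))
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return {"ok": False, "error": "fetch denied by policy: " + url}
        body = FAKE_NETWORK.get(url)
        if body is None:
            return {"ok": False, "error": "not found"}
        # Referrer disclosure is the kernel's call, not the page's: only
        # same-origin requests carry it.
        same_origin = parts.hostname == urlsplit(PAGE_ORIGIN).hostname
        return {"ok": True, "body": body,
                "referer_sent": PAGE_ORIGIN if same_origin else None}
    return {"ok": False, "error": "unknown op: %r" % (msg["op"],)}


def drop_privileges():
    """Minimal sandbox: forbid allocating any new file descriptor, so even a
    compromised page cannot open files or sockets; it can only use the pipes
    it already holds. Existing descriptors are unaffected by the limit."""
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))


def page_subsystem(requests, to_kernel, from_kernel):
    """Child side: send each request as one JSON line, collect the answers,
    then act like an exploited renderer and try a direct file open."""
    responses = []
    for req in requests:
        to_kernel.write(json.dumps(req) + "\n")
        to_kernel.flush()
        responses.append(json.loads(from_kernel.readline()))
    try:
        with open("/dev/null") as f:    # bypass attempt; must fail (EMFILE)
            f.read()
        escaped = True
    except OSError:
        escaped = False
    return {"responses": responses, "escaped_sandbox": escaped}


def run_page(requests):
    """Kernel side: fork the page, broker its messages one at a time, and
    return the report the page sends back when it is done."""
    k2p_r, k2p_w = os.pipe()    # kernel -> page
    p2k_r, p2k_w = os.pipe()    # page -> kernel
    rep_r, rep_w = os.pipe()    # page's final report
    pid = os.fork()
    if pid == 0:                # child: the page subsystem
        for fd in (k2p_w, p2k_r, rep_r):
            os.close(fd)
        drop_privileges()       # fdopen below only wraps existing fds
        report = page_subsystem(requests, os.fdopen(p2k_w, "w"),
                                os.fdopen(k2p_r))
        with os.fdopen(rep_w, "w") as out:
            out.write(json.dumps(report))
        os._exit(0)
    for fd in (k2p_r, p2k_w, rep_w):
        os.close(fd)
    with os.fdopen(p2k_r) as inbox, os.fdopen(k2p_w, "w") as outbox:
        while True:
            line = inbox.readline()
            if not line:        # EOF: page process exited
                break
            try:
                msg = json.loads(line)
            except ValueError:
                msg = None      # kernel_handle rejects it
            outbox.write(json.dumps(kernel_handle(msg)) + "\n")
            outbox.flush()
    with os.fdopen(rep_r) as rep:
        report = json.loads(rep.read())
    os.waitpid(pid, 0)
    return report


DEMO_REQUESTS = [                                                # constructed
    {"op": "fetch", "url": "https://example.test/index.html"},  # allowed
    {"op": "fetch", "url": "https://cdn.example.test/app.js"},  # allowed, no referrer
    {"op": "fetch", "url": "https://evil.test/payload"},         # host not in policy
    {"op": "fetch", "url": "file:///etc/passwd"},                # scheme not in policy
    {"op": "exec", "cmd": "id"},                                 # no such capability
]
```

Running `run_page(DEMO_REQUESTS)` yields two successful fetches, three refusals, and `escaped_sandbox: false`, because the page's direct `open()` fails before the kernel even sees it. The point is the same one the Postfix comment makes: the only way out of the page process is a message the kernel understands, so the policy check is the trust boundary rather than the correctness of the rendering code. A real browser kernel would also need to restrict the page's memory, CPU and system calls, which a descriptor limit alone does not do.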
I'm not sure if I get this. The key feature seems this:
The key feature is Trusted Computing.
So who is this product for?
The RIAA, MPAA, and all those people who want to make DRM locked websites where no one can save copies of pictures or any other content from the page, where you can't copy-paste text or anything else, where you can't run any ad-blockers, where you can't view the webpage source, where you can't "deep link", where they can securely track your identity, etc etc etc.
Here's this guy's page at The Information Trust Institute (ITI).
Their definition of "secure" is securing computers against the owner.
They do Trusted Computing, Trusted Platform Models, DRM, they are even working on a Trusted DRM P2P system. Oh joy, I can't wait to get me some of that Trusted DRM P2P! Woohoo! Yummy! "to ensure that distributed multimedia protocols' trustworthiness is enforced in terms of security... security when delivering voice, music... trusted peer-to-peer (P2P) streaming protocols in large-scale ad hoc distributed systems for efficient content distribution... Issues of digital rights management"
Come on, don't tell me no one noticed the project name "Opus Palladianum" and thought, "Damn, that sounds like Palladium!" Yep, this is the scheme for a DRM locked down browser running on a DRM hardware locked Palladium system. And yeah, the article mentions that this guy came from Microsoft. Who here is surprised at that? Yeah, me neither.
Yeah, tag this article trustedcomputing. Or treacherouscomputing if you prefer.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
As parent says, the product doesn't have to gain great popularity to have a great effect on the field, especially after a few years.
Plan 9 never "made it big", but it wasn't supposed to. Now most Unix systems have adopted ideas from Plan 9, like the /proc filesystem, and more concepts are being ported still, such as PortalFS, applying the theory that everything should be a file to network sockets.
Plan 9 isn't a superstar, and in my personal opinion it's a pain to try to use, but it's considered a highly successful project. I'd like to try this browser, just because it sounds cool, even if it isn't my new browser of choice. I hear people praise Firefox, not because it's the best browser ever, but because it put pressure on Explorer to keep up with the market.
Proof of concept is worth a lot.
Maybe you should transfer. If they hire admins that bad, what does it say about the rest of their staff?
Maybe not
A cat can't teach a dog to bark.