The Web Won't Be Safe Or Secure Until We Break It
CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"
Broke it. Does that mean it's safe now? http://www.google.com/404
(let's call them DesktopApps)
Let's not.
Everything is better with chainsaws.
So we would have no clue as to where we were taken?
Yeah, that must be good security
So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently, and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app? Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?
Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.
How would I know my desktop app is not infected? At least my browser may show an incorrect URL.
In the majority of the applications we have been writing and releasing we adopt the model described. We write a "rich" client that is basically a special "non-browser" browser speaking over HTTP to an application server using REST or SOAP based on the needs of the customer. The tech doesn't matter; we've built the same type of app using Java (front and back end), C++/Qt on the front and Java servlets on the back (looking at tufao for a complete Qt), and most recently Node.JS on the back.
I've been running a client-side firewall called Atguard that is a general solution for pretty much exactly what the poster suggests. It only allows JavaScript on sites that I explicitly allow it on. You can run it so that by default, web sites are locked down to be essentially display-only. It also alerts me to any outbound connection attempts and allows me to block/allow connections and ports on a per-application basis. Unfortunately, I can't find newer versions of it anywhere and the company that made it no longer exists. It's the best network add-on I've ever used, so why something else with equivalent functionality hasn't appeared to take its place is beyond me.
They are not widely used. Chrome and Firefox have tools to do this. Chrome's is hidden in the Tools menu and no one uses it. Firefox's is a separate application or an add-on. Again, it never caught on.
Also, now for every new website that launches I have to download software and run it on my computer? Yes, that definitely sounds safer.
What happens to cross-site links? Are you just going to block them to keep the user contained? This will make for a poor UX.
Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.
Slashdot needs a handful of tags and good old CGI. That's all.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
This sounds great in theory, but I don't want to install my bank's software. Not only is it likely to create security holes (banks aren't famous for their software development skills), but I wouldn't trust them not to abuse the privilege and mine my personal data.
Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.
I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.
Solved!
I'm assuming you don't mean to run code written by my bank on my computer. That would lead to some pretty cool spyware in your apps. You must mean it would be some kind of mini, limited-to-one-site web browser?
You can also just make your firewall drop all connections to sites besides Bank of America and Facebook, but what's the fun in that?
How 'bout no.
What is safe and secure? I don't think anyone will agree on the complete definition of this. The government will have its definition. The MPAA/RIAA will have their own definition. I as a hacker have my definition. I prefer the way the internet is, because I can make it as safe or as unsafe as I choose. I don't need anyone else to define those terms for me.
Did he just re-invent client-server desktop apps?
outlining why, everyone else is covering it pretty well, but this is an incredibly awful idea. And its originator is an idiot as is he who decided this was worthy of posting to /.
Except he's suggesting that these apps actually render a webpage, instead of storing the static parts of the content locally. This is actually what I hate about the mobile app for my bank, it's really just a nerfed browser that points to a mobile site. It's even worse on mobile because where I am, 3G sucks, and I'd rather it only send me the data I need, and not all the pretty pictures as well.
I want the wild wild web, where the deer and the antelope roam, and the skies are (not cloudy) all day, not some locked-down police-state prison-cell silo-world of commercial money-sucking, mind-***king apps.
Where are we going and why are we in a handbasket?
I suggest we call it Web 2.0.
Making an "app" for every website would guarantee a slew of low-quality apps full of security holes. Isn't the current security model better than security by fragmentation?
Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on? You know, since that's what I want? I mean, we'd be blocking 90% of the tracking systems out there. But on the plus side, we'd be saving me 90% of the blocking that I'm currently doing anyway.
Alternatively, we can notice something quite obvious. It's fine the way it is. We're never going to have a world where everybody's safe from everything. I'm ok with being at risk of my computer breaking. That's just perfectly fine. Let criminals focus their efforts in that direction. It's way better than train robberies.
Incidentally, you guys do know that we drive on highways at up to 150 kph with the only thing separating us from on-coming traffic being a narrow strip of yellow paint -- and often it's dashed. And we assume that there isn't any horrible debris on that same road. Really, malware doesn't concern me -- and every dollar I earn comes from my work at the computer.
Enjoy your day. Maybe you shouldn't eat at random restaurants either.
Wow. That is a really stupid idea.
The real problem with security right now is that no-one does an attack surface audit. Literally all these websites out there have their servers installed with all manner of crap and garbage that they don't need and each one probably has way more ports open than they should need to. People don't clean shit up - that's the real problem. We don't uninstall software, and sometimes even when we do it's not 'really' uninstalled any more than just taking it off the start menu. We see the same thing in Android land - how many times have you updated a piece of software to see it wants new privileges? Now tell me, how many times have you seen an app say "nah, I don't need this privilege anymore, you can have it back"? Governments do the same thing with new laws. Software does this when you don't refactor it - right up to the point the codebase falls apart because it's been contorted in so many directions and never cleaned up.
Humans are just astonishingly bad when it comes to fixing problems that aren't problems (yet). Sometimes the reason for not doing it is that they don't want unintended side-effects from removing things. This means *they don't know what they are doing*.
We need more people that know what they are doing.
This kind of stuff reminds me of the times of AOL and Compuserve, when everybody used an 'App' and this was all replaced by a.... WEB BROWSER!!! And remember, a browser is not only for the Web, it can understand other protocols other than http or https, like ftp, so it's really about flexibility of the oh! magical thing called a URL :)
Or does he just want publicity?
This is an extreme solution to something that is not really a current problem and it has issues of its own.
The two main consequences of Desktop apps to me are that you have to get them installed and keep them updated everywhere (and according to him you can't trust a browser download) and these apps will be OS specific.
Someone would make a lot of money somewhere getting this enforced and it would require creating an appstore/repo for every platform where you could get these from. This seems like a great chance to make parts of the web specific to an OS.
What you could do without breaking anything is have a site broadcast in the header that it wants a private sandbox from the rest of your running web-pages and only allow the browser to send and receive data to the provided site. It would break advertising but that's necessary to be secure anyway.
I've been LOL about this idea, but Maybe, just Maybe... what if they had a thundering herd of VNC servers in da cloud and the "website" is just a VNC client?
No need for legacy HTML shit simulating a client server app in the most complicated byzantine and slow means possible... Have a couple traditional client server apps for different resolutions, like my full size high res desktop and another VNC server for my tiny little phone. Each VNC server is a cloud image, created when I connect and vaporized when I disconnect for "security".
Basically your "website" is an icon running your off the shelf VNC viewer and a hard coded hostname. That's all.
It's not that horrible of an idea, in that case. Now using HTTP as the transport instead of VNC would be pretty dumb, but VNC as a transport? Hmm maybe.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
In a supposedly post-PC world where the desktop is dead and every "website" is just a fucking application behind a little square icon, does it even fucking matter, anymore?
Ha, I do all my deposits and withdrawals from the ATM just inside the front door of my bank, mostly during banking hours. No, dealing with people is not worth the extra effort.
Dan Walsh, one of the principal developers of SELinux, has blogged about a way to do this on your Linux desktop box. You can start a "virgin" browser in its own X server with optional presets you copy in the loop-mounted container. Every time you run it, it starts the same fresh image built on the fly when you run the command. This makes it easy to have separate browsers for each task you want isolated from the rest of your web experience or your desktop computer. Even if it gets infected, it will not remain on your computer and the infection is gone as soon as you close the browser. He's not the only one that has written about it; there are many more people giving useful examples on the web.
I was promised a flying car. Where is my flying car?
Let me get this straight -- you're going to write and maintain a custom fucking browser. Probably purchased COTS and running on just one or two platforms you aren't even competent to do webdev for.
You're going to lock this down and secure it correctly. You're going to maintain its own CA store and correctly sign its certificate. You're going to handle distribution and updates correctly, and mostly inside this application.
You're going to do this in a manner where I can't just open up wireshark and look at the IP or domain you connect to and watch the TCP handshake going on and trace the HTTP connections.
You're going to do this with a browser where I can't just set a global environment variable or system setting to configure a proxy handler. And you're going to support the users using this browser that do require a proxy with custom builds of the application or in-application settings.
And when your developers test this website with your custom fairy-princess-sparkling-pony wand browser, they're actually going to be competent enough to also test it with chrome or firefox where I *can* type in the URL, and *can* edit the forms up however I want?
Look... with respect to the actual article... yeah, browsers load too much. I block a lot of them and get grief -- I don't get scripts, I don't get most tracking cookies, tracking images, analytics, iframes... They won't send third party cookies, and sometimes my browser accepts them and immediately rewrites them with random content -- particularly if it sees anything that looks like a checksum or uuid.
But you aren't going to fix the web with apps-as-browser -- you'll just make it less secure because most devs aren't even good enough to test outside of their expected environment. Which is why I still see raw forms I can post anything to with nothing but clientside validation going on.
This idea is fucked before it's even written. The only conceivable benefit is client-side-browser diversity, and even that isn't actually worth it given the risks that come with it.
The net is unsafe because it's full of idiots. That's why the rest of us needs to become complete morons, too. And use "apps" with just one button. Because two buttons are not stupid enough! Two buttons are smarter than one! So one button is not so smart!! Great plan! So logical. I am with you. Now, where's that #*'&%! button, again?
Oh, the beautiful gloss of greality!
I cannot imagine how this would work in any sane sense. The proposed idea would basically result in one application per website. This would mean in the run of the day I'd have to open dozens of applications which would have to, somehow, be linked together. That makes zero sense and it doesn't deal with the issue. The problem is we have a few insecure applications (web browsers) and the solution isn't to create thousands of new applications. We need to do a better job of securing our existing browsers, not create thousands of new ones.
Firefox used to have the functionality of making a website into an app via the Prism project. That project has now been discontinued, but you can do the same thing with:
firefox.exe -P BankUser -no-remote https://mybank.com
This lets you create a dedicated user for a site, with its own options and data. Turn off all of the toolbars in the view menu, and, while you're not restricted from going to other sites with this browser, you have less temptation to do so. Each account also remembers the window position, so you can have, e.g. a tiny window for time.gov/widget.html.
The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.
Drive bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drivebys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not the case.
AccountKiller
My thoughts exactly. So - my google search app wouldn't point me to web pages - instead it would point me to apps I could download and install for each different web page. So now I'm installing thousands of web apps? THAT sounds like a security nightmare! Who is going to watch over the security of the apps? Google? They are already having problems with the Android apps.
...from users! Spokesperson says "the walled garden is now complete". Story at 11.
You can install them from Firefox by going here and here.
...but my mobile phone browser has a URL bar. I use it, too.
Hasn't this been tried via Mozilla Prism?
http://it.slashdot.org/comments.pl?sid=3237707&cid=41913653
* See subject-line above...
(AND, of course, the link too!)
Since IF you like hosts files? There's a tool that I wrote there that's linked to that does one heck of a GOOD JOB @ creating + managing them for you from 12 reputable & reliable sources for their current & updated data vs. threats online...
(Enjoy!)
APK
P.S.=> Good to see someone else with the good sense to note custom hosts files...
... apk
The author speaks of things like Java, javascript, iframes, CSS, plugins, ActiveX etc./et al - well, per my subject-line above? I pretty much ALREADY have been doing what he noted, via OPERA & using it in creating SITE-SPECIFIC browsing setups!
How so?? Easily, since Opera allows "By Site" Preferences is how!
1st I setup a GLOBAL POLICY (default for EVERY site under the sun) which DISALLOWS the above risky elements.
Then, as needed, I allow certain sites to access those risky features, ONLY as needed for full site functionality on THAT SITE ONLY (the rest follow "global policy" of NOT allowing ANY of those items to function).
* ANYONE "catching my drift" here by this point?
APK
P.S.=> The rest of just good use of "layered security"/"defense-in-depth" in custom hosts files usage, NoScript on Mozilla products, & system-wide "security-hardening"...
ALL are covered in my other post here -> http://it.slashdot.org/comments.pl?sid=3237707&cid=41913653 and, yes - it actually WORKS...
... apk
Where do you find these people that are fun to interact with? They are never at any of the places I go.
So this is yet another stooge calling for the destruction of the multi-purpose, user-empowering system that is the modern desktop in favor of a single-purpose, user-disempowering, single-application-per-single-task model?
The unsaid main advantage is of course that the stranglehold on the user granted by this model makes the user a much better product to monetize.
When talking about the expansion of web technologies, it is important that CSS3 is Turing-complete.
Which provokes the question of why we didn't just settle on a Turing-complete language or graphics library to begin with.
Ultimately, I don't think that web browsers are the security problem they're described as. Modern browsers have auto-update, rapid release schedules, and bug bounty programs. Most of them are also open-source to some degree. Adobe software could not be expunged from this Earth too quickly, but aside from that we're pretty well aware of the browser as the largest attack surface in modern systems, to the point where the easy hacks require multiple exploits.
Web technology is a strange and complex beast, but let's hold off on scrapping it until we actually have some web browsers on Kaspersky's Top 10 list.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Or you could stick Firefox in a chroot and use HTTPS Everywhere. And y'know, NoScript and Adblock Plus and Ghostery -- but I presume you're using those already. SSL certs aren't necessarily handled by the browser anyway, but I think what you want there is the also-extant OCSP. Or if you wanted to extend the chroot concept to your entire OS, you can have that too.
Why do you need desktop links again? I'm having a failure of imagination as to how that might actually improve anything.
bee-tee-dub, you should keep in mind that Security and Usability are usually at odds with each other. We already have the technological solutions at hand, if you're not already using them, perhaps there's a reason why.
http://www.guidebookgallery.org/pics/gui/desktop/full/riscos311.png
Perl Programmer for hire
It took trolls 3++ HOURS to downmod this one from the time of its initial post-date, in order to *try* to "hide it" & the facts + benefits it extolls, point-by-point...
(LMAO @ the trolls & their "machinations", via bogus downmods they certainly can't justify on valid computing-technical grounds...)
* :)
APK
P.S.=> Now, IF they really want to "gain some ground", vs. my points in that post they "hit & run" bogusly downmodded? They'd disprove my posts' points to justify their unjustifiable downmoderations of it - obviously? That, cannot be done...
... apk
So this guy proposes to improve security by replacing web sites with executable applications on the user's machine? What's wrong with this picture?
The author argues that disallowing clicks on transparent objects would break too much. It would break some minor functions on a few pages at Google and Facebook, and Yahoo if anybody still cares. They can fix that; it's bad coding, not something that they needed to do. It would break thousands of annoying popups. Win. If the pixel clicked isn't at least 25% opaque, the image doesn't get the click. This enforces visual fidelity.
(I put that in my image buttons - if you click on the image rectangle, but not on the round button, nothing happens.)
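The rule in the comment above (a click only counts if the pixel under it is at least 25% opaque) can be expressed as a small function and checked offline. The code below is an added example, not the commenter's own button code. `pixels` is an RGBA byte array laid out like the `data` of `CanvasRenderingContext2D.getImageData()`; the browser wiring at the end, which draws an `<img>` onto a canvas to obtain that array, is the assumed integration and is not exercised in Node.

```javascript
// Added example: gate clicks on near-transparent pixels (the 25% rule).

// Alpha of the pixel at (x, y) as a 0..1 fraction.
function alphaAt(pixels, width, x, y) {
  const i = (y * width + x) * 4;
  return pixels[i + 3] / 255;
}

// True when the click landed inside the image on a pixel at least
// `minOpacity` opaque. Out-of-range or non-integer coordinates are rejected.
function clickAccepted(pixels, width, height, x, y, minOpacity = 0.25) {
  if (!Number.isInteger(x) || !Number.isInteger(y)) return false;
  if (x < 0 || y < 0 || x >= width || y >= height) return false;
  return alphaAt(pixels, width, x, y) >= minOpacity;
}

// Constructed 4x4 sample image: a fully opaque 2x2 "button" in the middle,
// fully transparent corners, and a faint 10%-alpha fringe everywhere else.
function makeSampleImage() {
  const width = 4, height = 4;
  const pixels = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      const onButton = x >= 1 && x <= 2 && y >= 1 && y <= 2;
      const corner = (x === 0 || x === 3) && (y === 0 || y === 3);
      pixels[i] = 30; pixels[i + 1] = 120; pixels[i + 2] = 200;
      pixels[i + 3] = onButton ? 255 : corner ? 0 : 26; // 26/255 is about 10%
    }
  }
  return { pixels, width, height };
}

// Assumed browser wiring (needs a DOM, so it is defined but never called
// here): read the image's pixels via an offscreen canvas, then only forward
// clicks that pass the opacity check. Coordinates are scaled from CSS pixels
// to the image's natural size.
function installClickGate(img, onClick, minOpacity = 0.25) {
  const canvas = document.createElement("canvas");
  canvas.width = img.naturalWidth;
  canvas.height = img.naturalHeight;
  const ctx = canvas.getContext("2d");
  ctx.drawImage(img, 0, 0);
  const { data } = ctx.getImageData(0, 0, canvas.width, canvas.height);
  img.addEventListener("click", (ev) => {
    const rect = img.getBoundingClientRect();
    const x = Math.floor((ev.clientX - rect.left) * canvas.width / rect.width);
    const y = Math.floor((ev.clientY - rect.top) * canvas.height / rect.height);
    if (clickAccepted(data, canvas.width, canvas.height, x, y, minOpacity)) onClick(ev);
  });
}

module.exports = { alphaAt, clickAccepted, makeSampleImage, installClickGate };
```

One practical limit of the canvas approach: `getImageData()` throws on a canvas tainted by a cross-origin image, so the gate only works for images served from the page's own origin (or with permissive CORS headers), which is also the only case where the page can vouch for what the image looks like.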
Give me the funding to take care of my basic bills, and I CAN create the internet's fully viable sentient "immune system" within three months of inception. I'm not even joking.
There, I fixed that for you.
Korma: Good
Too bad, I had five points yesterday, and now I know I *spoiled* them :-D
Herve S.
and still does it btw, they managed to survive all this time ;-)
iCab, the most unknown browser in the whole universe -but they invented ad-filtering, 10 years before Mozilla was even born.
I think what's important indeed now is the behavior of tablet browsers.
I've seen an interesting discussion on SimpleBrowser, again a very minor one (on Blackberry Playbook, mind you!) that definitely turned around this thematics...
Herve S.
I've been playing with all three a little lately. There's a fair amount of cross-platform capability there, with fairly capable html browser classes available.
Not to mention, libre.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
...the author of TFA stole his bit.
How to get malicious code on to someone's computer and execute it. First, you get malicious code on someone's computer...
Playing devil's advocate here:
I believe the author is implying that operating systems have traditionally done a better job of handling resource security, interprocess communications, and application isolation. The suggestion is that the browser was not originally designed as a platform for execution: it was designed as an application for viewing information. Therefore, I think the author is implying that the solution is to minimize the "duplication of effort", i.e. minimize the browser's role in negotiating authentication, authorization, data transmission, etc. since these are better handled or already handled at a lower level in the stack.
Does anyone find this line of thinking less controversial? I don't think the suggestion was to eliminate the most important characteristic of the Internet: open connectivity.
Is there any value to be found in layering applications on top of each other in this way where each application provides another abstraction layer for resource security or interprocess communications?
I think it is safe to say that the entire premise of this article is just the solution a person would suggest if they were less educated on the matter. It is like a computer scientist saying to a civil engineer that the problem with a building's structural integrity is the foundation and not the ground underneath the foundation.
Web developers need a way to set custom security policies for their website and sandbox it. If the policies are not enforced (properly) then the website should not load.
Why not use something like Qubes: run each browser session inside its own throw-away, cleanly insulated VM?
cpghost at Cordula's Web.
Many here "game" (cheat) the moderation system to do so in fact, & for example? I caught tomhudson = Barbara, not Barbie using MULTIPLE ACCOUNTS to do so (using them BOTH, they're both that same person, to "mod herself up" when she was downmodded for trolling, & to mod down her opponents with).
In fact, I'll even let a "Big Name" Open "SORES" guy speak on this very account:
---
"It just takes one Ubuntu sympathizer or PR flack to minus-moderate any comment. Unfortunately, once PR agencies and so on started paying people to moderate online communities, and to have hundreds of accounts each, things changed." - by Bruce Perens (3872) on Friday July 30, @03:55PM (#33089192) Homepage Journal
SOURCE -> http://linux.slashdot.org/comments.pl?sid=1738364&cid=33089192
---
* YES - That includes YOU too, troll... I know you've got a "registered 'luser'" account & are just "trolling me" by ac replies. Thus, I can strongly also wager YOU are downmodding my posts to 'harass' me!
The "Chinese Water Army" &/or "HBGary" are the same as well...
(Except they got CAUGHT in the act doing it using 100's of "bogus" trolling accounts to do so!)
APK
P.S.=> Trolls like YOU? Easily seen thru - See Mr. Perens' quote above, he says it BEST imo!
So, until YOU disprove my points with valid facts here -> http://it.slashdot.org/comments.pl?sid=3237707&cid=41913653 ? YOU FAILED... badly!
... apk
what if the app itself gets infected ? false sense of security ? You'd still have to keep scanning at least once a day, no ?
Free speech was meant to be free for all... how can anyone grow up in a nanny state ?