Slashdot Mirror
The Web Won't Be Safe Or Secure Until We Break It
CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"
Broke it. Does that mean it's safe now? http://www.google.com/404
(let's call them DesktopApps)
Let's not.
Everything is better with chainsaws.
So we would have no clue as to where we were taken?
Yeah, that must be good security
So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently, and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app? Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?
Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.
How would I know my desktop app is not infected? At least my browser may show an incorrect URL.
They are not widely used. Chrome and Firefox have tools to do this. Chrome's is hidden in the Tools menu and no one uses it. Firefox's is a separate application or an add-on. Again, it never caught on.
Also, now for every new website that launches I have to download software and run it on my computer? Yes, that definitely sounds safer.
What happens to cross-site links? Are you just going to block them to keep the user contained? This will make for a poor UX.
Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.
Slashdot needs a handful of tags and good old CGI. That's all.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
This sounds great in theory, but I don't want to install my bank's software. Not only is it likely to create security holes (banks aren't famous for the software development skills), but I wouldn't trust them not to abuse the privilege and mine my personal data.
Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.
I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.
Solved!
What is safe and secure? I don't think anyone will agree on the complete definition of this. The government will have its definition. The MPAA/RIAA will have their own definition. I as a hacker have my definition. I prefer the way the internet is, because I can make it as safe or as unsafe as I choose. I don't need anyone else to define those terms for me.
Did he just re-invent client-server desktop apps?
outlining why, everyone else is covering it pretty well, but this is an incredibly awful idea. And its originator is an idiot as is he who decided this was worthy of posting to /.
I want the wild wild web, where the deer and the antelope roam, and the skies are (not cloudy) all day, not some locked-down police-state prison-cell silo-world of commercial money-sucking, mind-***king apps.
Where are we going and why are we in a handbasket?
Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on? You know, since that's what I want? I mean, we'd be blocking 90% of the tracking systems out there. But on the plus side, we'd be saving me 90% of the blocking that I'm currently doing anyway.
Alternatively, we can notice something quite obvious. It's fine the way it is. We're never going to have a world where everybody's safe from everything. I'm ok with being at risk of my computer breaking. That's just perfectly fine. Let criminals focus their efforts in that direction. It's way better than train robberies.
Incidentally, you guys do know that we drive on highways at up to 150 kph with the only thing separating us from on-coming traffic being a narrow strip of yellow paint -- and often it's dashed. And we assume that there isn't any horrible debris on that same road. Really, malware doesn't concern me -- and every dollar I earn comes from my work at the computer.
Enjoy your day. Maybe you shouldn't eat at random restaurants either.
Wow. That is a really stupid idea.
This kind of stuff reminds me of the times of AOL and Compuserve, when everybody used an 'App' and this was all replaces by a.... WEB BROWSER!!! And remember, a browser is not only for the Web, it can understand other protocols other than http or https, like ftp, so it's really about flexibility of the oh! magical thing called a URL :)
Or does he just want publicity?
This is an extreme solution to something that is not really a current a problem and it has issues of its own.
The two main consequences of Desktop apps to me is you have to get them installed keep and keep them updated everywhere (and according to him you can't trust a browser download) and these apps will be OS specific.
Someone would make a lot of money somewhere getting this enforced and it would require creating an appstore/repo for every platform where you could get these from. This seems like a great chance to make parts of the web specific to a OS.
What you could do without breaking anything is have a site broadcast in the header that they want private sandbox from the rest of your running web-pages and only allow the browser to send and receive data to the provided site. It would break advertising but that’s necessary to be secure anyway.
I've been LOL about this idea, but Maybe, just Maybe... what if they had a thundering herd of VNC servers in da cloud and the "website" is just a VNC client?
No need for legacy HTML shit simulating a client server app in the most complicated byzantine and slow means possible... Have a couple traditional client server apps for different resolutions, like my full size high res desktop and another VNC server for my tiny little phone. Each VNC server is a cloud image, created when I connect and vaporized when I disconnect for "security".
Basically your "website" is an icon running your off the shelf VNC viewer and a hard coded hostname. Thats all.
Its not that horrible of an idea, in that case. Now using HTTP as the transport instead of VNC would be pretty dumb, but VNC as a transport? Hmm maybe.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
In a supposedly post-PC world where the desktop is dead and every "website" is just a fucking application behind a little square icon, does it even fucking matter, anymore?
Ha, I do all my deposits and withdrawals from the ATM just inside the front door of my bank, mostly during banking hours. No, dealing with people is not worth the extra effort.
Dan Walsh, one of the principal developers of SELinux has blogged about a way to do this on your linux desktop box. You can start a "virgin" browser in it's own Xserver with optional presets you copy in the loopmounted container. Every time you run it, it starts the same fresh image built on the fly when you run the command. This makes it easy to have separate browsers for each task you want isolated from the rest of your web experience or your desktop computer. Even if it gets infected, it will not remain on your computer and the infection is gone as soon as you close the browser. He's not the only one that has written about it, there are many more people giving useful examples on the web.
I was promised a flying car. Where is my flying car?
The net is unsafe because it's full of idiots. That's why the rest of us needs to become complete morons, too. And use "apps" with just one button. Because two buttons are not stupid enough! Two buttons are smarter than one! So one button is not so smart!! Great plan! So logical. I am with you. Now, where's that #*'&%! button, again?
Oh, the beautiful gloss of greality!
Firefox used to have the functionality of making a website into an app via the Prism project. That project has now been discontinued, but you can do the same thing with:
firefox.exe -P BankUser -no-remote https://mybank.com
This lets you create a dedicated user for a site, with its own options and data. Turn off all of the toolbars in the view menu, and, while you're not restricted from going to other sites with this browser, you have less temptation to do so. Each account also remembers the window position, so you can have, e.g. a tiny window for time.gov/widget.html.
The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.
Drive bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drivebys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not that case.
AccountKiller
My thoughts exactly. So - my google search app wouldn't point me to web pages - instead it would point me to apps I could download and install for each different web page. So now I'm installing thousands of web apps? THAT sounds like a security nightmare! Who is going to watch over the security of the apps? Google? They are already having problems with the Android apps.
...from users! Spokesperson says "the walled garden is now complete". Story at 11.
...but my mobile phone browser has a URL bar. I use it, too.
The author speaks of things like Java, javascript, iframes, CSS, plugins, ActiveX etc./et al - well, per my subject-line above? I pretty much ALREADY have been doing what he noted, via OPERA & using it in creating SITE-SPECIFIC browsing setups!
How so?? Easily, since Opera allows "By Site" Preferences is how!
1st I setup a GLOBAL POLICY (default for EVERY site under the sun) which DISALLOWS the above risky elements.
Then, as needed, I allow certain sites to access those risky features, ONLY as needed for full site functionality on THAT SITE ONLY (the rest follow "global policy" of NOT allowing ANY of those items to function).
* ANYONE "catching my drift" here by this point?
APK
P.S.=> The rest of just good use of "layered security"/"defense-in-depth" in custom hosts files usage, NoScript on Mozilla products, & system-wide "security-hardening"...
ALL are covered in my other post here -> http://it.slashdot.org/comments.pl?sid=3237707&cid=41913653 and, yes - it actually WORKS...
... apk
So this is yet another stooge calling for destruction of multi-purpose user-empowering system that is modern desktop in favor of single-purpose user-disempowering single application per single task model?
The unsaid main advantage is of course that stranglehold on the user granted by this model makes user a much better product to monetize.
When talking about the expansion of web technologies, it is important that CSS3 is Turing-complete.
Which provokes the question of why we didn't just settle on a Turing-complete language or graphics library to begin with.
Ultimately, I don't think that web browsers are the security problem they're described as. Modern browsers have auto-update, rapid release schedules, and bug bounty programs. Most of them are also open-source to some degree. Adobe software could not be expunged from this Earth too quickly, but aside from that we're pretty well aware of the browser as the largest attack surface in modern systems, to the point where the easy hacks require multiple exploits.
Web technology is a strange and complex beast, but let's hold off on scrapping it until we actually have some web browsers on Kaspersky's Top 10 list.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Or you could stick Firefox in a chroot and use HTTPS Everywhere. And y'know, NoScript and Adblock Plus and Ghostery -- but I presume you're using those already. SSL certs aren't necessarily handled by the browser anyway, but I think what you want there is the also-extant OCSP. Or if you wanted to extend the chroot concept to your entire OS, you can have that too.
Why do you need desktop links again? I'm having a failure of imagination as to how that might actually improve anything.
bee-tee-dub, you should keep in mind that Security and Usability are usually at odds with each other. We already have the technological solutions at hand, if you're not already using them, perhaps there's a reason why.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
http://www.guidebookgallery.org/pics/gui/desktop/full/riscos311.png
Perl Programmer for hire
So this guy proposes to improve security by replacing web sites with executable applications on the user's machine? What's wrong with this picture?
The author argues that disallowing clicks on transparent objects would break too much. It would break some minor functions on a few pages at Google and Facebook, and Yahoo if anybody still cares. They can fix that; it's bad coding, not something that they needed to do. It would break thousands of annoying popups. Win. If the pixel clicked isn't at least 25% opaque, the image doesn't get the click. This enforces visual fidelity.
(I put that in my image buttons - if you click on the image rectangle, but not on the round button, nothing happens.)
Give me the funding to take care of my basic bills, and I CAN create the internet's fully viable sentient "immune system" within three months of inception. I'm not even joking.
There, I fixed that for you.
Korma: Good
Too bad, I had five points yesterday, and now I know I *spoiled* them :-D
Herve S.
and still does it btw, they managed to survive all this time ;-)
iCab, the most unknown browser in the whole universe -but they invented ad-filtering, 10 years before Mozilla was even born.
I think what's important indeed now is the behavior of tablet browsers.
I've seen an interesting discussion on SimpleBrowser, again a very minor one (on Blackberry Playbook, mind you!) that definitely turned around this thematics...
Herve S.
I've been playing with all three a little lately. There's a fair amount of cross-platform capability there, with fairly capable html browser classes available.
Not to mention, libre.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Playing devil's advocate here:
I believe the author is implying that operating systems have traditionally done a better job of handling resource security, interprocess communications, and application isolation. The suggestion is that the browser was not originally designed as a platform for execution: it was designed as an application for viewing information. Therefore, I think the author is implying that the solution is to minimize the "duplication of effort", i.e. minimize the browser's role in negotiating authentication, authorization, data transmission, etc. since these are better handled or already handled at a lower level in the stack.
Does anyone find this line of thinking less controversial? I don't think the suggestion was to eliminate the most important characteristic of the Internet: open connectivity.
Is there any value to be found in layering applications on top of each other in this way where each application provides another abstraction layer for resource security or interprocess communications?
Web developers need a way to set custom security policies for there website and sandbox it. If the policies are not enforced(properly) then the website should not load.
Why not use something like Qubes: run each browser session inside its own throw-away, cleanly insulated VM?
cpghost at Cordula's Web.
what if the app itself gets infected ? false sense of security ? You'd still have to keep scanning at least once a day, no ?
Free speech was meant to be free for all... how can anyone grow up in a nanny state ?