Slashdot Mirror


The Web Won't Be Safe Or Secure Until We Break It

CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"

36 of 180 comments

  1. Broke it by k28 · · Score: 5, Funny

    Broke it. Does that mean it's safe now? http://www.google.com/404

    1. Re:Broke it by Jane Q. Public · · Score: 3, Insightful

      Sure, it's safe. But now you have 147 apps for using the internet when you used to have 1.

      (Each of them with their own bugs.)

      Yeah. That's an improvement. Sure.

  2. Uh... by Antipater · · Score: 5, Informative

    (let's call them DesktopApps)

    Let's not.

    --
    Everything is better with chainsaws.

    1. Re:Uh... by SJHillman · · Score: 4, Informative

      So they're... apps. People have been calling them apps long before the mobile market started calling them apps.

    2. Re:Uh... by zlives · · Score: 5, Insightful

      Woo hoo, one app per website, that's just what we need. This is why MS came with the tiles...

    3. Re:Uh... by mcgrew · · Score: 4, Informative

      That's not what he (TFA guy) means by it. He means that rather than typing mybank.com into your URL bar or going to a browser bookmark, the bank has a dedicated program that isn't a browser that resides on your computer that connects to your bank and nowhere else. I might even bank online if they had something like this.

    4. Re:Uh... by jandrese · · Score: 5, Insightful

      Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained. I don't see how this is a win over a website.

      --
      I read the internet for the articles.

    5. Re:Uh... by Anonymous Coward · · Score: 4, Insightful

      No. They've been calling them "computer programs" and "applications". They became "apps" thanks to the mobile market.

      That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.

    6. Re:Uh... by justforgetme · · Score: 3, Informative

      Which is something that people could do for a very long time with stuff like Firefox.
      Hell, in the last few years (don't recall when exactly) Firefox even made it a "framework", Prism or whatever it is called, so you can create stand-alone applications out of websites. You can even set rules about where the browser can go!

      Am I missing something?

      --
      -- no sig today

    7. Re:Uh... by vlm · · Score: 5, Insightful

      You forgot they'll only certify it for certain OS and if detected on the wrong one it'll refuse to work and pop up a "please upgrade" message.

      And it'll demand you downgrade new platforms. So your Vista laptop can't log into your bank... pop-up claims you need to "upgrade" to XP or more likely 98.

      "This page best viewed 640x480x8... here, since I'm a poorly written app now with system access instead of being a poorly written webpage, let me reconfigure your video card to be BankOptimized(tm)(c)"

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger

    8. Re:Uh... by mellon · · Score: 5, Interesting

      So basically he's proposing that instead of using a carefully insulated browser, we install code on our computers provided by banks that will never be updated, and will be full of unpatched bugs. And this will make our machines more secure. Are we sure this guy is a white hat?

    9. Re:Uh... by CadentOrange · · Score: 3, Informative

      There's the Qt framework. It's C++, open source and a lot more popular than realBASIC.

    10. Re:Uh... by h4rr4r · · Score: 2

      Speaking of terrible websites, Netflix is a great example. You have to mouse-hover to get a link to click on to see any useful information about a film.

      When it was less shiny you could click on the film name for that. Today it tries to stream.

    11. Re:Uh... by Synerg1y · · Score: 2

      Yes... Firefox is really rooted into your system: registry reads/writes, LSOs, AppData. It doesn't need ANY of this to run, well maybe... AppData, but I'd argue they should just use Sync (which is pretty cool btw). When I can sandbox a browser and have it run without breaking, the point of TFA will be achieved, but I've run Firefox Portable before, and performance leaves something to be desired; also I'm not sure how much of a footprint it leaves on your system.

      Also the author of the article doesn't have a clue: the "Facebook" app isn't a browser, nor will it ever be, it's an API-enabled application. You can write it right now by selecting a new Windows Forms project in Visual Studio and downloading the Facebook API, so *shrug*. Why don't we? Well... there's the browser, from which you can throw a bookmark on your desktop.

    12. Re:Uh... by Anonymous Coward · · Score: 3, Funny

      Maybe we should mix "computer program" and "app" to form a new word. I suggest we call these things Crap.

    13. Re:Uh... by blade8086 · · Score: 2

      Nonononono - it needs WAY more CamelCase and much more CloudAjax.

      I propose they should be called:

      TiledInterfaceCloudAjaxCamelCaseDesktopAppsPod

      because it really gets to the substance of why these are truly beyond the 'tipping point' of being a disruptive game changer in the big data cloud revolution

    14. Re:Uh... by Guignol · · Score: 4, Funny

      In fact the term "webapp" has been in use (and still is), we believe, since hundreds of millions of years ago by the first frogs, long before the mobile revolution.

    15. Re:Uh... by Thiez · · Score: 2

      Except that telnet is unencrypted...

    16. Re:Uh... by tehcyder · · Score: 2

      Nonononono - it needs WAY more CamelCase and much more CloudAjax.

      I propose they should be called:

      TiledInterfaceCloudAjaxCamelCaseDesktopAppsPod

      because it really gets to the substance of why these are truly beyond the 'tipping point' of being a disruptive game changer in the big data cloud revolution

      Tsk tsk you didn't use the phrase "paradigm shift".

      --
      To have a right to do a thing is not at all the same as to be right in doing it

  3. No URL bar by Anonymous Coward · · Score: 3, Insightful

    So we would have no clue as to where we were taken?
    Yeah, that must be good security

  4. An App For Every Website by Shinmera · · Score: 3, Insightful

    So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently, and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app? Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?

    1. Re:An App For Every Website by Anonymous Coward · · Score: 5, Insightful

      I think I'll just stick with "not being a fucking moron." Kept me pretty safe so far.

    2. Re:An App For Every Website by Nemyst · · Score: 5, Funny

      Someone would come up with another app that lets you search through your other apps. They could call it... a search engine, maybe?

      Then we'd rename those apps as "web pages", as they're pages networked together in a giant web.

      Then someone else would think of making a single, unified app viewer, which would let you browse through multiple apps in an interlinked fashion. Browser could be a good name for that.

      Dude, that sounds so revolutionary. Nobody would've thought of that before.

    3. Re:An App For Every Website by swanzilla · · Score: 2

      I can't wait until somebody posts a Computer World DesktopApp on Slashdot, which turns out to be 17 DesktopApps.

    4. Re:An App For Every Website by SeaFox · · Score: 2

      Not only that, it sounds like there would no longer be a general "browser".
      Want a presence on the Internet? You gotta code your own app now, and have people download it to see your site.
      Other than that, you have to use one of the corporate world's pre-approved places (like a page on a social-networking site).

      The Internet is now a series of "channels" in effect at this point, just like cable TV, almost all controlled by companies. ...and I bet none of those web apps will spy on their users once installed on the computer. No siree.

  5. Nobody would ever hack that. by kwerle · · Score: 5, Insightful

    Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.

  6. We could just go back to Web 1.0 by istartedi · · Score: 2, Insightful

    Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.

    Slashdot needs a handful of tags and good old CGI. That's all.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?

  7. Decentralization has costs and benefits by Loopy · · Score: 3, Insightful

    Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.

    I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.

  8. Brilliant! by SavSoul · · Score: 4, Insightful

    Did he just re-invent client-server desktop apps?

    1. Re:Brilliant! by jmauro · · Score: 3, Funny

      Yes.

      But for Security! Instead of, you know, whatever reason we used them before, then got rid of them the first time around.

  9. I'm not even going to bother... by YodasEvilTwin · · Score: 4, Insightful

    outlining why, everyone else is covering it pretty well, but this is an incredibly awful idea. And its originator is an idiot as is he who decided this was worthy of posting to /.

  10. Re:infected desktop app by darkHanzz · · Score: 2

    The same holds for these apps. Same difference.

  11. Yeah. Sounds F***ing Awful by presidenteloco · · Score: 3, Interesting

    I want the wild wild web, where the deer and the antelope roam, and the skies are (not cloudy) all day, not some locked-down police-state prison-cell silo-world of commercial money-sucking, mind-***king apps.

    --
    Where are we going and why are we in a handbasket?

  12. SELinux Containers can do this by dutchwhizzman · · Score: 3, Interesting

    Dan Walsh, one of the principal developers of SELinux, has blogged about a way to do this on your Linux desktop box. You can start a "virgin" browser in its own X server with optional presets you copy into the loop-mounted container. Every time you run it, it starts from the same fresh image, built on the fly when you run the command. This makes it easy to have separate browsers for each task you want isolated from the rest of your web experience or your desktop computer. Even if it gets infected, it will not remain on your computer, and the infection is gone as soon as you close the browser. He's not the only one that has written about it; there are many more people giving useful examples on the web.

    --
    I was promised a flying car. Where is my flying car?

  13. Completely misses the point. by Vellmont · · Score: 3, Interesting

    The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.

    Drive-bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drive-bys are from the 3rd-party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not the case.

    --
    AccountKiller

  14. ...but who watches the Watchmen? by Andy Prough · · Score: 2

    My thoughts exactly. So - my google search app wouldn't point me to web pages - instead it would point me to apps I could download and install for each different web page. So now I'm installing thousands of web apps? THAT sounds like a security nightmare! Who is going to watch over the security of the apps? Google? They are already having problems with the Android apps.