Slashdot Mirror


The Web Won't Be Safe Or Secure Until We Break It

CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"

15 of 180 comments

  1. Broke it by k28 · · Score: 5, Funny

    Broke it. Does that mean it's safe now? http://www.google.com/404

  2. Uh... by Antipater · · Score: 5, Informative

    (let's call them DesktopApps)

    Let's not.

    --
    Everything is better with chainsaws.
    1. Re:Uh... by SJHillman · · Score: 4, Informative

      So they're... apps. People have been calling them apps long before the mobile market started calling them apps.

    2. Re:Uh... by zlives · · Score: 5, Insightful

      woo hoo one app per website that's just what we need. This is why MS came with the tiles...

    3. Re:Uh... by mcgrew · · Score: 4, Informative

      That's not what he (TFA guy) means by it. He means that rather than typing mybank.com into your URL bar or going to a browser bookmark, the bank has a dedicated program that isn't a browser that resides on your computer that connects to your bank and nowhere else. I might even bank online if they had something like this.

    4. Re:Uh... by jandrese · · Score: 5, Insightful

      Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained. I don't see how this is a win over a website.

      --
      I read the internet for the articles.
    5. Re:Uh... by Anonymous Coward · · Score: 4, Insightful

      No. They've been calling them "computer programs" and "applications". They became "apps" thanks to the mobile market.

      That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.

    6. Re:Uh... by vlm · · Score: 5, Insightful

      You forgot they'll only certify it for certain OS and if detected on the wrong one it'll refuse to work and pop up a "please upgrade" message.

      And it'll demand you downgrade new platforms. So your Vista laptop can't log into your bank... pop up claims you need to "upgrade" to XP or more likely 98.

      "This page best viewed 640x480x8... here, since I'm a poorly written app now with system access instead of being a poorly written webpage, let me reconfigure your video card to be BankOptimized(tm)(c)"

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Uh... by mellon · · Score: 5, Interesting

      So basically he's proposing that instead of using a carefully insulated browser, we install code on our computers provided by banks that will never be updated, and will be full of unpatched bugs. And this will make our machines more secure. Are we sure this guy is a white hat?

    8. Re:Uh... by Guignol · · Score: 4, Funny

      In fact the term "webapp" has been in use (and still is), we believe, since hundreds of millions of years by the first frogs, long before the mobile revolution

  3. Nobody would ever hack that. by kwerle · · Score: 5, Insightful

    Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.

  4. Brilliant! by SavSoul · · Score: 4, Insightful

    Did he just re-invent client-server desktop apps?

  5. I'm not even going to bother... by YodasEvilTwin · · Score: 4, Insightful

    outlining why, everyone else is covering it pretty well, but this is an incredibly awful idea. And its originator is an idiot as is he who decided this was worthy of posting to /.

  6. Re:An App For Every Website by Anonymous Coward · · Score: 5, Insightful

    I think I'll just stick with "not being a fucking moron." Kept me pretty safe so far.

  7. Re:An App For Every Website by Nemyst · · Score: 5, Funny

    Someone would come up with another app that let you search through your other apps. They could call it... a search engine, maybe?

    Then we'd rename those apps as "web pages", as they're pages networked together in a giant web.

    Then someone else would think of making a single, unified app viewer, which would let you browse through multiple apps in an interlinked fashion. Browser could be a good name for that.

    Dude, that sounds so revolutionary. Nobody would've thought of that before.