The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Finally, Somebody “Gets” Secure Web Browsing and Does It The Right Way


I’ve ranted before about how insecure web browsers are, because they trust themselves, their libraries and user-added plug-ins too much.  At a very high level, they have responsibilities that can be likened to those of operating systems, because they run potentially dangerous code from different sources (users vs web sites) and need to do it separately from each other and from root (the user account running the browser), i.e., securely.  The web browsers of today look as ridiculous to me as the thought of using Windows 95 to run enterprise servers.  Run an insecure plugin , get owned (e.g., Quicktime).  Enable JavaScript, VBScript, ActiveX, Java, get owned.  Get owned because the web browser depends on libraries that have more than 6-month-old vulnerabilities (1-year old depending on how you count), and the whole thing collapses like a house of cards.  As long as they are internally so open and naive, web browsers will keep having shameful security records and be unworthy of our trust. 

IE 7’s protected mode needs to be acknowledged as a security effort, but CanSecWest proved that it didn’t isolate Flash well enough.  It’s not clear if a configuration issue was involved, but I don’t care—most people won’t configure it right either then.  IE 7’s protected mode is a collection of good measures, such as applying least privilege and separation of privilege, and intercepting system API calls, but it is difficult to verify and explain how it all fits together, and be sure that there are no gaps.  More importantly, it relies heavily on the slippery slope of asking the user to appropriately and correctly grant higher permissions.  We know where that leads—most everything gets granted and the security is defeated.

Someone not only thought of a proper security architecture for web browsers but did it (see “Secure web browsing with the OP web browser” by Chris Grier, Shuo Tang, and Samuel T. King).  There’s a browser kernel, and everything else is well compartmentalized and isolated.  Similarly to the best operating system architectures for security, the kernel is very small (1221 lines of code), has limited functionality, and doesn’t run plug-ins inside kernel space (I’d love to have no drivers in my OS kernel as well…).  It’s not clear if it’s a minimal or “true” micro-kernel—the authors steer clear of that discussion.  Even malicious hosted ads (e.g., Yahoo! has had repeated experiences with this) are quarantined with a “provider domain policy”.  This is an interesting read, and very encouraging.  I’d love to play with it, but I can’t find a download.


Posted by Sicurezza, ICT ed altro » Blog Archive &raqu
on Thursday, May 15, 2008 at 03:35 AM

[...] titolo non è mio, è una traduzione approssimativa di quello di questo post di Spafford. Anche se in questi giorni sono molto impegnato e non ho tempo per scrivere, non potevo non metterlo [...]

Posted by Joseph Giron
on Thursday, May 29, 2008 at 02:56 AM

There is only 1 truly secure browser these days. Like it or not, its lynx. No images, just text. No script code, no functionality, just the internet as it was in 1993.

There will always be browser vulnerabilities, but the rate at which they are discovered depends on which browser is in use the most. IE hold the record for users, so it also hold the record for bugs. As Firefox becomes more popular, the security holes follow. This being said, if one were to use something like…avant, or something to that effect, you’d be safe in the short run. If the popularity grows, then you’re screwed and have to pick a new one.

Posted by Pascal Meunier
on Thursday, May 29, 2008 at 04:56 AM

I am familiar with this line of reasoning.  The generalizations it uses are true enough with the current browser architectures.  However, we can do better, and that publication describes how. The point is not to create an entire software product with zero flaws, but to have an architecture such that: a) the flaws that are present, and that we assume will *all* be found, have smaller consequences and b) only a very small kernel needs to be close to flawless.  If we could create large software products with zero flaws, then we wouldn’t need this better architecture.  Even if all the flaws were found in the case of a popular browser, you’d be much less likely to be “screwed”, if all the parts were well isolated.

Posted by Zonnepanelen
on Sunday, July 6, 2008 at 02:58 PM

Should we really want the internet as it was in 1993? Internet has evolved (and still is evolving) to a higher level. In my opinion, this evolvement is a positive thing! I wouldn’t want the internet of 1993 back smile

Posted by Ray
on Friday, July 11, 2008 at 03:32 PM

Joseph Giron: right lynx is secure because ligth and text only, but i think when we browsing, we not just to read the text, how nice if we browsing only see the text in black box :D

For me, secure or not depend on your PC protection.

Leave a comment

Commenting is not available in this section entry.