×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

The Web Won't Be Safe Or Secure Until We Break It

Soulskill posted about 2 years ago | from the i'll-get-the-hammer dept.

Security 180

CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"

Sorry! There are no comments related to the filter you selected.

Broke it (5, Funny)

k28 (2593665) | about 2 years ago | (#41911751)

Broke it. Does that mean it's safe now? http://www.google.com/404 [google.com]

It sure is! (-1)

Anonymous Coward | about 2 years ago | (#41912079)

Jeremiah Grossman

An Amish Jew said so!

Re:Broke it (1)

Anonymous Coward | about 2 years ago | (#41912111)

That's too insecure.

https://www.google.com/404 [google.com] . There. Now it's safe.

Uh... (5, Informative)

Antipater (2053064) | about 2 years ago | (#41911783)

(let's call them DesktopApps)

Let's not.

Re:Uh... (4, Informative)

SJHillman (1966756) | about 2 years ago | (#41911793)

So they're... apps. People have been calling them apps long before the mobile market started calling them apps.

Re:Uh... (4, Insightful)

Anonymous Coward | about 2 years ago | (#41912065)

No. They've been calling them "computer programs" and "applications". They became "apps" thanks to the mobile market.

That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.

Re:Uh... (1)

cant_get_a_good_nick (172131) | about 2 years ago | (#41912619)

Everything is an abbreviation to Computer geeks. Calling them apps has always been common.

The original MacApp [wikipedia.org] was a framework for building apps on the Mac. Web Applications have been WebApps since the 90's.

Re:Uh... (1)

vikmoose (2744195) | about 2 years ago | (#41912185)

Yeah I've always called them apps. And... DesktopApps? I don't think that'll catch on. Sounds like what Steam is.

webapps (0)

Anonymous Coward | about 2 years ago | (#41912973)

You can install them from Firefox by going here [mozillalabs.com] and here [mozilla.org] .

Re:Uh... (1)

SirGarlon (845873) | about 2 years ago | (#41911811)

I call them "bookmarks." I've been using them for years.

Re:Uh... (4, Informative)

mcgrew (92797) | about 2 years ago | (#41912007)

That's not what he (TFA guy) means by it. He means that rather than typing mybank.com into your URL bar or going to a browser bookmark, the bank has a dedicated program that isn't a browser that resides on your computer that connects to your bank and nowhere else. I might even bank online if they had something like this.

Re:Uh... (0)

Anonymous Coward | about 2 years ago | (#41912027)

So something more akin to a telnet session?

Re:Uh... (1)

vlm (69642) | about 2 years ago | (#41912139)

So something more akin to a telnet session?

LOL

"vlm@nonofyourbusiness:~$ tn5250 legacy_as400.big-bank.com"

I'm sure they'll be places using c3270 too!

Re:Uh... (5, Insightful)

jandrese (485) | about 2 years ago | (#41912029)

Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained. I don't see how this is a win over a website.

Re:Uh... (5, Insightful)

vlm (69642) | about 2 years ago | (#41912171)

You forgot they'll only certify it for certain OS and if detected on the wrong one it'll refuse to work and pop up a "please upgrade" message.

And it'll demand you downgrade new platforms. So your vista laptop can't log into your bank.. pop up claims you need to "upgrade" to XP or more likely 98.

"This page best viewed 640x480x8... here, since I'm a poorly written app now with system access instead of being a poorly written webpage, let me reconfigure your video card to be BankOptimized(tm)(c)"

Re:Uh... (1)

Quiet_Desperation (858215) | about 2 years ago | (#41912223)

Maybe we'd see the emergence of more cross platform tools. All I can think of now is RealBasic which can compile (nearly) the same code into Windows, Mac and Linux.

Re:Uh... (3, Informative)

CadentOrange (2429626) | about 2 years ago | (#41912277)

There's the Qt framework. It's C++, open source and a lot more popular than realBASIC.

Re:Uh... (1)

lattyware (934246) | about 2 years ago | (#41912411)

Qt, GTK+, Python, Java+Swing/SWT, TCL/TK - off the top of my head.

Re:Uh... (1)

ZeroPly (881915) | about 2 years ago | (#41913021)

Why does it have to be just Windows? Write it in a cross platform language like Java. The benefit then is that any modern browser can run the app.

Re:Uh... (1)

poetmatt (793785) | about 2 years ago | (#41912133)

Why? It would absolutely be less secure than the bank's own approach. You really think an individual can be trusted to keep things secure better than a large company? Just because the hackers are better than the banks doesn't mean that any user can do anything worth a damn to compare as far as security does.

Meanwhile, if you're worried about your bank security, then stick with cash.

Re:Uh... (3, Informative)

justforgetme (1814588) | about 2 years ago | (#41912159)

Which is something that people could do for a very long time with stuff like firefox.
Hell, in the last years (don't recall when exactly) firefox even made it a "framework", prism or what it is called, so you can create stand alone applications out of websites. You can even set rules about where the browser can go!

Am I missing something?

Re:Uh... (2)

Synerg1y (2169962) | about 2 years ago | (#41913111)

Yes... firefox is really rooted into your system, registry read writes, lso's, appData, it doesn't need ANY of this to run, well maybe... appData, but I'd argue they should just use Sync (which is pretty cool btw). When I can sandbox a browser and have it run without breaking, the point of tfa will be achieved, but I've run firefox portable before, and performance leaves something to be desired, also I'm not sure how much of a footprint it leaves on your system.

Also the author of the article doesn't have a clue, the "facebook" app isn't a browser, nor will it ever be, it's an API-enabled application. You can write it right now by selecting new windows form from visual studio and downloading the facebook api, so *shrug*. Why don't we? Well.. there's the browser, from which you can throw a bookmark on your desktop from.

Re:Uh... (1)

Quiet_Desperation (858215) | about 2 years ago | (#41912203)

You explained it much better than the summary. So more like Netflix's app.

Actually, I'd be happy to give this a shot. The majority of web apps I've used are just horrible. My credit union just redid their online bill pay, and it's clunky as hell, all to make it look like an application and not a basic web form you fill in and submit, the latter having worked perfectly fine for the past seven years. So now it's (sort of) shiny, and takes four times as long to pay the bills.

Re:Uh... (2)

h4rr4r (612664) | about 2 years ago | (#41912311)

Speaking of terrible websites Netflix is a great example. You have to mousehover to get a link to click on to see any useful information about a film.

When it was less shiny you could click on the film name for that. Today it tries to stream.

Re:Uh... (1)

ArcadeMan (2766669) | about 2 years ago | (#41912497)

I'm glad to see I'm not the only one annoyed by that "feature". Clicking on the poster should lead me to a page about the movie with the description, ratings, comments from other viewers and a "play movie" button.

That's especially annoying because I don't use my computer to watch the movies, I only use the Netflix website to check for ratings and comments. I'm never going to install SilverLight on my Mac, so they can shove it where the sun don't shine.

Re:Uh... (0)

Anonymous Coward | about 2 years ago | (#41912221)

Woah, woah, woah, let's not get ahead of ourselves. Installing software on a local computer? That's crazy talk. Everyone knows software only lives in the cloud.

Re:Uh... (5, Interesting)

mellon (7048) | about 2 years ago | (#41912273)

So basically he's proposing that instead of using a carefully insulated browser, we install code on our computers provided by banks that will never be updated, and will be full of unpatched bugs. And this will make our machines more secure. Are we sure this guy is a white hat?

Re:Uh... (1)

Synerg1y (2169962) | about 2 years ago | (#41913139)

This is why security professionals have the rep that they do... and why all our base belong to the Chinese hackers. And yes I agree, his idea is regressive.

Re:Uh... (5, Insightful)

zlives (2009072) | about 2 years ago | (#41911917)

woo hoo one app per website thats just what we need. This is why MS came with the tiles...

...but who watches the Watchmen? (2)

Andy Prough (2730467) | about 2 years ago | (#41912855)

My thoughts exactly. So - my google search app wouldn't point me to web pages - instead it would point me to apps I could download and install for each different web page. So now I'm installing thousands of web apps? THAT sounds like a security nightmare! Who is going to watch over the security of the apps? Google? They are already having problems with the Android apps.

Re:Uh... (1)

Bogtha (906264) | about 2 years ago | (#41912123)

They already exist, they are called Site-Specific Browsers.

SELinux Containers can do this (3, Interesting)

dutchwhizzman (817898) | about 2 years ago | (#41912417)

Dan Walsh, one of the principal developers of SELinux has blogged about a way to do this on your linux desktop box. You can start a "virgin" browser in it's own Xserver with optional presets you copy in the loopmounted container. Every time you run it, it starts the same fresh image built on the fly when you run the command. This makes it easy to have separate browsers for each task you want isolated from the rest of your web experience or your desktop computer. Even if it gets infected, it will not remain on your computer and the infection is gone as soon as you close the browser. He's not the only one that has written about it, there are many more people giving useful examples on the web.

Re:Uh... (0)

Anonymous Coward | about 2 years ago | (#41912125)

Hahahahahah yea lets not do that ..

Re:Uh... (0)

Anonymous Coward | about 2 years ago | (#41912257)

Will they make these custom applications for every possible OS? If not, it's pointless.

No URL bar (3, Insightful)

Anonymous Coward | about 2 years ago | (#41911785)

So we would have no clue as to where we were taken?
Yeah, that must be good security

Re:No URL bar (1)

MichaelSmith (789609) | about 2 years ago | (#41911809)

Safari does this now and I find it very frustrating.

Re:No URL bar (1)

Desler (1608317) | about 2 years ago | (#41911825)

Safari does what now?

Re:No URL bar (1)

MichaelSmith (789609) | about 2 years ago | (#41911899)

Shows web pages without a URL field. My wife has a macbook and she frequently asks me for help, like "what is this web page for" or something but without ther URL field it is hard to know how she got there.

Re:No URL bar (1)

Desler (1608317) | about 2 years ago | (#41911973)

So then just reenable it? It takes all of 2 seconds to do.

Re:No URL bar (1)

Pieroxy (222434) | about 2 years ago | (#41912755)

So you're complaining because Safari has an option to remove the address bar?

NEWSFLASH! Apple hides urls... (1)

Andy Prough (2730467) | about 2 years ago | (#41912885)

...from users! Spokesperson says "the walled garden is now complete". Story at 11.

Re:No URL bar (1)

ArcadeMan (2766669) | about 2 years ago | (#41912521)

View > Show Toolbar

Re:No URL bar (0)

Anonymous Coward | about 2 years ago | (#41911967)

Clearly using a stateless networking protocol is ideal for security.

An App For Every Website (3, Insightful)

Shinmera (2514940) | about 2 years ago | (#41911803)

So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently, and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app? Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?

Re:An App For Every Website (5, Insightful)

Anonymous Coward | about 2 years ago | (#41912097)

I think I'll just stick with "not being a fucking moron." Kept me pretty safe so far.

Re:An App For Every Website (5, Funny)

Nemyst (1383049) | about 2 years ago | (#41912129)

Someone would come up with another app that let you search through your other apps. They could call it... a search engine, maybe?

Then we'd rename those apps as "web pages", as they're pages networked together in a giant web.

Then someone else would think of making a single, unified app viewer, which would let you browse through multiple apps in an interlinked fashion. Browser could be a good name for that.

Dude, that sounds so revolutionary. Nobody would've thought of that before.

Re:An App For Every Website (2)

swanzilla (1458281) | about 2 years ago | (#41912379)

I can't wait until somebody posts a Computer World DesktopApp on Slashdot, which turns out to be 17 DesktopApps.

Re:An App For Every Website (1)

mcgrew (92797) | about 2 years ago | (#41912161)

So then I'd end up with about 100 "Apps" on my desktop

No, you woudn't need a different app for each site, only the ones that needed security, like your bank. This wouldn't affect going to slashdot or youtube or your local paper.

Re:An App For Every Website (1)

colman77 (689696) | about 2 years ago | (#41912173)

So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently,

This is a solved problem... look at how mobile phones do it. It'd be 100x easier on a desktop, since there's more space. Chrome is already doing this -- just add a search box. Easier than typing in a full url, right?

and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app?

I think this is sort of the point -- people get notified when they're leaving the app. It's easy to follow links out of the app, because the platform for ALL apps is the web browser.

Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?

Again, solved problem.

Re:An App For Every Website (1)

fotoguzzi (230256) | about 2 years ago | (#41912197)

I read 100 "Amps" on my desktop.' I was thinking of 100 Amps on my desktop computer after all of those apps were opened.

Nobody would ever hack that. (5, Insightful)

kwerle (39371) | about 2 years ago | (#41911829)

Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.

Re:Nobody would ever hack that. (1)

foma84 (2079302) | about 2 years ago | (#41911901)

Me thoughts exactly!
I don't even think it would be any easier to secure that mess instead of a single browser.
Not to mention you would STILL need some kind of browser for general purpose.

Re:Nobody would ever hack that. (0)

Anonymous Coward | about 2 years ago | (#41912055)

Not sure if someone has thought this through. I guess most programmers assume that their own program or app (or website "app") is the only one that the users would install. You now have 100+ apps coded by monkeys that have different programming skills that needed to be secured instead of 2-3 web browsers to worry about and 100+ privacy concerns on them phoning home. The only saving grace is that the lawyers now can do class action against the banks that commissioned these apps.

To the hackers, it is like a gift to filter out the important keystrokes for banks just targeting that.

infected desktop app (1)

Anonymous Coward | about 2 years ago | (#41911855)

How would I know my desktop app is not infected? At least my browser may show an incorrect URL.

Re:infected desktop app (1)

garaged (579941) | about 2 years ago | (#41911889)

You currently dont know if the web page is sending any provided data to a third party or if it is using a zero day to install somethin on your OS

Re:infected desktop app (2)

darkHanzz (2579493) | about 2 years ago | (#41912037)

The same holds for these apps. Same difference.

Arent we already doing this (0)

Anonymous Coward | about 2 years ago | (#41911873)

In the majority of the applications we have been writing a releasing we adopt the model described. We write a "rich" client that is basically a special "non-browser" browser speaking over HTTP to an application server using REST or SOAP based on the needs of the customer. The tech doesnt matter, we've built the same type of app using Java (front and back end), C++/QT on the front java servlets on the back (looking at tufao for a complete Qt), and most recently Node.JS on the back.

Re:Arent we already doing this (0)

Anonymous Coward | about 2 years ago | (#41912041)

Except he's suggesting that these apps actually render a webpage, instead of storing the static parts of the content locally. This is actually what I hate about the mobile app for my bank, it's really just a nerfed browser that points to a mobile site. It's even worse on mobile because where I am, 3G sucks, and I'd rather it only send me the data I need, and not all the pretty pictures as well.

I've Been Immune For Over 10 Years (0)

Anonymous Coward | about 2 years ago | (#41911883)

I've been running a client-side firewall called Atguard that is a general solution for pretty much exactly what the poster suggests. It only allows javascript on sites that I explicitely allow it on. You can run it so that by default, web sites are locked down to be essentially display-only. It also alerts me to any outbound connection attempts and allows me to block/allow connections and ports on a per-application basis. Unfortunately, I can't find newer versions of it anywhere and the company that made it no longer exists. It's the best network add-on I've ever used, so why something else with equivalent functionality hasn't appeared to take its place is beyond me.

Re:I've Been Immune For Over 10 Years (0)

Anonymous Coward | about 2 years ago | (#41912929)

I've been running a client-side firewall called Atguard that is a general solution for pretty much exactly what the poster suggests. It only allows javascript on sites that I explicitely allow it on. You can run it so that by default, web sites are locked down to be essentially display-only. It also alerts me to any outbound connection attempts and allows me to block/allow connections and ports on a per-application basis. Unfortunately, I can't find newer versions of it anywhere and the company that made it no longer exists. It's the best network add-on I've ever used, so why something else with equivalent functionality hasn't appeared to take its place is beyond me.

The NoScript Firefox extension does what you need for scripts run by websites. Various "personal firewall" programs such as Zone Alarm block outgoing ports and alert you to connection attempts.

Re:I've Been Immune For Over 10 Years (0)

Anonymous Coward | about 2 years ago | (#41913083)

NoScript is amazing. It's more than just a JavaScript blocker, trust me.

There are already tools that do this (1)

The MAZZTer (911996) | about 2 years ago | (#41911887)

They are not widely used. Chrome and Firefox have tools to do this. Chrome's is hidden in the Tools menu and no one uses it. Firefox's is a separate application or an add-on. Again, it never caught on.

Also, now for every new website that launches I have to download software and run it on my computer? Yes, that definitely sounds safer.

What happens to cross-site links? Are you just going to block them to keep the user contained? This will make for a poor UX.

We could just go back to Web 1.0 (2, Insightful)

istartedi (132515) | about 2 years ago | (#41911919)

Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.

Slashdot needs a handful of tags and good old CGI. That's all.

Sounds nice but... (1)

Anonymous Coward | about 2 years ago | (#41911921)

This sounds great in theory, but I don't want to install my bank's software. Not only is it likely to create security holes (banks aren't famous for the software development skills), but I wouldn't trust them not to abuse the privilege and mine my personal data.

Re:Sounds nice but... (1)

vlm (69642) | about 2 years ago | (#41912107)

The largest security hole is likely to be the legendary ability for apps not to get updated on a timely basis. So they'll be a new buffer overflow in the cookie cutter app for my credit union and it'll take them 6 months of consultant contracting and testing and security approval and certification and SSL keysigning and roll out plans and maint windows to get it pushed. Meanwhile I'm getting owned for half a year. Oh well, I'm just a user, and they have procedures to follow. Meanwhile the "old fashioned" "insecure" "legacy" Chrome users had it patched in chrome hours after the exploit was discovered and have been safe for half a year.

Friends don't let friends use apps!

Decentralization has costs and benefits (3, Insightful)

Loopy (41728) | about 2 years ago | (#41911927)

Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.

I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.

Re:Decentralization has costs and benefits (0)

Anonymous Coward | about 2 years ago | (#41912043)

The big problem is people demanding NEW! SHINY! features without considering the consequences. There aren't many ways to exploit a system with plain HTML, for example, unless your browser has a really braindead parser. Throw in Javascript, Flash, etc, and you just opened up a billion new unexpected holes.

Re:Decentralization has costs and benefits (0)

Anonymous Coward | about 2 years ago | (#41912301)

You can have a hybrid approach of centralized and decentralized systems. For the most part no-one should want to reach into a banking website and pull out an URL. Nor should any part of the bank website reach outside and pull out an URL. A bank can have a garden to itself but there's currently no way to grant it that garden with current software (e.g. a highly customized and restricted browser).

Apps are temporary gardens. The modern app store has become a surrogate DNS. The next step is that the criminals will move to the app stores - they're already starting to do that. It's not the Wild West, it's evolution playing out in the cloud - predators and prey.

Re:Decentralization has costs and benefits (0)

Anonymous Coward | about 2 years ago | (#41912591)

Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.

Agreed.

I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.

How do you propose that they be prosecuted? In certain places an IP address has been ruled by the courts to not be enough to identify a person. http://yro.slashdot.org/story/12/05/03/2135201/ny-judge-rules-ip-addresses-insufficient-to-identify-pirates Although this is still being contested, http://yro.slashdot.org/story/12/10/09/2348256/judge-orders-piracy-trial-to-test-ip-address-evidence

Another problem is the ease of creating a new "online" identity. (Most places just verify an email address.) If the crook gets away and changes their ID, how do you tie them to an older crime if they have no evidence on them? (I.e they used dd, dban, used am encrypted VM and then deleted it, etc.) It's far too easy to get away an online crime provided you do it right. Of course not all criminals have the same skills as the others, so some WILL get caught, but for the others what do you do?

Do you demand that all people online must be identifiable (ala, Blizzard's Real ID?) That would not be good for free speech activists, or people in oppressive countries. Do you say well too bad for you?

Do you demand that all systems online must be "secured" to prevent crime? If so how do you propose we do this? Use a TPM, demand that all internet capable devices run the same os and applications? That would not sit well with the OSS crowd. Not to mention give some one a HUGE monopoly in the OS market. (Regardless of what os is chosen. Also which os would you choose and how would you choose it?)

Do you demand that we all switch to cloud computing, and have our accounts constantly scanned for "illegal" material? That would be a massive invasion of privacy.

Do you demand harsher penalties for computer / internet based crime? If so what do you propose the punishments should be? Keep in mind that the UN declared internet freedom a basic human right. http://yro.slashdot.org/story/12/07/06/194256/un-declares-internet-freedom-a-basic-right

I'm not trying to say that the current system is perfect. It has it's flaws sure. The very fact that it was originally designed to be a network of connected universities and military systems sending text to each other, and now it's open to the public doing all kinds of things that the designers never thought of (Banking, videos, shopping), is more than enough to say it needs improvement.

Personally I would have the original internet split in two. One secure internet (Requires ID, only used for things where it would be required. Shopping, Banking, Governmental.) and an unsecure internet. (No ID required, used for things like Youtube, Facebook, Online Gaming, etc.) This also has it's flaws, (Such as certain businesses desiring to use the "Secure Internet" for Targeted advertising, Game companies using the "Secure Internet" to enforce DRM, Other companies using the "Insecure Internet" to conduct illegal business, etc.) but I think this could work as people could be safe while doing things that need protection. While also allowing for the anonymity that certain tasks online necessitate or prefer.

Note: I'm not trying to discredit you, I'm honestly asking what do you propose that we do? I think eventually that this discussion must be done as the current state of things is rather messed up.

It's called NoScript. (1)

Anonymous Coward | about 2 years ago | (#41911945)

Solved!

Whats the point? (0)

Anonymous Coward | about 2 years ago | (#41911993)

I'm assuming you don't mean to run code written by my bank on my computer. That would lead to some pretty cool spyware in your apps. You must mean It would be some kind of mini, limited to one site web browser?
You can also just make your firewall drop all connections to sites besides Bank of America and Facebook, but whats the fun in that?

How 'bout no. (0)

Anonymous Coward | about 2 years ago | (#41912003)

How 'bout no.

Yeah. Sounds F***ing Awful (3, Interesting)

presidenteloco (659168) | about 2 years ago | (#41912063)

I want the wild wild web, where the deer and the antelope roam, and the skies are (not cloudy) all day, not some locked-down police-state prison-cell silo-world of commercial money-sucking, mind-***king apps.

Safe and Secure? What Nebulous Terms (1)

casings (257363) | about 2 years ago | (#41912011)

What is safe and secure? I don't think anyone will agree on the complete definition of this. The government will have its definition. The MPAA/RIAA will have their own definition. I as a hacker have my definition. I prefer the way the internet is, because I can make it as safe or as unsafe as I choose. I don't need anyone else to define those terms for me.

Brilliant! (4, Insightful)

SavSoul (669561) | about 2 years ago | (#41912017)

Did he just re-invent client-server desktop apps?

Re:Brilliant! (3, Funny)

jmauro (32523) | about 2 years ago | (#41912047)

Yes.

But for Security! Instead of you know, what ever reason we used them before then got rid of them the first time around.

I'm not even going to bother... (4, Insightful)

YodasEvilTwin (2014446) | about 2 years ago | (#41912035)

outlining why, everyone else is covering it pretty well, but this is an incredibly awful idea. And its originator is an idiot as is he who decided this was worthy of posting to /.

It needs a name. (0)

Anonymous Coward | about 2 years ago | (#41912071)

I suggest we call it Web 2.0.

Second rate software (0)

Anonymous Coward | about 2 years ago | (#41912085)

Making an "app" for every website would guarantee a slew of low-quality apps full of security holes. Isn't the current security model better than security by fragmentation?

We call these domains (1)

holophrastic (221104) | about 2 years ago | (#41912095)

Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on? You know, since that's what I want? I mean, we'd be blocking 90% of the tracking systems out there. But on the plus side, we'd be saving me 90% of the blocking that I'm currently doing anyway.

Alternatively, we can notice something quite obvious. It's fine the way it is. We're never going to have a world where everybody's safe from everything. I'm ok with being at risk of my computer breaking. That's just perfectly fine. Let criminals focus their efforts in that direction. It's way better than train robberies.

Incidentally, you guys do know that we drive on highways at up to 150 kph with the only thing separating us from on-coming traffic being a narrow strip of yellow paint -- and often it's dashed. And we assume that there isn't any horrible debris on that same road. Really, malware doesn't concern me -- and every dollar I earn comes from my work at the computer.

Enjoy your day. Maybe you shouldn't eat at random restaurants either.

Re:We call these domains (1)

omnichad (1198475) | about 2 years ago | (#41912369)

Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on?

Isn't that up to the web developer? If the bank is providing the HTML, they can ensure that none of their pages are linking to resources outside their domain/subdomains. It's not like Cross-site request forgeries or cross-site scripting attacks are originating from Bank of America's web site.

Sandboxing the web site to only point to your own domain is sort of like just making sure your code is good in the first place.

Re:We call these domains (1)

holophrastic (221104) | about 2 years ago | (#41912783)

sure they do. google-hosted javascript libraries, off-site analytics, affiliate links, news feeds. we're also not talking about banks, which have real legal consequences. we're talking about companies who really couldn't care less -- like slashdot. if I post a link here, and make it look like a link to my blog as an example of what I'm saying, but it actually links to a piece of malware, slashdot probably couldn't care less. So, will you click this link [mrblog.com] ?

Re:We call these domains (1)

omnichad (1198475) | about 2 years ago | (#41912987)

Sure - I feel safe clicking the link. Slashdot shows the domain of the link as mrblog.com. The reverse lookup of the ip address at mrblog.com tells me it's Godaddy's parking servers (parkwebwin-v01.prod.mesa1.secureserver.net)

Re:We call these domains (1)

holophrastic (221104) | about 2 years ago | (#41913117)

that's some mighty fine detective work for a domain that I made up. I won't ask what would have happened if I'd made up one hosted by someone you didn't know, instead of godaddy. I won't ask because I don't need to.

The page that you did load -- from godaddy -- had your browser download shit from http://ak3.imgaft.com/ [imgaft.com] and was tracked by as.casalemedia.com -- an advertising company -- hope you're happy. You loaded a random javascript file from casalemedia. I wonder what was in it? I wonder what I did.

That's a lie, I don't wonder. I know casale now knows about you, your activity on mrblog, everything godaddy knew about you before, which includes everything that godaddy knows about anything you ever did on any site they host -- which is a greate many -- and that casale uses this information to sell more ads.

Congrats; my stupid link here just allowed three companies to make a profit on your argument. Hope you got something out of it. Maybe a lesson?

suggestion (1)

ozduo (2043408) | about 2 years ago | (#41912131)

Stand up, walk away from your keyboard and walk down the street to the bank building. It is fun interacting with real people for a change, and walking is a fantastic method of removing that pizza gut!

Re:suggestion (1)

omnichad (1198475) | about 2 years ago | (#41912389)

Ha, I do all my deposits and withdrawals from the ATM just inside the front door of my bank, mostly during banking hours. No, dealing with people is not worth the extra effort.

WTF??? (1)

Anonymous Coward | about 2 years ago | (#41912149)

Wow. That is a really stupid idea.

Re:WTF??? (0)

Anonymous Coward | about 2 years ago | (#41912359)

your a really stupid idea!!!!

Re:WTF??? (1)

Anonymous Coward | about 2 years ago | (#41912455)

Your an AC, Im an AC... Why start flaming me? You do know that on one is ever going to read this.

Re:WTF??? (0)

Anonymous Coward | about 2 years ago | (#41912875)

your a really stupid idea!!!!

Relax, Mr. Grossman. You'll feel all better when you take your meds.

We need to learn to clean shit up... (0)

Anonymous Coward | about 2 years ago | (#41912215)

The real problem with security right now is that no-one does an attack surface audit. Literally all these websites out there have their servers installed with an all-manner of crap and garbage that they don't need and each one probably has way more ports open than they should need to. People don't clean shit up - that's the real problem. We don't uninstall software, and sometimes even when we do it's not 'really' uninstalled any more than just taking it off the start menu. We see the same thing in Android land - how many times have you updated a piece of software to see it wants new privileges? Now tell me, how many times have you seen an app say "nah, I don't need this privilege anymore, you can have it back"? Governments do the same thing with new laws. Software does this when you don't refactor it - right up to the point the codebase falls apart because it's been contorted in so many directions and never cleaned up.

Humans are just astonishingly bad when it comes to fixing problems that aren't problems (yet). Sometimes the reason for not doing it is that they don't want unintended side-effects from removing things. This means *they don't know what they are doing*.

We need more people that know what they are doing.

AOL anyone? (1)

guano79 (2740675) | about 2 years ago | (#41912219)

This kind of stuff reminds me of the times of AOL and Compuserve, when everybody used an 'App' and this was all replaces by a.... WEB BROWSER!!! And remember, a browser is not only for the Web, it can understand other protocols other than http or https, like ftp, so it's really about flexibility of the oh! magical thing called a URL :)

Who is this guy shrilling for? (1)

nzac (1822298) | about 2 years ago | (#41912225)

Or does he just want publicity?
This is an extreme solution to something that is not really a current a problem and it has issues of its own.

The two main consequences of Desktop apps to me is you have to get them installed keep and keep them updated everywhere (and according to him you can't trust a browser download) and these apps will be OS specific.

Someone would make a lot of money somewhere getting this enforced and it would require creating an appstore/repo for every platform where you could get these from. This seems like a great chance to make parts of the web specific to a OS.

What you could do without breaking anything is have a site broadcast in the header that they want private sandbox from the rest of your running web-pages and only allow the browser to send and receive data to the provided site. It would break advertising but that’s necessary to be secure anyway.

Maybe not so stupid of an idea? (1)

vlm (69642) | about 2 years ago | (#41912237)

I've been LOL about this idea, but Maybe, just Maybe... what if they had a thundering herd of VNC servers in da cloud and the "website" is just a VNC client?

No need for legacy HTML shit simulating a client server app in the most complicated byzantine and slow means possible... Have a couple traditional client server apps for different resolutions, like my full size high res desktop and another VNC server for my tiny little phone. Each VNC server is a cloud image, created when I connect and vaporized when I disconnect for "security".

Basically your "website" is an icon running your off the shelf VNC viewer and a hard coded hostname. Thats all.

Its not that horrible of an idea, in that case. Now using HTTP as the transport instead of VNC would be pretty dumb, but VNC as a transport? Hmm maybe.

Irrelevant. (1)

Seumas (6865) | about 2 years ago | (#41912319)

In a supposedly post-PC world where the desktop is dead and every "website" is just a fucking application behind a little square icon, does it even fucking matter, anymore?

LUL. Please do this. I want to lick your tears. (0)

Anonymous Coward | about 2 years ago | (#41912463)

Let me get this straight -- you're going to write and maintain a custom fucking browser. Probably purchased COTS and running on just one or two platforms you aren't even competent to do webdev for.

You're going to lock this down and secure it correctly. You're going to maintain its own CA store and correctly sign its certificate. You're going to handle distribution and udpates correctly, and mostly inside this application.

You're going to do this in a manner where I can't just open up wireshark and look at the IP or domain you connect to and watch the TCP handshake going on and trace the HTTP connections.

You're going to do this with a browser where I can't just set a global environment variable or system setting to configure a proxy handler. And you're going to support the users using this browser that do require a proxy with custom builds of the application or in-application settings.

And when your developers test this website with your custom fairy-princess-sparkling-pony wand browser, they're actually going to be competent enough to also test it with chrome or firefox where I *can* type in the URL, and *can* edit the forms up however I want?

Look...with respect to the actual article..yeah, browser's load too much. I block a lot of them and get grief -- I don't get scripts, I don't get most tracking cookies, tracking images, analytics, iframes... They won't send third party cookies, and sometimes my browser accepts them and immediately rewrites them with random content--particularly if it sees anything that looks like a checksum or uuid.

But you aren't going to fix the web with apps-as-browser -- you'll just make it less secure because most devs aren't even good enough to test outside of their expected environment. Which is why I still see raw forms I can post anything to with nothing but clientside validation going on.

This idea is fucked before it's even written. The only conceivable benefit is client-side-browser diversity, and even that isn't actually worth it given the risks that come with it.

The net is unsafe (1)

Pf0tzenpfritz (1402005) | about 2 years ago | (#41912517)

The net is unsafe because it's full of idiots. That's why the rest of us needs to become complete morons, too. And use "apps" with just one button. Because two buttons are not stupid enough! Two buttons are smarter than one! So one button is not so smart!! Great plan! So logical. I am with you. Now, where's that #*'&%! button, again?

Is he dumb or just trolling for ad clicks? (0)

Anonymous Coward | about 2 years ago | (#41912523)

I cannot imagine how this would work in any sane sense. The proposed idea would basically result in one application per website. This would mean in the run of the day I'd have to open dozens of application which would have to, somehow, be linked together. That makes zero sense and it doesn't deal with the issue. The problem is we have a few insecure applications (web browsers) and the solution isn't to create thousands of new applications. We need to do a better job of securing our existing browsers, not create thousands of new ones.

Firefox Prism replacement (1)

Anonymous Coward | about 2 years ago | (#41912549)

Firefox used to have the functionality of making a website into an app via the Prism project. That project has now been discontinued, but you can do the same thing with:
firefox.exe -P BankUser -no-remote https://mybank.com

This lets you create a dedicated user for a site, with its own options and data. Turn off all of the toolbars in the view menu, and, while you're not restricted from going to other sites with this browser, you have less temptation to do so. Each account also remembers the window position, so you can have, e.g. a tiny window for time.gov/widget.html.

Completely misses the point. (3, Interesting)

Vellmont (569020) | about 2 years ago | (#41912555)

The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.

Drive bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drivebys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not that case.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?