The Web Won't Be Safe Or Secure Until We Break It 180
CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"
Broke it (Score:5, Funny)
Re:Broke it (Score:4, Insightful)
(Each of them with their own bugs.)
Yeah. That's an improvement. Sure.
Re: (Score:2)
Re: (Score:2)
https://encrypted.google.com/404 [google.com]
Now it's doubly safe!
Re: (Score:2)
Uh... (Score:5, Informative)
(let's call them DesktopApps)
Let's not.
Re:Uh... (Score:5, Informative)
So they're... apps. People have been calling them apps long before the mobile market started calling them apps.
Re:Uh... (Score:4, Insightful)
No. They've been calling them "computer programs" and "applications". They became "apps" thanks to the mobile market.
That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.
Re: (Score:2)
Everything is an abbreviation to Computer geeks. Calling them apps has always been common.
The original MacApp [wikipedia.org] was a framework for building apps on the Mac. Web Applications have been WebApps since the 90's.
Re:Uh... (Score:5, Funny)
frogs and no mod points... (Score:2)
Too bad, I had five points yesterday, and now I know I *spoiled* them :-D
Re: (Score:3, Funny)
Maybe we should mix "computer program" and "app" to form a new word. I suggest we call these things Crap.
RISC OS widespread enough for you? (Score:2)
Re: (Score:2)
That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.
Okay, so if you are actually older than 14, just how long did you spend under that rock? 30 years or thereabouts? Geez.
Re: (Score:2)
Nonononono - it needs WAY more CamelCase and much more CloudAjax.
I propose they should be called:
TiledInterfaceCloudAjaxCamelCaseDesktopAppsPod
because it really gets to the substance of why these are truly beyond the 'tipping point' of being a disruptive game changer in the big data cloud revolution
Re: (Score:3)
Nonononono - it needs WAY more CamelCase and much more CloudAjax.
I propose they should be called:
TiledInterfaceCloudAjaxCamelCaseDesktopAppsPod
because it really gets to the substance of why these are truly beyond the 'tipping point' of being a disruptive game changer in the big data cloud revolution
Tsk tsk you didn't use the phrase "paradigm shift".
Re: (Score:2)
Re:Uh... (Score:5, Informative)
That's not what he (TFA guy) means by it. He means that rather than typing mybank.com into your URL bar or going to a browser bookmark, the bank has a dedicated program that isn't a browser that resides on your computer that connects to your bank and nowhere else. I might even bank online if they had something like this.
Re:Uh... (Score:5, Insightful)
Re:Uh... (Score:5, Insightful)
You forgot they'll only certify it for certain OS and if detected on the wrong one it'll refuse to work and pop up a "please upgrade" message.
And it'll demand you downgrade new platforms. So your vista laptop can't log into your bank.. pop up claims you need to "upgrade" to XP or more likely 98.
"This page best viewed 640x480x8... here, since I'm a poorly written app now with system access instead of being a poorly written webpage, let me reconfigure your video card to be BankOptimized(tm)(c)"
Re: (Score:2)
They had that years ago. Let me see... Oh, yes! It was called ActiveX.
I seem to remember it worked exactly in the fashion you describe.
Re: (Score:2)
Maybe we'd see the emergence of more cross platform tools. All I can think of now is RealBasic which can compile (nearly) the same code into Windows, Mac and Linux.
Re:Uh... (Score:4, Informative)
Re: (Score:2)
lazarus and gambas? and perl+tk at a lower level? (Score:2)
I've been playing with all three a little lately. There's a fair amount of cross-platform capability there, with fairly capable html browser classes available.
Not to mention, libre.
Re: (Score:2)
Re: (Score:2)
Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained...
It would be Javascript. That still doesn't make it right.
Re: (Score:2)
Yeah but with a dedicated application, any bugs that involved my personal details getting stolen are now at fault to the bank and who wrote the App. If its a bug in my browser they can just claim I didn't take care of my own machine and pretend it never happened.
Its because of this, that this will never happen.
Re: (Score:2)
Why? It would absolutely be less secure than the bank's own approach. You really think an individual can be trusted to keep things secure better than a large company? Just because the hackers are better than the banks doesn't mean that any user can do anything worth a damn to compare as far as security does.
Meanwhile, if you're worried about your bank security, then stick with cash.
Re:Uh... (Score:4, Informative)
Which is something that people could do for a very long time with stuff like firefox.
Hell, in the last years (don't recall when exactly) firefox even made it a "framework", prism or what it is called, so you can create stand alone applications out of websites. You can even set rules about where the browser can go!
Am I missing something?
Re: (Score:3)
Yes... firefox is really rooted into your system, registry read writes, lso's, appData, it doesn't need ANY of this to run, well maybe... appData, but I'd argue they should just use Sync (which is pretty cool btw). When I can sandbox a browser and have it run without breaking, the point of tfa will be achieved, but I've run firefox portable before, and performance leaves something to be desired, also I'm not sure how much of a footprint it leaves on your system.
Also the author of the article doesn't have a
iCab did this on macs 20 years ago... (Score:2)
and still does it btw, they managed to survive all this time ;-)
iCab, the most unknown browser in the whole universe -but they invented ad-filtering, 10 years before Mozilla was even born.
I think what's important indeed now is the behavior of tablet browsers.
I've seen an interesting discussion on SimpleBrowser, again a very minor one (on Blackberry Playbook, mind you!) that definitely turned around this thematics...
Re: (Score:2)
You explained it much better than the summary. So more like Netflix's app.
Actually, I'd be happy to give this a shot. The majority of web apps I've used are just horrible. My credit union just redid their online bill pay, and it's clunky as hell, all to make it look like an application and not a basic web form you fill in and submit, the latter having worked perfectly fine for the past seven years. So now it's (sort of) shiny, and takes four times as long to pay the bills.
Re: (Score:3)
Speaking of terrible websites Netflix is a great example. You have to mousehover to get a link to click on to see any useful information about a film.
When it was less shiny you could click on the film name for that. Today it tries to stream.
Re:Uh... (Score:5, Interesting)
So basically he's proposing that instead of using a carefully insulated browser, we install code on our computers provided by banks that will never be updated, and will be full of unpatched bugs. And this will make our machines more secure. Are we sure this guy is a white hat?
Re: (Score:2)
This is why security professionals have the rep that they do... and why all our base belong to the Chinese hackers. And yes I agree, his idea is regressive.
Re: (Score:2)
Situation: Oh, two Bank of America apps on my desktop. Hmmm. Which one is the legit app? Oh well, one way to find out! (How long until malware gets installed on computers imitating those apps?)
(More or less echoes the first thing that went through my head as soon as I read the summary.)
Re: (Score:2)
Why not have it be a shortcut (in Windows), or a list of command line options (in UNIX)? For example:
$browser --onlythisdomain mybank.com --lockstuffdown
The --onlythisdomain option would only allow anything in https://.mybank.com/* [mybank.com] to be viewed. The --lockstuffdown option would disable everything else, bookmarks, browser extensions, the URL bar, and anything else that a user might confuse or mess up. The window would have a special border around it, etc. Once this browser instance is closed, it purges a
Re: (Score:2)
So something more akin to a telnet session?
LOL
"vlm@nonofyourbusiness:~$ tn5250 legacy_as400.big-bank.com"
I'm sure they'll be places using c3270 too!
Re: (Score:3)
Except that telnet is unencrypted...
Re:Uh... (Score:5, Insightful)
woo hoo one app per website thats just what we need. This is why MS came with the tiles...
...but who watches the Watchmen? (Score:3)
Re: (Score:2)
They already exist, they are called Site-Specific Browsers.
SELinux Containers can do this (Score:4, Interesting)
Re: (Score:2)
What I'd like to see is a cooperation between the Web browser, desktop UI, and OS. This would allow sites to make "trusted links" which use functionality similar to containers, or even complete virtual machines to ensure that the data is site-only, and is encapsulated.
For example, some mechanism puts a shortcut on the user's desktop that points to the Web browser. This is handled by the desktop UI in making sure when the icon is clicked that the OS and Web browser get fed the correct options.
Then, when th
Chroot is your friend. (Score:2)
Or you could stick Firefox in a chroot and use HTTPS Everywhere. [eff.org] And y'know, NoScript and Adblock Plus and Ghostery -- but I presume you're using those already. SSL certs aren't necessarily handled by the browser anyway, but I think what you want there is the also-extant OCSP. [wikipedia.org] Or if you wanted to extend the chroot concept to your entire OS, you can have that too. [qubes-os.org]
Why do you need desktop links again? I'm having a failure of imagination as to how that might actually improve anything.
bee-tee-dub, you should kee
Re: (Score:2)
It's called a hosts file actually.
Re: (Score:2)
Idiot! You know what happens when you mention host f----%NO_CARRIER%
Re: (Score:2)
No URL bar (Score:3, Insightful)
So we would have no clue as to where we were taken?
Yeah, that must be good security
Re: (Score:2)
Safari does this now and I find it very frustrating.
Re: (Score:1)
Safari does what now?
Re: (Score:2)
Shows web pages without a URL field. My wife has a macbook and she frequently asks me for help, like "what is this web page for" or something but without ther URL field it is hard to know how she got there.
Re: (Score:1)
So then just reenable it? It takes all of 2 seconds to do.
Re: (Score:2)
So you're complaining because Safari has an option to remove the address bar?
NEWSFLASH! Apple hides urls... (Score:2)
An App For Every Website (Score:3, Insightful)
Re:An App For Every Website (Score:5, Insightful)
I think I'll just stick with "not being a fucking moron." Kept me pretty safe so far.
Re:An App For Every Website (Score:5, Funny)
Someone would come up with another app that let you search through your other apps. They could call it... a search engine, maybe?
Then we'd rename those apps as "web pages", as they're pages networked together in a giant web.
Then someone else would think of making a single, unified app viewer, which would let you browse through multiple apps in an interlinked fashion. Browser could be a good name for that.
Dude, that sounds so revolutionary. Nobody would've thought of that before.
Re: (Score:3)
Re: (Score:2)
So then I'd end up with about 100 "Apps" on my desktop
No, you woudn't need a different app for each site, only the ones that needed security, like your bank. This wouldn't affect going to slashdot or youtube or your local paper.
Re: (Score:2)
Re: (Score:3)
Not only that, it sounds like there would no longer be a general "browser".
Want a presence on the Internet? You gotta code your own app now, and have people download it to see your site.
Other than that, you have to use one of the corporate world's pre-approved places (like a page on a social-networking site).
The Internet is now a series of "channel" in effect at this point, just like cable TV, almost all controlled by companies. ...and I bet none of those web apps will spy on their users once installed on t
Nobody would ever hack that. (Score:5, Insightful)
Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.
Re: (Score:1)
I don't even think it would be any easier to secure that mess instead of a single browser.
Not to mention you would STILL need some kind of browser for general purpose.
infected desktop app (Score:1)
How would I know my desktop app is not infected? At least my browser may show an incorrect URL.
Re: (Score:2)
You currently dont know if the web page is sending any provided data to a third party or if it is using a zero day to install somethin on your OS
Re: (Score:2)
Re: (Score:2)
NO difference
There are already tools that do this (Score:2)
They are not widely used. Chrome and Firefox have tools to do this. Chrome's is hidden in the Tools menu and no one uses it. Firefox's is a separate application or an add-on. Again, it never caught on.
Also, now for every new website that launches I have to download software and run it on my computer? Yes, that definitely sounds safer.
What happens to cross-site links? Are you just going to block them to keep the user contained? This will make for a poor UX.
We could just go back to Web 1.0 (Score:3, Insightful)
Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.
Slashdot needs a handful of tags and good old CGI. That's all.
Tar Pits (Score:2)
When talking about the expansion of web technologies, it is important that CSS3 is Turing-complete. [github.com]
Which provokes the question of why we didn't just settle on a Turing-complete language or graphics library to begin with.
Ultimately, I don't think that web browsers are the security problem they're described as. Modern browsers have auto-update, rapid release schedules, and bug bounty programs. Most of them are also open-source to some degree. [wikipedia.org] Adobe software could not be expunged from this Earth too quickly, b
Sounds nice but... (Score:1)
This sounds great in theory, but I don't want to install my bank's software. Not only is it likely to create security holes (banks aren't famous for the software development skills), but I wouldn't trust them not to abuse the privilege and mine my personal data.
Re: (Score:2)
The largest security hole is likely to be the legendary ability for apps not to get updated on a timely basis. So they'll be a new buffer overflow in the cookie cutter app for my credit union and it'll take them 6 months of consultant contracting and testing and security approval and certification and SSL keysigning and roll out plans and maint windows to get it pushed. Meanwhile I'm getting owned for half a year. Oh well, I'm just a user, and they have procedures to follow. Meanwhile the "old fashioned
Decentralization has costs and benefits (Score:4, Insightful)
Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.
I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.
It's called NoScript. (Score:1)
Solved!
Safe and Secure? What Nebulous Terms (Score:2)
What is safe and secure? I don't think anyone will agree on the complete definition of this. The government will have its definition. The MPAA/RIAA will have their own definition. I as a hacker have my definition. I prefer the way the internet is, because I can make it as safe or as unsafe as I choose. I don't need anyone else to define those terms for me.
Brilliant! (Score:4, Insightful)
Re:Brilliant! (Score:4, Funny)
Yes.
But for Security! Instead of you know, what ever reason we used them before then got rid of them the first time around.
Re: (Score:2)
So you're right. His proposed solution, to replace a general-purpose browser UX with a bunch of dedicated clients, is what everyone else in the room recognizes as good old client/server. This is such a familiar design pattern that w
Comment removed (Score:5, Insightful)
We call these domains (Score:2)
Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on? You know, since that's what I want? I mean, we'd be blocking 90% of the tracking systems out there. But on the plus side, we'd be saving me 90% of the blocking that I'm currently doing anyway.
Alternatively, we can notice something quite obvious. It's fine the way it is. We're never going to have a world where everybody's safe from everything. I'm ok with being at risk of my computer breaking. That's j
Re: (Score:2)
Isn't that up to the web developer? If the bank is providing the HTML, they can ensure that none of their pages are linking to resources outside their domain/subdomains. It's not like Cross-site request forgeries or cross-site scripting attacks are originating from Bank of America's web site.
Sandboxing the web site to only point to your own domain is sort of like just making sure your code is good in the fi
Re: (Score:2)
Re: (Score:2)
Sure - I feel safe clicking the link. Slashdot shows the domain of the link as mrblog.com. The reverse lookup of the ip address at mrblog.com tells me it's Godaddy's parking servers (parkwebwin-v01.prod.mesa1.secureserver.net)
Re: (Score:2)
that's some mighty fine detective work for a domain that I made up. I won't ask what would have happened if I'd made up one hosted by someone you didn't know, instead of godaddy. I won't ask because I don't need to.
The page that you did load -- from godaddy -- had your browser download shit from http://ak3.imgaft.com/ [imgaft.com] and was tracked by as.casalemedia.com -- an advertising company -- hope you're happy. You loaded a random javascript file from casalemedia. I wonder what was in it? I wonder what I did.
That
Re: (Score:2)
First off, if you investigate reverse dns, run noscript, and disable cookies, then you've already taken precautions. Your point was that it should be up to the web developers -- but you're already defying them. Choose a side.
and you ip address, with the time of day, can be cross-corelated in enough ways to identify you. And since your newspaper site, your shopping site, and your work/school network may all use similarly third-party code, the moment you give up anything to anybody, everybody else knows it
Who is this guy shrilling for? (Score:2)
Or does he just want publicity?
This is an extreme solution to something that is not really a current a problem and it has issues of its own.
The two main consequences of Desktop apps to me is you have to get them installed keep and keep them updated everywhere (and according to him you can't trust a browser download) and these apps will be OS specific.
Someone would make a lot of money somewhere getting this enforced and it would require creating an appstore/repo for every platform where you could get these f
Maybe not so stupid of an idea? (Score:2)
I've been LOL about this idea, but Maybe, just Maybe... what if they had a thundering herd of VNC servers in da cloud and the "website" is just a VNC client?
No need for legacy HTML shit simulating a client server app in the most complicated byzantine and slow means possible... Have a couple traditional client server apps for different resolutions, like my full size high res desktop and another VNC server for my tiny little phone. Each VNC server is a cloud image, created when I connect and vaporized when
The net is unsafe (Score:2)
Completely misses the point. (Score:4, Interesting)
The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.
Drive bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drivebys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not that case.
Re: (Score:2)
To be fair to those "professionals", user initiated actions are the problem they see the most. I used quotes because knowing one thing does not prevent extension of that knowledge by other things.
I don't know about you... (Score:2)
...but my mobile phone browser has a URL bar. I use it, too.
Slavery is freedom (Score:2)
So this is yet another stooge calling for destruction of multi-purpose user-empowering system that is modern desktop in favor of single-purpose user-disempowering single application per single task model?
The unsaid main advantage is of course that stranglehold on the user granted by this model makes user a much better product to monetize.
Wierd idea (Score:2)
So this guy proposes to improve security by replacing web sites with executable applications on the user's machine? What's wrong with this picture?
The author argues that disallowing clicks on transparent objects would break too much. It would break some minor functions on a few pages at Google and Facebook, and Yahoo if anybody still cares. They can fix that; it's bad coding, not something that they needed to do. It would break thousands of annoying popups. Win. If the pixel clicked isn't at least 25%
The web won't be safe or secure (Score:2)
what he REALLY means (Score:2)
Qubes? (Score:2)
Yeah. Sounds F***ing Awful (Score:4, Interesting)
I want the wild wild web, where the deer and the antelope roam, and the skies are (not cloudy) all day, not some locked-down police-state prison-cell silo-world of commercial money-sucking, mind-***king apps.
Re: (Score:2)
Ha, I do all my deposits and withdrawals from the ATM just inside the front door of my bank, mostly during banking hours. No, dealing with people is not worth the extra effort.