Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Internet IT

The Web Won't Be Safe Or Secure Until We Break It 180

CowboyRobot writes "Jeremiah Grossman of Whitehat Security has an article at the ACM in which he outlines the current state of browser security, specifically drive-by downloads. 'These attacks are primarily written with HTML, CSS, and JavaScript, so they are not identifiable as malware by antivirus software in the classic sense. They take advantage of the flawed way in which the Internet was designed to work.' Grossman's proposed solution is to make the desktop browser more like its mobile cousins. 'By adopting a similar application model on the desktop using custom-configured Web browsers (let's call them DesktopApps), we could address the Internet's inherent security flaws. These DesktopApps could be branded appropriately and designed to launch automatically to Bank of America's or Facebook's Web site, for example, and go no further. Like their mobile application cousins, these DesktopApps would not present an URL bar or anything else making them look like the Web browsers they are on the surface, and of course they would be isolated from one another.'"
This discussion has been archived. No new comments can be posted.

The Web Won't Be Safe Or Secure Until We Break It

Comments Filter:
  • Broke it (Score:5, Funny)

    by k28 ( 2593665 ) on Wednesday November 07, 2012 @03:59PM (#41911751)
    Broke it. Does that mean it's safe now? http://www.google.com/404 [google.com]
  • Uh... (Score:5, Informative)

    by Antipater ( 2053064 ) on Wednesday November 07, 2012 @04:02PM (#41911783)

    (let's call them DesktopApps)

    Let's not.

    • Re:Uh... (Score:5, Informative)

      by SJHillman ( 1966756 ) on Wednesday November 07, 2012 @04:03PM (#41911793)

      So they're... apps. People have been calling them apps long before the mobile market started calling them apps.

      • Re:Uh... (Score:4, Insightful)

        by Anonymous Coward on Wednesday November 07, 2012 @04:28PM (#41912065)

        No. They've been calling them "computer programs" and "applications". They became "apps" thanks to the mobile market.

        That's not to say *no one ever* called them "apps" before, but the widespread usage of the term is entirely due to the mobile market.

    • I call them "bookmarks." I've been using them for years.
      • Re:Uh... (Score:5, Informative)

        by mcgrew ( 92797 ) * on Wednesday November 07, 2012 @04:23PM (#41912007) Homepage Journal

        That's not what he (TFA guy) means by it. He means that rather than typing mybank.com into your URL bar or going to a browser bookmark, the bank has a dedicated program that isn't a browser that resides on your computer that connects to your bank and nowhere else. I might even bank online if they had something like this.

        • Re:Uh... (Score:5, Insightful)

          by jandrese ( 485 ) <kensama@vt.edu> on Wednesday November 07, 2012 @04:26PM (#41912029) Homepage Journal
          Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained. I don't see how this is a win over a website.
          • Re:Uh... (Score:5, Insightful)

            by vlm ( 69642 ) on Wednesday November 07, 2012 @04:39PM (#41912171)

            You forgot they'll only certify it for certain OS and if detected on the wrong one it'll refuse to work and pop up a "please upgrade" message.

            And it'll demand you downgrade new platforms. So your vista laptop can't log into your bank.. pop up claims you need to "upgrade" to XP or more likely 98.

            "This page best viewed 640x480x8... here, since I'm a poorly written app now with system access instead of being a poorly written webpage, let me reconfigure your video card to be BankOptimized(tm)(c)"

            • They had that years ago. Let me see... Oh, yes! It was called ActiveX.

              I seem to remember it worked exactly in the fashion you describe.

          • Maybe we'd see the emergence of more cross platform tools. All I can think of now is RealBasic which can compile (nearly) the same code into Windows, Mac and Linux.

          • by ZeroPly ( 881915 )
            Why does it have to be just Windows? Write it in a cross platform language like Java. The benefit then is that any modern browser can run the app.
          • Given the quality of your average bank website, I seriously doubt the quality of any application they would write. Plus it would be Windows only of course and barely maintained...

            It would be Javascript. That still doesn't make it right.

          • Yeah but with a dedicated application, any bugs that involved my personal details getting stolen are now at fault to the bank and who wrote the App. If its a bug in my browser they can just claim I didn't take care of my own machine and pretend it never happened.

            Its because of this, that this will never happen.

        • Why? It would absolutely be less secure than the bank's own approach. You really think an individual can be trusted to keep things secure better than a large company? Just because the hackers are better than the banks doesn't mean that any user can do anything worth a damn to compare as far as security does.

          Meanwhile, if you're worried about your bank security, then stick with cash.

        • Re:Uh... (Score:4, Informative)

          by justforgetme ( 1814588 ) on Wednesday November 07, 2012 @04:38PM (#41912159) Homepage

          Which is something that people could do for a very long time with stuff like firefox.
          Hell, in the last years (don't recall when exactly) firefox even made it a "framework", prism or what it is called, so you can create stand alone applications out of websites. You can even set rules about where the browser can go!

          Am I missing something?

          • Yes... firefox is really rooted into your system, registry read writes, lso's, appData, it doesn't need ANY of this to run, well maybe... appData, but I'd argue they should just use Sync (which is pretty cool btw). When I can sandbox a browser and have it run without breaking, the point of tfa will be achieved, but I've run firefox portable before, and performance leaves something to be desired, also I'm not sure how much of a footprint it leaves on your system.

            Also the author of the article doesn't have a

          • and still does it btw, they managed to survive all this time ;-)
            iCab, the most unknown browser in the whole universe -but they invented ad-filtering, 10 years before Mozilla was even born.

            I think what's important indeed now is the behavior of tablet browsers.
            I've seen an interesting discussion on SimpleBrowser, again a very minor one (on Blackberry Playbook, mind you!) that definitely turned around this thematics...

        • You explained it much better than the summary. So more like Netflix's app.

          Actually, I'd be happy to give this a shot. The majority of web apps I've used are just horrible. My credit union just redid their online bill pay, and it's clunky as hell, all to make it look like an application and not a basic web form you fill in and submit, the latter having worked perfectly fine for the past seven years. So now it's (sort of) shiny, and takes four times as long to pay the bills.

          • by h4rr4r ( 612664 )

            Speaking of terrible websites Netflix is a great example. You have to mousehover to get a link to click on to see any useful information about a film.

            When it was less shiny you could click on the film name for that. Today it tries to stream.

        • Re:Uh... (Score:5, Interesting)

          by mellon ( 7048 ) on Wednesday November 07, 2012 @04:49PM (#41912273) Homepage

          So basically he's proposing that instead of using a carefully insulated browser, we install code on our computers provided by banks that will never be updated, and will be full of unpatched bugs. And this will make our machines more secure. Are we sure this guy is a white hat?

          • This is why security professionals have the rep that they do... and why all our base belong to the Chinese hackers. And yes I agree, his idea is regressive.

        • by mlts ( 1038732 ) *

          Why not have it be a shortcut (in Windows), or a list of command line options (in UNIX)? For example:

          $browser --onlythisdomain mybank.com --lockstuffdown

          The --onlythisdomain option would only allow anything in https://.mybank.com/* [mybank.com] to be viewed. The --lockstuffdown option would disable everything else, bookmarks, browser extensions, the URL bar, and anything else that a user might confuse or mess up. The window would have a special border around it, etc. Once this browser instance is closed, it purges a

    • Re:Uh... (Score:5, Insightful)

      by zlives ( 2009072 ) on Wednesday November 07, 2012 @04:16PM (#41911917)

      woo hoo one app per website thats just what we need. This is why MS came with the tiles...

      • My thoughts exactly. So - my google search app wouldn't point me to web pages - instead it would point me to apps I could download and install for each different web page. So now I'm installing thousands of web apps? THAT sounds like a security nightmare! Who is going to watch over the security of the apps? Google? They are already having problems with the Android apps.
    • by Bogtha ( 906264 )

      They already exist, they are called Site-Specific Browsers.

      • by dutchwhizzman ( 817898 ) on Wednesday November 07, 2012 @05:00PM (#41912417)
        Dan Walsh, one of the principal developers of SELinux has blogged about a way to do this on your linux desktop box. You can start a "virgin" browser in it's own Xserver with optional presets you copy in the loopmounted container. Every time you run it, it starts the same fresh image built on the fly when you run the command. This makes it easy to have separate browsers for each task you want isolated from the rest of your web experience or your desktop computer. Even if it gets infected, it will not remain on your computer and the infection is gone as soon as you close the browser. He's not the only one that has written about it, there are many more people giving useful examples on the web.
        • by mlts ( 1038732 ) *

          What I'd like to see is a cooperation between the Web browser, desktop UI, and OS. This would allow sites to make "trusted links" which use functionality similar to containers, or even complete virtual machines to ensure that the data is site-only, and is encapsulated.

          For example, some mechanism puts a shortcut on the user's desktop that points to the Web browser. This is handled by the desktop UI in making sure when the icon is clicked that the OS and Web browser get fed the correct options.

          Then, when th

          • Or you could stick Firefox in a chroot and use HTTPS Everywhere. [eff.org] And y'know, NoScript and Adblock Plus and Ghostery -- but I presume you're using those already. SSL certs aren't necessarily handled by the browser anyway, but I think what you want there is the also-extant OCSP. [wikipedia.org] Or if you wanted to extend the chroot concept to your entire OS, you can have that too. [qubes-os.org]

            Why do you need desktop links again? I'm having a failure of imagination as to how that might actually improve anything.

            bee-tee-dub, you should kee

      • It's called a hosts file actually.

    • by cvtan ( 752695 )
      Lets call it a BBS.
  • No URL bar (Score:3, Insightful)

    by Anonymous Coward on Wednesday November 07, 2012 @04:02PM (#41911785)

    So we would have no clue as to where we were taken?
    Yeah, that must be good security

  • by Shinmera ( 2514940 ) on Wednesday November 07, 2012 @04:05PM (#41911803) Homepage
    So then I'd end up with about 100 "Apps" on my desktop, which all might or might not behave a bit differently, and every time I want to switch to another site, I have to switch the app? How would I follow links outside of the app? Would there still be a way to find websites/desktopapps? If so, what makes sure that those aren't malware?
    • by Anonymous Coward on Wednesday November 07, 2012 @04:31PM (#41912097)

      I think I'll just stick with "not being a fucking moron." Kept me pretty safe so far.

    • by Nemyst ( 1383049 ) on Wednesday November 07, 2012 @04:34PM (#41912129) Homepage

      Someone would come up with another app that let you search through your other apps. They could call it... a search engine, maybe?

      Then we'd rename those apps as "web pages", as they're pages networked together in a giant web.

      Then someone else would think of making a single, unified app viewer, which would let you browse through multiple apps in an interlinked fashion. Browser could be a good name for that.

      Dude, that sounds so revolutionary. Nobody would've thought of that before.

      • I can't wait until somebody posts a Computer World DesktopApp on Slashdot, which turns out to be 17 DesktopApps.
    • by mcgrew ( 92797 ) *

      So then I'd end up with about 100 "Apps" on my desktop

      No, you woudn't need a different app for each site, only the ones that needed security, like your bank. This wouldn't affect going to slashdot or youtube or your local paper.

    • I read 100 "Amps" on my desktop.' I was thinking of 100 Amps on my desktop computer after all of those apps were opened.
    • by SeaFox ( 739806 )

      Not only that, it sounds like there would no longer be a general "browser".
      Want a presence on the Internet? You gotta code your own app now, and have people download it to see your site.
      Other than that, you have to use one of the corporate world's pre-approved places (like a page on a social-networking site).

      The Internet is now a series of "channel" in effect at this point, just like cable TV, almost all controlled by companies. ...and I bet none of those web apps will spy on their users once installed on t

  • by kwerle ( 39371 ) <kurt@CircleW.org> on Wednesday November 07, 2012 @04:07PM (#41911829) Homepage Journal

    Yeah. Because nobody would ever hack/write a virus for the BofA DesktopApp that would collect login credentials, etc.

    • by foma84 ( 2079302 )
      Me thoughts exactly!
      I don't even think it would be any easier to secure that mess instead of a single browser.
      Not to mention you would STILL need some kind of browser for general purpose.
  • by Anonymous Coward

    How would I know my desktop app is not infected? At least my browser may show an incorrect URL.

  • They are not widely used. Chrome and Firefox have tools to do this. Chrome's is hidden in the Tools menu and no one uses it. Firefox's is a separate application or an add-on. Again, it never caught on.

    Also, now for every new website that launches I have to download software and run it on my computer? Yes, that definitely sounds safer.

    What happens to cross-site links? Are you just going to block them to keep the user contained? This will make for a poor UX.

  • by istartedi ( 132515 ) on Wednesday November 07, 2012 @04:16PM (#41911919) Journal

    Most of what we want on the web is text and static images. Tables are nice. Maybe you need a handful of tags. Let the browser handle layout. That would be much easier to secure than the dynamic fustercluck we have now. There are probably more APIs than there were tags in 1999. There are probably hundreds of functions in your browser that expose security flaws. We could dump all of them and they wouldn't be missed.

    Slashdot needs a handful of tags and good old CGI. That's all.

    • When talking about the expansion of web technologies, it is important that CSS3 is Turing-complete. [github.com]

      Which provokes the question of why we didn't just settle on a Turing-complete language or graphics library to begin with.

      Ultimately, I don't think that web browsers are the security problem they're described as. Modern browsers have auto-update, rapid release schedules, and bug bounty programs. Most of them are also open-source to some degree. [wikipedia.org] Adobe software could not be expunged from this Earth too quickly, b

  • by Anonymous Coward

    This sounds great in theory, but I don't want to install my bank's software. Not only is it likely to create security holes (banks aren't famous for the software development skills), but I wouldn't trust them not to abuse the privilege and mine my personal data.

    • by vlm ( 69642 )

      The largest security hole is likely to be the legendary ability for apps not to get updated on a timely basis. So they'll be a new buffer overflow in the cookie cutter app for my credit union and it'll take them 6 months of consultant contracting and testing and security approval and certification and SSL keysigning and roll out plans and maint windows to get it pushed. Meanwhile I'm getting owned for half a year. Oh well, I'm just a user, and they have procedures to follow. Meanwhile the "old fashioned

  • by Loopy ( 41728 ) on Wednesday November 07, 2012 @04:16PM (#41911927) Journal

    Frankly, I'll take the current internet with all its warts and diseases over some centralized, walled-garden approach that will STILL suffer from the same things, just in a different mechanic. The bottom line is how you decide what to trust in any system.

    I'd submit that the problem isn't that the internet is the Wild Wild West, it's that it is the Wild Wild West without any sheriffs or cowboys. No, I'm not talking about regulation of the internet; I'm talking about people who break laws (fraud, theft, etc.) being found and prosecuted regardless of what tool (postal system, telephones or internet) they used to do it.

  • by Anonymous Coward

    Solved!

  • What is safe and secure? I don't think anyone will agree on the complete definition of this. The government will have its definition. The MPAA/RIAA will have their own definition. I as a hacker have my definition. I prefer the way the internet is, because I can make it as safe or as unsafe as I choose. I don't need anyone else to define those terms for me.

  • Brilliant! (Score:4, Insightful)

    by SavSoul ( 669561 ) <savagesoul@gmail ... minus herbivore> on Wednesday November 07, 2012 @04:24PM (#41912017) Homepage Journal
    Did he just re-invent client-server desktop apps?
    • by jmauro ( 32523 ) on Wednesday November 07, 2012 @04:27PM (#41912047)

      Yes.

      But for Security! Instead of you know, what ever reason we used them before then got rid of them the first time around.

    • Um, yes. Grossman seems to insist on conflating the entire Internet with web browsers. A browser exploit is therefore prima facie proof that the Internet is defective by design. It's not surprising that he also conflates browser vulnerabilities with system vulnerabilities.

      So you're right. His proposed solution, to replace a general-purpose browser UX with a bunch of dedicated clients, is what everyone else in the room recognizes as good old client/server. This is such a familiar design pattern that w
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday November 07, 2012 @04:26PM (#41912035)
    Comment removed based on user account deletion
  • Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on? You know, since that's what I want? I mean, we'd be blocking 90% of the tracking systems out there. But on the plus side, we'd be saving me 90% of the blocking that I'm currently doing anyway.

    Alternatively, we can notice something quite obvious. It's fine the way it is. We're never going to have a world where everybody's safe from everything. I'm ok with being at risk of my computer breaking. That's j

    • Wouldn't it just be easier to have your browser only access URLs matching the domain that you're on?

      Isn't that up to the web developer? If the bank is providing the HTML, they can ensure that none of their pages are linking to resources outside their domain/subdomains. It's not like Cross-site request forgeries or cross-site scripting attacks are originating from Bank of America's web site.

      Sandboxing the web site to only point to your own domain is sort of like just making sure your code is good in the fi

      • sure they do. google-hosted javascript libraries, off-site analytics, affiliate links, news feeds. we're also not talking about banks, which have real legal consequences. we're talking about companies who really couldn't care less -- like slashdot. if I post a link here, and make it look like a link to my blog as an example of what I'm saying, but it actually links to a piece of malware, slashdot probably couldn't care less. So, will you click this link [mrblog.com]?
        • Sure - I feel safe clicking the link. Slashdot shows the domain of the link as mrblog.com. The reverse lookup of the ip address at mrblog.com tells me it's Godaddy's parking servers (parkwebwin-v01.prod.mesa1.secureserver.net)

          • that's some mighty fine detective work for a domain that I made up. I won't ask what would have happened if I'd made up one hosted by someone you didn't know, instead of godaddy. I won't ask because I don't need to.

            The page that you did load -- from godaddy -- had your browser download shit from http://ak3.imgaft.com/ [imgaft.com] and was tracked by as.casalemedia.com -- an advertising company -- hope you're happy. You loaded a random javascript file from casalemedia. I wonder what was in it? I wonder what I did.

            That

  • Or does he just want publicity?
    This is an extreme solution to something that is not really a current a problem and it has issues of its own.

    The two main consequences of Desktop apps to me is you have to get them installed keep and keep them updated everywhere (and according to him you can't trust a browser download) and these apps will be OS specific.

    Someone would make a lot of money somewhere getting this enforced and it would require creating an appstore/repo for every platform where you could get these f

  • I've been LOL about this idea, but Maybe, just Maybe... what if they had a thundering herd of VNC servers in da cloud and the "website" is just a VNC client?

    No need for legacy HTML shit simulating a client server app in the most complicated byzantine and slow means possible... Have a couple traditional client server apps for different resolutions, like my full size high res desktop and another VNC server for my tiny little phone. Each VNC server is a cloud image, created when I connect and vaporized when

  • The net is unsafe because it's full of idiots. That's why the rest of us needs to become complete morons, too. And use "apps" with just one button. Because two buttons are not stupid enough! Two buttons are smarter than one! So one button is not so smart!! Great plan! So logical. I am with you. Now, where's that #*'&%! button, again?
  • by Vellmont ( 569020 ) on Wednesday November 07, 2012 @05:13PM (#41912555) Homepage

    The idea is just completely tangential to what the problem is. The problem isn't that "If we just had a secure little app that could ONLY go to my Bank, everything would be OK". The problem is that the internet is a series of interconnected sites, many of which you discover without even realizing what the site is, compounded by the fact that browsers aren't secure. We all know once the machine is infected from visiting a compromised site, all bets are off.

    Drive bys happen because the browser isn't secure, not because people are supposed to have some inherent understanding of what sites are "good" and what sites are "bad". I've worked security in multiple different capacities, and even I can't tell you if a site is going to be "safe" or not. That's because a lot of drivebys are from the 3rd party adware server getting infected. Despite what some totally uninformed IT professionals will tell you, you can't protect yourself by just "knowing where not to click" or "knowing not to click on the fake anti-virus thing". Sadly, I know IT professionals that absolutely SWEAR that this is how people get malware, despite me repeatedly providing them examples of how that's just not that case.

    • To be fair to those "professionals", user initiated actions are the problem they see the most. I used quotes because knowing one thing does not prevent extension of that knowledge by other things.

  • ...but my mobile phone browser has a URL bar. I use it, too.

  • So this is yet another stooge calling for destruction of multi-purpose user-empowering system that is modern desktop in favor of single-purpose user-disempowering single application per single task model?

    The unsaid main advantage is of course that stranglehold on the user granted by this model makes user a much better product to monetize.

  • So this guy proposes to improve security by replacing web sites with executable applications on the user's machine? What's wrong with this picture?

    The author argues that disallowing clicks on transparent objects would break too much. It would break some minor functions on a few pages at Google and Facebook, and Yahoo if anybody still cares. They can fix that; it's bad coding, not something that they needed to do. It would break thousands of annoying popups. Win. If the pixel clicked isn't at least 25%

  • There, I fixed that for you.
  • Web developers need a way to set custom security policies for there website and sandbox it. If the policies are not enforced(properly) then the website should not load.
  • Why not use something like Qubes [blogspot.de]: run each browser session inside its own throw-away, cleanly insulated VM?

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...