Feeds

Firefox developers tinker with new security protections (finally)

Protecting users from net's weaker security links

Protecting against web application threats using SSL

Developers of the Firefox browser are designing new technologies aimed at protecting users from some of the nastiest and most prevalent forms of website attacks.

One protection is designed to minimize end users' risk to cross-site scripting (XSS) attacks and cross-site request forgeries (CSRFs), both of which subvert basic internet security by exploiting the often misplaced web of trust that exists between two or more different sites. The protection would allow developers of one site to explicitly define which domains are allowed to initiate or answer cross-site requests for code, cookies and other site resources.

"These policies will describe which scripts in a page should be treated as valid and how web content should be permitted to initiate cross-site requests," Brandon Sterne, a member of Mozilla's security group, wrote in an email. Sterne recently described his work to security professions at Yahoo.

The idea is to enable websites to define security policies that the browser enforces. That will protect users from vulnerable sites and prevent sites from receiving forged requests. Site developers could indicate an explicit set of domains that should be treated as valid sources of javascript, so that code embedded in sites that aren't specifically white-listed would not be executed.

The other protection would erect a wall in front of private resources on a company's intranet to prevent them from being accessed by web content from public sites. Private resources would still be permitted to make requests to public resources.

It is designed to guard against so-called DNS rebinding attacks like the one researcher Dan Kaminsky demonstrated last month, which used plain-vanilla internet specifications to take control of routers and other devices barricaded behind firewalls. Rather than creating a Trojan or other piece of specialized malware to access servers or other devices behind a firewall, such attacks use the nearly unlimited access of web traffic to do much the same thing.

The project is still in its infancy, but it is nonetheless an important step forward. When you consider the unending series of successful attacks that exploit the domain name system and rest of the net's weaker links in the security chain, it's easy to grumble that Mozilla, Microsoft and the rest of the browser developers don't do enough to insulate their users from the inherent risks of browsing the web.

"From a security professional's point of view, it's big," said Jeremiah Grossman, CTO of web application security firm WhiteHat Security. "There are a lot of big website operators that would like to have a browser with this feature to recommend to their users."

For now, some of these protections are being implemented as a Firefox extension that will serve as a proof of concept. Sterne says implementation details are "still very much in flux", and he can't say "if and when thee features will be available in Firefox".

But if all goes well, they could blossom into open specifications that website developers could use to enforce policies across any participating browser. Not that we're holding our breath, but that doesn't mean we aren't hopeful. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.