Feeds

Firefox developers tinker with new security protections (finally)

Protecting users from net's weaker security links

Beginner's guide to SSL certificates

Developers of the Firefox browser are designing new technologies aimed at protecting users from some of the nastiest and most prevalent forms of website attacks.

One protection is designed to minimize end users' risk to cross-site scripting (XSS) attacks and cross-site request forgeries (CSRFs), both of which subvert basic internet security by exploiting the often misplaced web of trust that exists between two or more different sites. The protection would allow developers of one site to explicitly define which domains are allowed to initiate or answer cross-site requests for code, cookies and other site resources.

"These policies will describe which scripts in a page should be treated as valid and how web content should be permitted to initiate cross-site requests," Brandon Sterne, a member of Mozilla's security group, wrote in an email. Sterne recently described his work to security professions at Yahoo.

The idea is to enable websites to define security policies that the browser enforces. That will protect users from vulnerable sites and prevent sites from receiving forged requests. Site developers could indicate an explicit set of domains that should be treated as valid sources of javascript, so that code embedded in sites that aren't specifically white-listed would not be executed.

The other protection would erect a wall in front of private resources on a company's intranet to prevent them from being accessed by web content from public sites. Private resources would still be permitted to make requests to public resources.

It is designed to guard against so-called DNS rebinding attacks like the one researcher Dan Kaminsky demonstrated last month, which used plain-vanilla internet specifications to take control of routers and other devices barricaded behind firewalls. Rather than creating a Trojan or other piece of specialized malware to access servers or other devices behind a firewall, such attacks use the nearly unlimited access of web traffic to do much the same thing.

The project is still in its infancy, but it is nonetheless an important step forward. When you consider the unending series of successful attacks that exploit the domain name system and rest of the net's weaker links in the security chain, it's easy to grumble that Mozilla, Microsoft and the rest of the browser developers don't do enough to insulate their users from the inherent risks of browsing the web.

"From a security professional's point of view, it's big," said Jeremiah Grossman, CTO of web application security firm WhiteHat Security. "There are a lot of big website operators that would like to have a browser with this feature to recommend to their users."

For now, some of these protections are being implemented as a Firefox extension that will serve as a proof of concept. Sterne says implementation details are "still very much in flux", and he can't say "if and when thee features will be available in Firefox".

But if all goes well, they could blossom into open specifications that website developers could use to enforce policies across any participating browser. Not that we're holding our breath, but that doesn't mean we aren't hopeful. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.