Feeds

Web browsers face crisis of security confidence

Good enough for Donald Rumsfeld. But not for you

SANS - Survey on application security programs

The crisis of confidence begs the question: Just how did things get this bad, anyway?

'You go to war with the army you have'

In late 2004, then US Secretary of Defense Donald Rumsfeld faced growing criticism for his decision to send US soldiers into combat with Humvees that were ill-equipped to withstand blasts from roadside bombs. When confronted by a soldier in Kuwait who complained that a shortage of armor forced him and his comrades to root through junkyards for scraps, Rumsfeld replied:

"You go to war with the Army you have, not the Army you might want or wish to have."

His point - that in the real world, professionals often have to make do with an imperfect situation created by forces out of everyone's control - couldn't be more applicable to the hard-working men and women at the helm of today's internet.

The Arpanet's underpinnings may have been built to withstand a nuclear blast, but they were never designed to competently perform even basic tasks such as authenticating an email sender as a particular person. The arcane RFCs that it soon spawned relied on the most primitive of methods to deliver text and graphics that left users fairly uninspired once they got over the novelty that the net's reach was virtually ubiquitous and instantaneous. Add to that a domain name system that enables an array of attacks and it's obvious the internet was never designed with security in mind.

It was in this highly flawed world that Netscape Communications, eBay and the rest of the net pioneers found themselves racing to build billion-dollar businesses that required complex webs of trust. Suddenly, technologies that had no grounding in security were being used to handle all kinds of sensitive information. Cookies were being used to authenticate users on banking websites, flimsy Ajax scripts held the keys to executive's calendar entries and email messages and an overabundance of buggy ActiveX programs was relied on to fill the considerable gaps left by websites that did little more than deliver static text and pictures.

The situation grew especially dire starting in the late 1990s, as Microsoft, in a series of steps later adjudged to be illegal, snuffed the life out of Netscape's Navigator browser. A lack of genetic diversity and Microsoft's then deep-seated inattention to security resulted in the years to follow being a particularly dark period for web security. Parasites like Nimda, Slammer, Code Red and Blaster wreaked havoc on businesses big and small and firmly cemented the net's reputation as a Darwinian place where the weak get preyed upon.

Things have thankfully improved since then. The rise of Firefox and Opera gave users a viable alternative to the IE hegemony, making it significantly harder for criminals to write a single piece of code that will work across wide swaths of the internet's user base. More importantly, the new browsers made it easy to control some of the net's more reckless technologies by steering clear of ActiveX, and fostering third-party extensions such as NoScript, which allows users to choose which sites get to run Java, JavaScript, Flash and iframes.

"We're asking a lot of a piece of software to take code anywhere on the internet and execute it on a user's machine and not interfere with the machine," says Mozilla's security chief Window Snyder. "People want to browse the web. They want to have these rich Web 2.0 experiences. It's a lot safer now than it used to be."

The safest browser?

Mozilla is fond of calling Firefox "the safest web browser." Given Microsoft's checkered past, and the speed with which Mozilla patches reported security flaws, that's probably true. But it's worth noting that for all Mozilla's preening the open-source organization has yet to release a browser that runs in so-called protected mode. The idea is to isolate the browser from the rest of the operating system to minimize errors that could otherwise allow attackers to hijack the machine running the program. Because exploits such as buffer overflows are relegated to a virtual sandbox, they remain dormant because they never get the opportunity to make changes to the OS at large.

Screenshot of Firefox browser displaying malware protection warning

Firefox's New malware protection

Internet Explorer 8 running on the Windows Vista operating system, by contrast, does offer this rather sensible piece of protection. Snyder said Mozilla considered adding the feature to the recent release but ultimately decided against it.

"It's a pretty significant change," she said. "It just didn't fit into Firefox 3." She said Mozilla may fold the feature into an upcoming version.

Read on to learn about the scourge of the ActiveX shrew

High performance access to file storage

Next page: Cookie mishmash

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.