Web browsers face crisis of security confidence
Good enough for Donald Rumsfeld. But not for you
The crisis of confidence begs the question: Just how did things get this bad, anyway?
'You go to war with the army you have'
In late 2004, then US Secretary of Defense Donald Rumsfeld faced growing criticism for his decision to send US soldiers into combat with Humvees that were ill-equipped to withstand blasts from roadside bombs. When confronted by a soldier in Kuwait who complained that a shortage of armor forced him and his comrades to root through junkyards for scraps, Rumsfeld replied:
"You go to war with the Army you have, not the Army you might want or wish to have."
His point - that in the real world, professionals often have to make do with an imperfect situation created by forces out of everyone's control - couldn't be more applicable to the hard-working men and women at the helm of today's internet.
The Arpanet's underpinnings may have been built to withstand a nuclear blast, but they were never designed to competently perform even basic tasks such as authenticating an email sender as a particular person. The arcane RFCs that it soon spawned relied on the most primitive of methods to deliver text and graphics that left users fairly uninspired once they got over the novelty that the net's reach was virtually ubiquitous and instantaneous. Add to that a domain name system that enables an array of attacks and it's obvious the internet was never designed with security in mind.
It was in this highly flawed world that Netscape Communications, eBay and the rest of the net pioneers found themselves racing to build billion-dollar businesses that required complex webs of trust. Suddenly, technologies that had no grounding in security were being used to handle all kinds of sensitive information. Cookies were being used to authenticate users on banking websites, flimsy Ajax scripts held the keys to executive's calendar entries and email messages and an overabundance of buggy ActiveX programs was relied on to fill the considerable gaps left by websites that did little more than deliver static text and pictures.
The situation grew especially dire starting in the late 1990s, as Microsoft, in a series of steps later adjudged to be illegal, snuffed the life out of Netscape's Navigator browser. A lack of genetic diversity and Microsoft's then deep-seated inattention to security resulted in the years to follow being a particularly dark period for web security. Parasites like Nimda, Slammer, Code Red and Blaster wreaked havoc on businesses big and small and firmly cemented the net's reputation as a Darwinian place where the weak get preyed upon.
"We're asking a lot of a piece of software to take code anywhere on the internet and execute it on a user's machine and not interfere with the machine," says Mozilla's security chief Window Snyder. "People want to browse the web. They want to have these rich Web 2.0 experiences. It's a lot safer now than it used to be."
The safest browser?
Mozilla is fond of calling Firefox "the safest web browser." Given Microsoft's checkered past, and the speed with which Mozilla patches reported security flaws, that's probably true. But it's worth noting that for all Mozilla's preening the open-source organization has yet to release a browser that runs in so-called protected mode. The idea is to isolate the browser from the rest of the operating system to minimize errors that could otherwise allow attackers to hijack the machine running the program. Because exploits such as buffer overflows are relegated to a virtual sandbox, they remain dormant because they never get the opportunity to make changes to the OS at large.
Firefox's New malware protection
Internet Explorer 8 running on the Windows Vista operating system, by contrast, does offer this rather sensible piece of protection. Snyder said Mozilla considered adding the feature to the recent release but ultimately decided against it.
"It's a pretty significant change," she said. "It just didn't fit into Firefox 3." She said Mozilla may fold the feature into an upcoming version.
Read on to learn about the scourge of the ActiveX shrew
Sponsored: Global DDoS threat landscape report