Feeds

Web browsers face crisis of security confidence

Good enough for Donald Rumsfeld. But not for you

Protecting against web application threats using SSL

The crisis of confidence begs the question: Just how did things get this bad, anyway?

'You go to war with the army you have'

In late 2004, then US Secretary of Defense Donald Rumsfeld faced growing criticism for his decision to send US soldiers into combat with Humvees that were ill-equipped to withstand blasts from roadside bombs. When confronted by a soldier in Kuwait who complained that a shortage of armor forced him and his comrades to root through junkyards for scraps, Rumsfeld replied:

"You go to war with the Army you have, not the Army you might want or wish to have."

His point - that in the real world, professionals often have to make do with an imperfect situation created by forces out of everyone's control - couldn't be more applicable to the hard-working men and women at the helm of today's internet.

The Arpanet's underpinnings may have been built to withstand a nuclear blast, but they were never designed to competently perform even basic tasks such as authenticating an email sender as a particular person. The arcane RFCs that it soon spawned relied on the most primitive of methods to deliver text and graphics that left users fairly uninspired once they got over the novelty that the net's reach was virtually ubiquitous and instantaneous. Add to that a domain name system that enables an array of attacks and it's obvious the internet was never designed with security in mind.

It was in this highly flawed world that Netscape Communications, eBay and the rest of the net pioneers found themselves racing to build billion-dollar businesses that required complex webs of trust. Suddenly, technologies that had no grounding in security were being used to handle all kinds of sensitive information. Cookies were being used to authenticate users on banking websites, flimsy Ajax scripts held the keys to executive's calendar entries and email messages and an overabundance of buggy ActiveX programs was relied on to fill the considerable gaps left by websites that did little more than deliver static text and pictures.

The situation grew especially dire starting in the late 1990s, as Microsoft, in a series of steps later adjudged to be illegal, snuffed the life out of Netscape's Navigator browser. A lack of genetic diversity and Microsoft's then deep-seated inattention to security resulted in the years to follow being a particularly dark period for web security. Parasites like Nimda, Slammer, Code Red and Blaster wreaked havoc on businesses big and small and firmly cemented the net's reputation as a Darwinian place where the weak get preyed upon.

Things have thankfully improved since then. The rise of Firefox and Opera gave users a viable alternative to the IE hegemony, making it significantly harder for criminals to write a single piece of code that will work across wide swaths of the internet's user base. More importantly, the new browsers made it easy to control some of the net's more reckless technologies by steering clear of ActiveX, and fostering third-party extensions such as NoScript, which allows users to choose which sites get to run Java, JavaScript, Flash and iframes.

"We're asking a lot of a piece of software to take code anywhere on the internet and execute it on a user's machine and not interfere with the machine," says Mozilla's security chief Window Snyder. "People want to browse the web. They want to have these rich Web 2.0 experiences. It's a lot safer now than it used to be."

The safest browser?

Mozilla is fond of calling Firefox "the safest web browser." Given Microsoft's checkered past, and the speed with which Mozilla patches reported security flaws, that's probably true. But it's worth noting that for all Mozilla's preening the open-source organization has yet to release a browser that runs in so-called protected mode. The idea is to isolate the browser from the rest of the operating system to minimize errors that could otherwise allow attackers to hijack the machine running the program. Because exploits such as buffer overflows are relegated to a virtual sandbox, they remain dormant because they never get the opportunity to make changes to the OS at large.

Screenshot of Firefox browser displaying malware protection warning

Firefox's New malware protection

Internet Explorer 8 running on the Windows Vista operating system, by contrast, does offer this rather sensible piece of protection. Snyder said Mozilla considered adding the feature to the recent release but ultimately decided against it.

"It's a pretty significant change," she said. "It just didn't fit into Firefox 3." She said Mozilla may fold the feature into an upcoming version.

Read on to learn about the scourge of the ActiveX shrew

Reducing the cost and complexity of web vulnerability management

Next page: Cookie mishmash

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.