Scaling back Web browser security expectations

Despite the best efforts of the computer security industry, the number of flaws continues to grow; new ones have already been found in Microsoft Internet Explorer 7, and Firefox is coming under increasing scrutiny by industry experts and attackers. Browser vendors are faced with the impossible task of writing flawless code while hackers only have to spot one error in order to find an attack vector. The emergence of the "exploits-as-a-service" business, where malware is sold to organized crime, has helped to increase the cries for better Web browsers and Web browser security.

For more on Web browser security Should you be using Internet Explorer? Mike Cobb explains the security risks of alternative browsers. Find out how IE 7's browser security features compare to those of Firefox 2.0. Senior News Writer Bill Brenner asks Mozilla Corp.'s security chief Window Snyder, "Who patches better: Microsoft or Mozilla?"

So how would the ideal browser differ from what we have today? Microsoft has certainly eased its software repair process via automatically installed Internet updates, and the introduction of a software "sandbox" will help limit damage even if a malicious program is able to subvert the operation of IE 7. But what more is required?

Web browser security is an ongoing issue because a browser cannot distinguish between malicious and non-malicious content. The critical question is, at what point should the browser defer to the user's decision to allow particular content, versus blocking it regardless? With current browsers, the initial settings make many security decisions automatically on behalf of the user. However, we all know how annoying it is when Outlook, for example, decides for us which attachments we can and cannot open. At the other extreme, it is very disconcerting when a desktop firewall asks for your decision on every incoming probe or request. There are so many, productivity collapses and click fatigue sets in.

I feel that browsers will never be able to successfully make all of our security decisions for us. Some form of behavior analysis may make the decision-handling and alerts less rigid, but the secure development lifecycle process will never be perfect; there will always be some coding flaws that don't get spotted. Part of the battle against attacks must be fought by users improving their understanding and ability to manage their online risks. New and future browsers will have advanced anti-phishing features, but they will never be able to protect against every social engineering based attack.

Perhaps we need to change our perception of the Internet and accept that there is an element of risk when we use it, since it's unlikely that browsers will ever be able to make all our security decisions for us or protect us from every danger, known and unknown.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities Internet Explorer Security Microsoft addresses XSS in Internet Explorer Internet Explorer open to spoofing, scripting attacks Shrewd attackers bypass old security defenses with Web attacks Inside MSRC: Microsoft outlines Internet Explorer flaws Install Microsoft Office and IE patches first, experts say IE patch glitch sends admins in search of workarounds Microsoft security update causes IE meltdown Security fixes on tap for Windows, IE, DirectX Will Web browsers ever be fully equipped to detect and remove malware? Preparing for uniform resource identifier (URI) exploits Firefox Security and Mozilla Security Shrewd attackers bypass old security defenses with Web attacks Firefox 3 security looks promising, testers say Mozilla plugs Firefox flaws Mozilla to rush update for Firefox bugs Will Web browsers ever be fully equipped to detect and remove malware? Mozilla fixes multiple Firefox flaws Preparing for uniform resource identifier (URI) exploits Mozilla closes QuickTime attack vector in Firefox Firefox security issues persist despite update Mozilla to extend security in major Firefox update Firefox Security and Mozilla Security Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary browser hijacker  (SearchSecurity.com) cache cramming  (SearchSecurity.com) NCSA  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.