Tip

Scaling back Web browser security expectations

When Web browsers first emerged as front-end interfaces to Web-based applications, it was in an era where application-layer attacks were few and far between. Today, the browser

    Requires Free Membership to View

has become one of the most critical and most used pieces of software on everyone's computer. Consequently, it has become the focus of attack.

Despite the best efforts of the computer security industry, the number of flaws continues to grow; new ones have already been found in Microsoft Internet Explorer 7, and Firefox is coming under increasing scrutiny by industry experts and attackers. Browser vendors are faced with the impossible task of writing flawless code while hackers only have to spot one error in order to find an attack vector. The emergence of the "exploits-as-a-service" business, where malware is sold to organized crime, has helped to increase the cries for better Web browsers and Web browser security.

For more on Web browser security

Should you be using Internet Explorer? Mike Cobb explains the security risks of alternative browsers.

Find out how IE 7's browser security features compare to those of Firefox 2.0.

Senior News Writer Bill Brenner asks Mozilla Corp.'s security chief Window Snyder, "Who patches better: Microsoft or Mozilla?"
 

So how would the ideal browser differ from what we have today? Microsoft has certainly eased its software repair process via automatically installed Internet updates, and the introduction of a software "sandbox" will help limit damage even if a malicious program is able to subvert the operation of IE 7. But what more is required?

Web browser security is an ongoing issue because a browser cannot distinguish between malicious and non-malicious content. The critical question is, at what point should the browser defer to the user's decision to allow particular content, versus blocking it regardless? With current browsers, the initial settings make many security decisions automatically on behalf of the user. However, we all know how annoying it is when Outlook, for example, decides for us which attachments we can and cannot open. At the other extreme, it is very disconcerting when a desktop firewall asks for your decision on every incoming probe or request. There are so many, productivity collapses and click fatigue sets in.

I feel that browsers will never be able to successfully make all of our security decisions for us. Some form of behavior analysis may make the decision-handling and alerts less rigid, but the secure development lifecycle process will never be perfect; there will always be some coding flaws that don't get spotted. Part of the battle against attacks must be fought by users improving their understanding and ability to manage their online risks. New and future browsers will have advanced anti-phishing features, but they will never be able to protect against every social engineering based attack.

Perhaps we need to change our perception of the Internet and accept that there is an element of risk when we use it, since it's unlikely that browsers will ever be able to make all our security decisions for us or protect us from every danger, known and unknown.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security
 

This was first published in April 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.