When Web browsers first emerged as front-end interfaces to Web-based applications, it was in an era where application-layer attacks were few and far between. Today, the browser
Despite the best efforts of the computer security industry, the number of flaws continues to grow; new ones have already been found in Microsoft Internet Explorer 7, and Firefox is coming under increasing scrutiny by industry experts and attackers. Browser vendors are faced with the impossible task of writing flawless code while hackers only have to spot one error in order to find an attack vector. The emergence of the "exploits-as-a-service" business, where malware is sold to organized crime, has helped to increase the cries for better Web browsers and Web browser security.
So how would the ideal browser differ from what we have today? Microsoft has certainly eased its software repair process via automatically installed Internet updates, and the introduction of a software "sandbox" will help limit damage even if a malicious program is able to subvert the operation of IE 7. But what more is required?
Web browser security is an ongoing issue because a browser cannot distinguish between malicious and non-malicious content. The critical question is, at what point should the browser defer to the user's decision to allow particular content, versus blocking it regardless? With current browsers, the initial settings make many security decisions automatically on behalf of the user. However, we all know how annoying it is when Outlook, for example, decides for us which attachments we can and cannot open. At the other extreme, it is very disconcerting when a desktop firewall asks for your decision on every incoming probe or request. There are so many, productivity collapses and click fatigue sets in.
I feel that browsers will never be able to successfully make all of our security decisions for us. Some form of behavior analysis may make the decision-handling and alerts less rigid, but the secure development lifecycle process will never be perfect; there will always be some coding flaws that don't get spotted. Part of the battle against attacks must be fought by users improving their understanding and ability to manage their online risks. New and future browsers will have advanced anti-phishing features, but they will never be able to protect against every social engineering based attack.
Perhaps we need to change our perception of the Internet and accept that there is an element of risk when we use it, since it's unlikely that browsers will ever be able to make all our security decisions for us or protect us from every danger, known and unknown.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in April 2007