This content is part of the Conference Coverage: RSA Conference 2015 special coverage: News, analysis and video

Why Web browser security is a goldmine for attackers

SAN FRANCISCO -- Web browsers from all vendors are under constant attack, and a large part of that stems from third-party software. Browsers running Java and Silverlight in particular are frequent targets, but Robert "RSnake" Hansen, vice president of WhiteHat Labs at WhiteHat Security, says the fault often lies not with the browser itself but with the third-party software.

"[The browser vendors] don't really have a firm knowledge of all the bad things that could happen because they didn't write the code, and because it updates on its own. But worse, even if they did have good knowledge of it, [the browser vendors] don't control it, so even if they know there's a vulnerability there, they can't do anything about it."

In this interview recorded at the 2015 RSA Conference, RSnake talks to Eric Parizo about general Web browser security practices and the frequency of attacks through websites.

"The Web is so ubiquitous," RSnake says. "It's so easy, it's so pervasive, it's so dynamic; and firewalls basically say 'come on in.' I think it makes a lot of sense that [the Web] would be the way [attackers] come in."

As for the problematic Java, Silverlight and Flash, RSnake is hesitant about whether full-blown eradication from the Web is really a solution.

"It's possible. I don't think it [will] happen anytime in the near future. … There are still a lot of applications that still rely on the legacy things."

RSnake also bleakly addressed the Menlo Security report that says a third of the top websites are either compromised or running vulnerable software.

"Unfortunately I think that's just being really optimistic. I think 100% of [top websites] are running vulnerable software, they just don't know it. Or the vulnerabilities haven't been announced yet, or haven't been found yet or whatever. I know that sounds really bad, but the Internet was not built with security in mind."


Do you think the eradication of Java and Silverlight would be a viable solution to Web browser security risks?
In a word, no. It's not just those two things; it's plugins, it's compromised sites, it's people reusing credentials on multiple sites.
Lest I forget to mention Flash... and plugins on websites themselves.
Not at all. If you get rid of one, they will always find another method. It seems they keep finding new ways almost on a monthly basis. We patch something and they exploit another. We all know Flash is a problem, so why do we keep using it? If we stopped support, how many sites would fail and have to be redesigned or written in HTML5 as a workaround? Another plugin that was dropped was the Unity player plug-in (I think it was Google); now you have to use another browser or stop using the application.