jacking stuff in the browser. But, again,
all that work is separate from HTML5.
GN-N: What else concerns you about
JG: Are you familiar with the use
of session storage as an alternative
to cookies? Basically, some Web programmers are starting to put actual
storage in addition to data. That way,
when the page loads, they can just eval
that code directly rather than having to
make a network call, because that gets
them a performance win.
Of course, the bad guys find this attractive. If they cross-site script the site
that loaded that code, they’ll be able to
backdoor the application and thus enjoy permanent access to any client that
thing happens to get loaded onto, since
that backdoor code will always run.
GN-N: Stored procedures are a clever
idea on a database, but they are a terrifying idea in a client.
JG: Even once you become aware of
the exploit, backing out of it will be all
but impossible. You certainly wouldn’t
be able to override it from the server.
So while the HTML5 guys will say they
haven’t increased the attack surface, I
don’t think they actually know yet what
all the implications are going to be.
GN-N: This would really simplify the
distribution of something that looks
an awful lot like a virus.
JG: It really does, but that isn’t obvious yet since use of HTML5 in that
way still isn’t particularly widespread.
Give it a few years, though, and it will
be everywhere, because it really is a
GN-N: This tells me that the browser
vendors ought to include a feature that
lets you flush an application’s program
space—perhaps not from the server,
but the user ought to be able at least to
flush a bad application. And now I’m
suddenly picturing virus scanners that
run in your browser.
JG: Oh, yeah, that’s definitely going
to be the case.
BL: Even then, ensuring data integrity is not going to be easy. If you have
complex data structures, who’s to say
some of those haven’t been affected in
some subtle ways?
JG: I think what the browser vendors
have done—knowingly or unknowingly—is to turn the browser into a new
GN-N: Well, Chrome isn’t called
Google Chrome OS for nothing, you
JG: That’s right. Actually, within that
sandbox there’s not all that much security buffer between applications.
GN-N: We keep ripping on HTML5,
but is there anything people might be
able to do to provide for a better and
safer user experience?
JG: Well, let’s be clear: if you are using any modern browser, you are going
to end up using HTML5. There’s no
way to turn it off in your browser since
it’s not a feature. It’s HTML. You can’t
turn off HTML in the browser.
GN-N: I wasn’t actually thinking in
terms of turning off HTML5, although
it’s an interesting notion. In any event,
I don’t think the typical user ever turns
off anything. It’s up to the client and
server application developers to build
things in such a way that, even in the
face of a wide-open browser, the user
won’t end up getting abused constantly.
JG: I can share how I try to protect myself and how I’ve instructed my mom to
do it. Take two browsers—any modern
browsers that have been updated will
do. The important thing is to have two
of them so you can compartmentalize
risk. The first of these will be the primary browser, the one you use for all
your promiscuous browsing—read the
news, visit your favorite websites, click
on the links in your Twitter feed, and
whatever else you feel tempted to do.
But don’t ever use the primary browser
to do anything with online accounts
you consider sensitive or important.
If you’re using Chrome or Firefox,
you should also turn on ad blocking
and tracker blocking as extensions in
the browser. That’s not just for sanity
purposes, but also to prevent a whole
lot of malware, which often ends up
getting propagated over advertising
networks. Bonus points if you run in
incognito or private mode. That might
save you a little bit of privacy as well.
Another thing you should do is to block
plugins from playing by default. You
can run them whenever you want to
with a right click, but don’t let them
automatically run. Generally, when you
get infected with a virus or a piece of
malware, it’s because of some invisible
plugin that runs automatically.
Your secondary browser is the one
you want to fire up only when it’s time
to do online banking or online shop-
ping or anything involving a credit card
number, an account number, or any-
thing else you want to protect. Once
you have fired up that browser, get in
and do what you need to do quickly,
and then close that thing down.
Building Secure Web Applications
George V. Neville-Neil
Malware Defense Overview
Java Security Architecture Revisited
© 2013 aCM 0001-0782/13/01