vice (such as the e-commerce interface
for a store at which the victim has an
account). By carefully positioning the
buttons of the game, the attacker can
cause the victim to perform actions
from their store account without knowing that they’ve done so.
Security vs. usability
Usability and security have long been at
odds with each other in software design.
The browser is no exception to that rule.
When browsing the Web or down-loading files the user constantly needs
to make choices about whether to trust
a site or the content accessed from that
site. Browser approaches to this have
evolved over time—for example, browsers used to give a slight warning if you
accessed a site with an invalid HTTPS
certificate; now most browsers block
sites with invalid certificates and make
the user figure out how to unblock
them. Similar approaches are taken
with file downloads. Internet Explorer
tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting
the user for actions that are legitimate
most of the time often creates user fatigue, which makes the user careless in
walking the tightrope between software
with a “reasonable but not excessive”
security posture and a package that is
either too open for safety or too closed
to be useful. Most browsers today have
evolved from the “make the user make
the choice” model to the “block and require explicit override action” model.
In some cases the security of the
browser has had a major impact on Web
site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one
time or another. This type of malware
uses various techniques to steal users’
credentials. One of these techniques
is form grabbing—basically hooking
the browser’s internal code for sending
form data to capture login information
before it is encrypted by the SSL layer.
Another technique is to log keyboard
strokes to steal credentials when the
user is typing information into a browser. These techniques have spawned various attempts by Web site designers to
provide more advanced authentication
methods, such as multifactor authentication with a hardware token and use of
criminals who are
looking for ways
to turn browser
into money. they
willing to try a
variety of attacks
to see what works.
various click-based keyboards to avoid
key loggers. In some cases some banks
ask the user to authenticate each transaction with a hardware token. Although
some of these techniques definitely improve security, they can place a pretty
heavy burden on the end user.
Another usability feature of the Web
browser that has been attacked by malware is the auto-complete functionality.
Auto-complete saves the form information in a safe location and presents the
user with options for what he typed before into a similar form. Several families
of malware, such as the Goldun/Trojan
Hearse, used this technique very effectively. The malware cracked the encrypted autocomplete data from the browser
and send it back to the central server
location without even having to wait for
the user to log in to the site.
Given all the vulnerabilities out there
and the willingness of attackers to exploit them, you might think that users
would be clamoring for more security
from their browsers. And some of them
do…as long as it doesn’t prevent any of
their desired features from working.
Let’s start with the browser software
itself. From a security engineering perspective, the obvious choice for browser
software (or any software) is to ship it
in a “locked down” state, with all security features turned on, and let the
user or enterprise weaken the security
by enabling functions that they want.
Consumer software that has done this
has generally failed in the marketplace.
Consumers want security, but they don’t
want to think about it or configure it. If
the shipped configuration does what
they want, they probably will not alter
the configuration much, if at all.
So the browser designer faces the
Goldilocks problem. Either the porridge is too cold (not usable because of
the demands of the security lockdown)
or too hot (too easy to abuse because not
enough security measures are in place,
or are too weak). Designing a configuration that is “just right” is nearly impossible because of evolving threats, uncovered bugs, and differing user tolerances
There are a number of documents
available that list steps one can take to
lock down a Web browser. For example,
one of those steps often is something