Article development led by
A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil.
It seems every day we learn of some new security breach. It is all there for the taking on the Internet—more and more sensitive data every second. As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online…we put it all out there. And just how well protected is all that personally identifiable information? Not very.
The browser is our most important connection to the Web, and our first line of defense. But have the browser vendors kept up their end of the bargain in protecting users? They claim to have done so in various ways, but many of those claims are thin. From SSL (Secure Sockets Layer) to the Do Not Track initiative to browser add-ons to HTML5, attempts to beef up security and privacy safeguards have fallen well short.
For example, many experts dismiss the notion that the most widely used protocol for providing security over the Internet, the SSL CA (certificate authority) model, actually provides adequate transport-layer security. But for all its faults, there is much resistance among vendors to changing the model.
HTML5 is waiting in the wings, viewed by many as the next step toward improving the Web experience, while retaining compatibility with existing browsers. It has been put forth with great promise, but so far it has not adequately addressed security
Vendors have attempted to achieve better browser security by supplying add-ons for protection, but users first must know where to find, and then download, install, and configure them. That is a lot to ask. It also means first being aware of the dangers—many businesses have never heard of cross-site request forgery or clickjacking, and most users have no idea just how exposed their personal information really is. This is not an easy message to
Likewise, users must be proactive to derive any protection from the Do Not Track initiative, a means of requesting Internet companies to stop following a user’s every move. Though endorsed by the W3C and the Federal Trade Commission, it, too, falls short by putting the burden on generally uninformed users to opt in rather than making it a
For this case study on browser security, ACM has assembled an experienced group to break down some of the mythical claims of security in today’s browsers and argue the case for
Jeremiah Grossman is founder and CTO at WhiteHat Security, a leading provider of Web application security services, including Sentinel, a website vulnerability management solution. A founding member of WASC (Web Application Security Consortium), he is