Communications - January 2013

are only too happy to comply. Their choice is simple: be less secure and more user-adopted, or be secure and obscure. This is the Web security trade-off—a choice made by those who do not fully understand, appreciate, or are liable for the risks they are imposing on everyone using the Web.

Nonstarter solutions

To fix login detection, a browser might decide not to send the Web visitor’s cookie data to off-domain destinations (those different from the hostname in the URL bar) along with the Web requests. Cookies are essential to tracking login state. The off-domain destination could still get the request, but would not know to whom it belonged. This is a good thing for stopping the attack.

Not sending cookies off-domain, however, would break functionality for any website that uses multiple hostnames to deliver authenticated content. The approach would break single-click Web widgets such as Twitter’s “Follow,” Facebook’s “Like,” and Google’s “+ 1” buttons. The user would be required to perform a second step. It would also break visitor tracking via Google Analytics, Coremetrics, and so on. This is a clear nonstarter from the perspective of many.

To fix clickjacking, Web browsers could ban iframes entirely, or at least ban transparent iframes. Ideally, browser users should be able to “see” what they are really clicking on. Suggesting such a change to iframes, however, is a losing battle; millions of websites rely upon them, including transparent iframes, for essential functionality. Notable examples are Facebook, Gmail, and Yahoo! Mail. You do not normally see iframes when they are used, but they are indeed everywhere. That level of breakage is never going to be tolerated.

For browser intranet hacking, Web browsers could prohibit the inclusion of RFC-1918 resources from non- RFC-1918 websites. This essentially creates a break point in the browser between public and private networks. One reason that browser vendors say this is not doable is that some organizations actually do legitimately include intranet content on public websites. Therefore, because some organiza-

Dramatic
improvements
in browser security
and online privacy
are held hostage
by backward
compatibility
requirements
related to
how the internet
was designed.

tions (whom you have never heard of and whose websites you’ll never visit) have an odd use case, your browser leaves the private networks you are on, and that of hundreds of millions of others, wide open.

As shocking as this sounds, try looking at the decision not to fix the problem from the browser vendors’ perspective. If they break the uncommon use case of these unnamed organizations, the people within those organizations are forced to switch to a competing “less-secure” browser that allows them to continue business as usual. While the security of all other users increases for the browser that makes the change, that browser vendor loses some fraction of market share.

security Chasm

The browser vendors’ unwillingness to risk market share has led to the current security chasm. Dramatic improvements in browser security and online privacy are held hostage by backward compatibility requirements related to how the Internet was designed. Web-browser vendors compete with each other in trench-style warfare, gaining ground by scratching for a tiny percentage of new users, everyday—users who do not pay them a dime, while simultaneously trying to keep every last user they already have.

It’s important to remember that mainstream browsers are essentially advertising platforms. The more eyeballs browsers have, the more ads are delivered. Ads, and ad clicks, are what pay for the whole party. Anything getting in the way of that is never a priority.

To be fair, there was one important win recently when, after years of discussion, a fix was applied to CSS history sniffing. This is the ability of a website to uncover the history of other websites a user had visited by creating hyperlinks on a Web page and using either JavaScript or CSS to check the color of the link displayed on the screen. A blue link meant the visitor had not been there; purple indicated the user had visited the site. This was a serious privacy flaw that was simple, effective, and 10,000-URLs-per-second fast to execute. Any website could quickly know where you banked, shopped, what news you read, adult websites frequented, among others.