Communications - January 2013

The problem of CSS history sniffing finally got so bad and became so high profile that approximately 10 years after it first came up, all the major browser vendors finally broke the functionality required for the attack. Many Web developers who relied on the underlying functionality were vocally upset, but apparently this was an acceptable level of breakage from the browser vendors’ perspective.

When the breakage is not acceptable, but the issue is still bad, new opt-in browser security features are put forth. They generally have low adoption rates. Prime examples are Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL (Secure Sockets Layer), Secure and HttpOnly cookie flags, and others. Website owners can implement these solutions only when or if they want to, thereby managing their own breakage. What none of these features do is to allow Web users to protect themselves, something every browser should enable its users to do. Right now, Web security is in a holding pattern—waiting for the bad guys to cause enough damage—which then should give enough juice to those with the power to take action.

Beyond the status Quo

The path toward a more secure Web has a few options. We could establish a brand-new World Wide Web, or an area within it. A Web platform designed to be resilient to the current laundry list of problems, however, will forever plague its predecessor. For the moment, let’s assume we technically know how to make a secure platform, which is a big if.

The next step would be to convince the developers behind the millions, potentially hundreds of millions, of important websites to move over and/ or build atop version two. Of course, the promise of a “more secure” platform would not be sufficient incentive by itself. They would have to be offered something more attractive in addition. Even if there were something more attractive, this path would only exchange our backward-compat-ibility problem for a legacy problem, which is likely to take years, perhaps a decade or more, to get beyond.

There is another path—one that
already has a demonstrated model of
success in mobile applications. What
you find there basically amounts to
many tiny Web browsers connected
to the mobile version of the main
website. The security benefit pro-
vided by mobile platforms such as
Apple’s iOS and Google’s Android
is that the applications are isolated
from one another in both memory
and session state.

Related articles on queue.acm.org

Browser Security

Charles Reis, Adam Barth, and Carlos Pizano

http://queue.acm.org/detail.cfm?id=1556050

Security in the Browser

Thomas Wadlow and Vlad Gorelik

http://queue.acm.org/detail.cfm?id=1516164

Cybercrime 2.0: When the Cloud Turns Dark

Niels Provos, Moheeb Abu Rajab, and Panayiotis Mavrommatis

http://queue.acm.org/detail.cfm?id=1517412

Jeremiah Grossman is the founder and CtO of WhiteHat security, where he is responsible for Web security R&d and industry outreach. He is a cofounder of Web application security Consortium (WasC) and was previously named one of Info World’s top 25 CtOs. He serves on the advisory boards of two start-ups, Risk I/O and sd Elements. before founding WhiteHat, he was an information security officer at yahoo!