The browser has evolved from a simple hypertext reader into a full-blown application platform. Every new feature enlarges the attack surface and adds risk.
Some people try to mitigate these risks by disabling features in the browser’s settings. This is a cumbersome task. Many features are modifiable, yet not easily accessed. Others are set in stone.
Another approach, which is as popular as it is suspect, is to use browser privacy add-ons. Security is often only as strong as its weakest link. Throwing another component into the mix has the potential to cause more problems than it solves.
Here are a few capabilities found in modern browsers that can be used to compromise privacy and security:
- Media Capture API (Webcam / Microphone)
- HTML5 Canvas
- WebAudio
- WebRTC (Peer-to-Peer Communications)
- WebGL (GPU / 3D Graphics Interface)
- Local Storage
- Cookies
- Plug-Ins
- iframes
It would be nice to have a document-centric browser mode that is far stricter than privacy / incognito mode—let’s call it “safe-web mode.”
For safe-web mode, a good start would be:
- no plug-ins
- no JavaScript
- no frames
- no 3rd party cookies
- all cookie information sandboxed within the tab
- all data purged on tab close
- to neuter web beacons, no linked assets (images, audio, iframes, etc.)
- all media assets (images, audio, etc.) are to be embedded in the document as base-64 data URIs
- hyperlink, GET, and POST URLs always fully displayed
- perhaps disable caching to prevent certain forms of timing attack…
Take GMail or Office 365 for example: Both render messages from unknown senders in the browser. As-is, each message must be scrubbed of current known attack vectors. With safe-web mode, these enforcements would be handled automatically by the browser. It would be a win for overall web security to have a higher level of scrubbing built into the infrastructure, instead of leaving it up to every web application provider to implement and re-implement scrubbing on an ad-hoc basis.
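As an added illustration (not code from the original post), the following Python audits an HTML document, such as a mail message body, against the markup rules of the safe-web list above: no JavaScript, no frames, no plug-ins, and no linked assets other than data URIs. The names `SafeWebAudit` and `audit` and the sample hosts are assumptions made for this example; CSS `url()` references and cookie handling are outside its scope.

```python
from html.parser import HTMLParser

# Elements the safe-web list bans outright (JavaScript, frames, plug-ins).
BANNED_TAGS = {"script": "no JavaScript", "iframe": "no frames", "frame": "no frames",
               "object": "no plug-ins", "embed": "no plug-ins", "applet": "no plug-ins"}
# Attributes that fetch an asset while rendering (srcset is always flagged, see below).
FETCH_ATTRS = {"src", "poster", "background", "data"}

class SafeWebAudit(HTMLParser):
    """Hypothetical auditor: collects (line, rule, detail) per violation."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.violations = []

    def _flag(self, rule, detail):
        self.violations.append((self.getpos()[0], rule, detail))

    def handle_starttag(self, tag, attrs):
        if tag in BANNED_TAGS:
            self._flag(BANNED_TAGS[tag], f"<{tag}>")
            return
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # inline event handler
                self._flag("no JavaScript", f"{tag}[{name}]")
            elif name in ("href", "action", "formaction") and value.lower().startswith("javascript:"):
                self._flag("no JavaScript", f"{tag}[{name}] javascript: URL")
            elif (name == "srcset" or (tag == "link" and name == "href")
                  or (name in FETCH_ATTRS and not value.lower().startswith("data:"))):
                self._flag("no linked assets", f"{tag}[{name}] -> {value}")

def audit(html_text):
    parser = SafeWebAudit()
    parser.feed(html_text)
    parser.close()
    return parser.violations

# Constructed sample message body; the hosts are placeholders.
SAMPLE = """<p onclick="track()">Hello</p>
<img src="https://tracker.example/pixel.gif?id=42">
<img src="data:image/png;base64,iVBORw0KGgo=">
<script src="https://cdn.example/app.js"></script>
<iframe src="https://ads.example/frame"></iframe>
<a href="https://example.org/article">read more</a>
"""

if __name__ == "__main__":
    for line, rule, detail in audit(SAMPLE):
        print(f"line {line}: {rule}: {detail}")
```

Ordinary hyperlinks pass the audit because following them is a user action with the URL on display; `srcset` is flagged unconditionally because its candidate list can mix data URIs with remote URLs.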
Tor would be another use case. Tor is a secure tunneling protocol. Since all of the mainstream browsers are pure attack surface, the Tor Project maintains a modified version of Mozilla Firefox in the hope that it won’t undermine the security or anonymity of their tunneling protocol. Their modified version has an imperfect, yet decent track record. It is not a good thing that they had to roll their own one-off browser just to keep it from leaking information in the first place.
For the Tor case there was, admittedly, a silver lining of actual bad guys being caught. Even so, happy coincidences shouldn’t excuse bad software. The same exploits work just as well against journalists and dissidents as they do against creeps.
Ponder our friends heavily invested in cryptocurrencies like Bitcoin and Ethereum. If you follow the vulnerability lists, moving thousands or even millions of dollars through a web browser—without the protection of an intermediary who can void the transaction if things go awry—is a harrowing experience. Most enthusiasts resort to using either hardware wallets, or some form of minimalistic PC setup for transactions. It would be nice if people could securely transact without resorting to additional hardware or obscure setups.
“It seems that perfection is attained not when there is nothing more to add, but when there is nothing more to remove.”
It is probably safe to say that as long as the business model of the web is advertising and surveillance, the trend will continue to favor more attack surface instead of less. Google’s profits are in the tens of billions. It does not take billions to remove. Mozilla Foundation brought in more than half a billion dollars in 2016 to maintain their 3rd place browser. It does not take hundreds of millions to turn off.
A few current attempts at removing…
If you know of any similar efforts, please send a message or a comment so I can add it to the list!
Brothers in Arms
- “A Prettier Web, Not A Thicker One” (Ted Unangst)
- “Upgrading the Web” (Douglas Crockford)
- “Google Embraces, Extends, and Extinguishes” (Drew DeVault)
- “Firefox Is on a Slippery Slope” (Drew DeVault)
- “Decoupling from Fakebook” (Scott Locklin)
- “Gopher and the Lynx Web” (Jason McBrayer)