Browsers: Reloaded - A Look at Next Generation Web Browsers
There are a bunch of new "web browsers" hitting the market; some of them even claim to be more "secure"... but are they? What's preventing security from happening?


Published in Technology
Transcript

  • 1. Browsers: Reloaded Rafal M. Los Web Application Security SME Hewlett-Packard Application Security Center May 18th, 2009
  • 2. In the future, the battle for control of your online computing experience will be fought in your browser.
  • 3. Overloaded, Overworked, Broken Browser “extensibility” is duct tape & bubble gum Consider how many plug-ins most browsers have-
  • 4. What Do Consumers Want? 1st Functionality. Then Security made simple. (maybe) Why is this so hard?
  • 5. Why Can’t It Just Work?
      Functional:
        • “neat” tech
        • Interoperable
        • Interactive
        • Extensible
      Secure:
        • “trusted” tech
        • Minimalistic approach
      Is middle ground just failure for both?
  • 6. Usable Security
      Users want security features they don’t need to “think” about
        – “It should just be secure without my help”
        – Make “security decisions” without compromising the browsing experience
        – Protect the user from him/herself
        – … is this even possible?
  • 7. Example: Why NoScript Fails
      NoScript is security via “plug in”
        – Fails because
            • Blocks all script by default
            • Breaks functionality for the user
            • Requires the user to make security decisions!
        – Most common users simply “enable all JS”…
            • …and are back to square 1
        – How many regular users do you know use NoScript?
  • 8. Firefox? IE? Safari? Chrome? With all these options, how is a person to choose the right one? While every browser claims to be “more secure”, what does that mean? Is there a legitimate reason for your browser to have a task manager?
  • 9. Example: Chrome’s Tabs Should your sessions persist across multiple tabs? Windows?
  • 10. Example: Chrome’s Tabs What do you suppose is the result?
  • 11. Example: Chrome’s Tabs
  • 12. Browser Wish List
        • Browser framework itself resilient to attack
            – One window/tab can’t crash another?
        • Reduced attack surface for plug-ins
            – Limit how much damage a plug-in can do
        • No session persistence across windows/tabs
            – Why does this even exist today?
        • Basic security features?
            – Provide basic defense against client-side attacks
  • 13. Are Modern Browsers Secure? No. Internet Explorer, Firefox, Chrome, Safari … all have the same basic flaws.
  • 14. Rafal Los HP Application Security Center Email: Rafal@HP.com Direct: (404) 606-6056 Twitter: RafalLos Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal