Browsers: Reloaded - A Look at Next Generation Web Browsers


There are a bunch of new "web browsers" hitting the market; some of them even claim to be more "secure"... but are they? What's preventing security from happening?

  1. Browsers: Reloaded. Rafal M. Los, Web Application Security SME, Hewlett-Packard Application Security Center, May 18th, 2009.
  2. In the future, the battle for control of your online computing experience will be fought in your browser.
  3. Overloaded, Overworked, Broken. Browser “extensibility” is duct tape and bubble gum. Consider how many plug-ins most browsers have.
  4. What Do Consumers Want? 1st: functionality. Then security made simple (maybe). Why is this so hard?
  5. Why Can’t It Just Work? Functional vs. Secure:
     • “neat” tech
     • “trusted” tech
     • Interoperable
     • Minimalistic
     • Interactive approach
     • Extensible
     Is middle ground just failure for both?
  6. Usable Security. Users want security features they don’t need to “think” about:
     – “It should just be secure without my help”
     – Make “security decisions” without compromising the browsing experience
     – Protect the user from him/herself
     – … is this even possible?
  7. Example: Why NoScript Fails. NoScript is security via “plug-in”.
     – Fails because:
       • Blocks all script by default
       • Breaks functionality for the user
       • Requires the user to make security decisions!
     – Most common users simply “enable all JS”…
       • …and are back to square 1
     – How many regular users do you know who use NoScript?
  8. Firefox? IE? Safari? Chrome? With all these options, how is a person to choose the right one? While every browser claims to be “more secure”, what does that mean? Is there a legitimate reason for your browser to have a task manager?
  9. Example: Chrome’s Tabs. Should your sessions persist across multiple tabs? Windows?
  10. Example: Chrome’s Tabs. What do you suppose is the result?
  11. Example: Chrome’s Tabs.
  12. Browser Wish List:
     • Browser framework itself resilient to attack
       – One window/tab can’t crash another?
     • Reduced attack surface for plug-ins
       – Limit how much damage a plug-in can do
     • No session persistence across windows/tabs
       – Why does this even exist today?
     • Basic security features?
       – Provide basic defense against client-side attacks
  13. Are Modern Browsers Secure? No. Internet Explorer, Firefox, Chrome, Safari … all have the same basic flaws.
  14. Rafal Los, HP Application Security Center. Email: Direct: (404) 606-6056. Twitter: RafalLos. Blog: