Can you imagine trying to use a computer these days without a Web browser? It would be almost impossible, except in limited-use environments. After all, countless applications rely on Web access of some sort or other and countless more will do so in the future.
Heavy reliance on Web browsers and Web servers makes the technologies a common target for potential intruders of all sorts, as evidenced by the influx of new attacks that appear each week. Security improvements for Web technologies are a constant goal for developers, and finally, Web browser makers are cooperating with each other--at least to some extent.
Two weeks ago, several Web developers gathered in Canada to discuss possible joint efforts to improve browser security. The meeting was hosted by George Staikos, core developer of K Desktop Environment (KDE), which is a popular graphical environment for Linux systems. (The KDE Web site is at the URL below.) Attendees included Carsten Fischer and Yngve Nysaeter Pettersen from Opera Software, Frank Hecker from Mozilla Foundation, and Rob Franco and Kelvin Yiu from Microsoft. Apparently, other developers were invited but were unable to attend. According to Staikos, "The aim was to come up with future plans to combat the security risks posed by phishing, aging encryption ciphers and inconsistent SSL Certificate practices."
http://www.kde.org
The first item agreed upon by those in attendance was to minimize use of weak encryption. For example, SSL 2.0 has already been removed from the KDE source code tree; in Microsoft Internet Explorer (IE) 7.0, SSL 2.0 will be disabled by default. Opera, Mozilla, and other vendors will undoubtedly follow. Likewise, weaker ciphers, such as those that use 40-bit and 56-bit keys, will be retired in favor of stronger encryption, and efforts will be made to push Certificate Authorities (CAs) to issue stronger certificates that use 2048-bit (or stronger) keys.
Speaking of CAs, a major focus of the meeting was certificate extensions. The meeting attendees would like to see CAs implement extensions to X.509 certificates that would indicate when a certificate owner has undergone some sort of extra verification process (i.e., a process beyond what's required to obtain a regular certificate). Browser software could make users aware of that stronger verification through visual indicators, such as color and text.
For example, Rob Franco writes in an IEBlog posting about the meeting that in IE 7.0, the address bar will be color-coded depending on the site visited. A red background will indicate sites that are known to participate in phishing. Yellow will represent sites suspected but not confirmed of participating in phishing. White will indicate sites that use a typical SSL certificate; green is "for sites that meet future guidelines for better identity validation. Along with the green fill, our current design for the address bar includes the name of the business alternating with the name of the third party Certification Authority who identified the business. We think this alternating presentation of business name with Certification Authority name is the right balance of user notification and simplicity."
From all reports, there was a lot of discussion at the meeting and the sense that everyone agreed on several ideas. For more details about what was discussed and what might result from the meeting, read the articles written by those who attended. You can read Staikos's comments at the first URL below, the Opera developers' comments at the second URL, the Mozilla participant's comments at the third URL, and the IE 7 developers' comments at the fourth URL.
http://dot.kde.org/1132619164
http://www.opera.com/security/toronto
http://www.hecker.org/mozilla/ssl-ui
http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
