As use of the cloud continues to burgeon and browsers increasingly take over as the UI/UX of many apps, it's time for companies to take a closer look at the safety, vendor choices, plug-ins and overall security profile of the application hosting platform that browsers now represent.
There is a lot at stake, and there are a lot of stakeholders, including (but certainly not limited to):
- Business users accessing enterprise apps via browsers
- Consumers, who want to get info, be entertained, buy things, pay bills, and socialize
- Marketers, who by tracking consumer activities can help ensure that the ads with the best chance of winning a sale are advertised in the places where consumers go
- Those with interest in data--where you surf, where you click, how you move and scroll through a web page, what you do while you’re at a site and how long you do it for
- UX/UI designers, who want you do make the “right” choices, be able to make these choices quickly, and enjoy your experience along the way
- Cyber criminals and malicious hackers, who want to leverage browsers to steal data, among other things, without being caught doing so
It’s this last camp, of course, that is causing consternation among business leaders and IT pros, and warrants taking a closer look at browser security.
The Broadening of the Browser
In the past, companies would update browsers perhaps annually. Now, they are updated weekly—if not more frequently—to address constant changes in the security, privacy and feature landscape across Windows, Macs and Linux, processor families, and desktop and mobile systems. Each of these platforms must behave similarly across each new version of a browser.
Keeping browsers updated across so much turf isn’t easy to do, especially since browsers themselves have expanded beyond what was once essentially two platforms: Internet Explorer and Safari. The dramatic recent evolution of browsers can be seen in a chart showing their roots.
Sandboxes and Proxies
The security of browsers has evolved in several major ways.
First, the concept of preventing the running user status of a browser from directly touching user machine/OS resources was instantiated through the concept of sandboxing. A sandbox in its simple sense is an interdiction between what user resources a browser page can access—such as file system, memory, invocation of applications or permission to modify something. A proxy is an interloping application that sits in the communications stream between a host running a browser and the web page/app accessed.
The browser sandbox may be as simple as asking the user for permission to do something desired by the application. This might also involve asking a user for the user or system password, depending on the version and the interdiction level supported by the OS. Browser sandboxes have become very sophisticated. The sandbox also prevents snooping and sniffing around the resources of the OS, including devices like webcams.
The use of a user’s storage is more controversial. Cookies, files left by web pages, are used for history, login information and enhancement of the UX. This cache of browsing data, however, also serves the serve-you-ads and tracking-your-data camps. The value of cookies to the consumer is particularly dubious, but to marketers and trackers it’s gold. You will take this data from their cold, dead hands.
The sandbox was initially the prime method to block browser applications from undesirably asserting dominion over hapless user assets (their machines, their passwords, their bank accounts, their webcams, their keystrokes, etc.), but evolutionary browser changes have started to tighten asset protection.
One of the first moves came when Apple decided not to support Adobe Flash—a controversial tactic but one that improved the security of Apple’s Safari browser. In one stroke, an entire industry re-examined Flash or attempted to build alternate platforms (Silverlight from Microsoft was one) to produce similar browser apps.
More recently, browser vendors (Google Chrome was the first large browser developer to do so) started warning users that their conversations were not encrypted or that certain parts of a page might be unencrypted. This saved users from sending easily viewed usernames, passwords or other sensitive info across the internet. And, overcoming decades of unencrypted sloth, the move to HTTPS forced web page hosts to encrypt via a valid security certificate, raising the denominator of basic encryption.
Proxies can be useful. When HTTPS is used (almost everywhere these days), conversations become encrypted via certificates delivered inside a browser and the web page/app being used. By inserting a special certificate, the proxy can become a broker for the HTTPS conversation, and can then use firewall and data stream monitoring techniques to prevent malware transmission. This proxy encryption methodology is behind much of the cloud access security brokerage/CASB thinking.
Site reputation lookup also became a browser feature, although it’s one that may reveal privacy (user request data) information when a site’s reputation is looked up. Today, many sites have become blacklisted through a service offered by Google, but this service may also mean that information about website targets is perused via data gathering. A browser using this selection (some browsers allow opt-out) may store information regarding the site reputation by the URL called by the user.
Mis-typed URLs can be captured through site reputation lookup schemes like Google’s, but at the same deficit of revealing approximate user viewing history, a potential privacy and security issue (and GDPR compliance issue).
Most browsers will permit caching of user credentials for websites--even commonly used fields like email and street address, and other “convenience” items. The use of a browser database is controversial, although access to browser-cached credentials that aren’t cookie-based are sandboxed. Browsers that store passwords are vulnerable to sit-down attacks: Sit down at an unattended browser, and within a few seconds most browsers will reveal passwords, unless the browser has been set (or the OS has been set) to require a password to reveal other passwords. This sandbox washes easily.
Although a Do-Not-Track industry initiative has done little good, some browsers allow users to more easily edit cookies and remove tracking cookies. Cookie actions can also be somewhat thwarted through the use of a genre of add-ins called privacy guards or cookie blockers that prevent tracking either by disabling scripts or by blocking responses to tags that report/interact with users.
The EFF’s Privacy Badger is one such blocker; Ghostery is another. Neither privacy/tracking app is foolproof, and some websites will block viewers from gazing at their pages when the page logic detects that a user is attempting to download/view a page while using a privacy/tracking/ad blocker.
The browser wars started years ago are still being waged, and as the browser starts to edge out operating system apps in usage, the browser-as-an-operating-system model will continue to stress browser vendors and their users. The armor will become thicker behind the scenes, the sandboxes deeper.
For IT security, there are methods that control browser access when the communications circuits can be controlled. Proxies and CASB provide an external method to protect users, and vendors have differing methods for increasing the depth and hardness of sandboxing techniques. Microsoft has proposed hypervised spontaneous browser instances that spawn browser protection in the virtual machine style. Browsers-in-containers as a protection methodology is surely not far off.