Browser security has advanced in recent years. The top browsers - Internet Explorer, Firefox, Safari, Chrome and Opera - all provide security indicators like green bars for extended validation certificates and padlocks. Google Chrome uses a security architecture with separate protection domains for the browser kernel and rendering engine. Private browsing and parental controls allow for more private web use. The W3C Web Security Context specification aims to standardize security context information presented to users across browsers. Users should exercise caution and use security features of their browsers like disabling plugins by default and blocking third-party cookies.
2. About the speaker
● Lead Security Architect, JBoss Division, Red Hat
● Coeditor of W3C Web Security Context Specifica
tion (http://www.w3.org/TR/wscui/)
– Targeted for Web User Agents (Browsers)
3. Overview
● Worldwide browser market
● Topics for Browser Security
● Report Card for the various popular browsers
● W3C WSCUI Specification
● Tips for secure browsing
4. Worldwide Browser Market
● Microsoft IE – 67.55%
● Mozilla Firefox – 21.53%
● Apple Safari – 8.29%
● Google Chrome – 1.12%
● Opera – 0.7%
Net Applications Report, Jan 2009
● http://marketshare.hitslink.com/browsermarketshare.aspx?qprid=1
5. Topics for Browser Security
● Security Indicators
– Green Bar (EVCerts)
– Padlock
● Security Architecture
– Google Chrome
● Private Browsing
● Plugins
● Phishing and Web Site Vulnerabilities
6. Security Indicators
● Extended Validation Certificates (EV Certs)
– Special type of X509 Certificates
● Certificate Policies extension field (Issuer has a oid)
– CA does extensive background checks on requester
– Guidelines issued by CA/Browser Forum
7. Security Indicators – EV Certs
● CA process for EV Certs
– Verifying the legal, physical and operational exis
tence of the entity
– Verifying that the identity of the entity matches offi
cial records
– Verifying that the entity has exclusive right to use
the domain specified in the EV Certificate
– Verifying that the entity has properly authorized the
issuance of the EV Certificate
9. Security Indicators – Padlock
● Browser displays Padlock for a HTTPS site
– Firefox 2 displays a YELLOW address bar.
– FF3 dropped yellow bar – Tools > PageInfo
– Opera displays a yellow bar along with the padlock
10. Security Architecture
● Google Chrome
– Two protection domains :
● Browser Kernel with the OS and
● Rendering Engine with limited privileges in a sandbox
– HTML parsing, Javascript VM, DOM : rendering engine.
● Complex + historical source of security vulnerabilities
– Browser Kernel
● Persistent Resources (Cookies/Password DB)
● OS interaction, user input, network access
“The Security Architecture of the Chromium Browser”,
http://crypto.stanford.edu/websec/chromium/chromiumsecurityarchitecture.pdf
11. Security Architecture
● Google Chrome
– Attacker cannot read/write user file system
● No malware installation
– Two protection domains – one for user, one for web
● 70% of critical browser vulnerabilities avoided
● 30% cannot be avoided via sandboxing
12. Private Browsing
● Temporary state where the browser stores no lo
cal data – cookies, history
● Use cases
– Researching a medical condition
– Surprise vacation/party
– Internet cafes : shared computers on hourly basis
● Apparently an heavily user demanded feature
● IE8, FF3.1, Opera, Google Chrome and Safari
13. Plugins
● Typically plugins run outside of the browser
process with the full rights of the user.
– Plugin crash should not crash the browser
– Adobe Flash plugin needs to write flash cookies
14. Phishing and Web Site
Vulnerabilities
● Phishing
– User taken to a rogue site imitating a legitimate site
– User enters private information (passwords)
● Web Site Vulnerabilities
– Crosssite scripting (XSS)
– Crosssite Request Forging (CSRF)
● Confused Deputy Attack against the browser
– Header Injection
● HTTP headers generated dynamically based on user input
15. Phishing and Web Site
Vulnerabilities
● Browsers maintain a malware list
– WARN users when a site is from the list
– IE8 scheduled to incorporate
– Google shares its list with Firefox and Chrome
● Tracking Cookies
– Browsers provide you options to disable 3rd party
cookies
– Safari by default rejects 3rd party cooking
16. Report Card
IE FF Safari Chrome Opera
EV Certs Y Y Y Y Y
Padlock Y Y Y Y Y
Malware Blacklist Y Y Y Y Y
Private Browsing IE8 FF3.1 Y Y Y
Parental Controls Y (via addons) Y N (Mini)
17. W3C WSC Specification
● W3C WSC Working Group
– W3C, IBM, Mozilla, Opera, Google, Verisign, Oracle,
Wells Fargo etc
– Mission: specify a baseline set of security context
information accessible to Web users, and practices for
secure and usable presentation of this information, to
enable users to come to a better understanding of the
context that they are operating in when making trust
decisions on the Web.
● Targeted for Web User Agents
● http://www.w3.org/TR/wscui/
18. W3C WSC Specification
● Presentation of identity (of website) information
● Error indicators in security protocol
● Augmented Assurance Certificates (EV Certs)
– Mandatory: Organization (O) attribute of Subject
● Validated Certificates (Known Trust Anchor)
● Mixed Content
● Bookmarking API, Software Installation
● Spec includes Use Cases and Threat Trees
19. W3C WSC – Threat Trees
● Luring Attacks
– User taken to a different site than what he believes
● Site Impresonation Attacks
● Cross Site Request Forgery
● Cross Site Scripting
● Network based eaves dropping
– Session hijacking, credential stealing or private info
20. Tips for Secure Browsing
● Microsoft Internet Explorer Tips (Source:MS)
– Set your browser security to High
– Add safe websites to trusted sites
– Block pop up windows
● Avoids installation of malicious code
21. Tips for Secure Browsing
● Websites with plugins containing peer to peer
technology may install software/viruses
– Sites with plugins displaying International TV/sports
● Disable Javascript by default if possible.
– NoScript firefox extension can enable it for trusted sites
● Lock down browser configuration based on policies
● Tracking Cookies
– Browser setting to disable auto cookie setting>Block 3rd
party cookies