As browsers accelerate, innovation outpaces security

If you read the report about one of the first Web browser security vulnerabilities, you’d be forgiven for thinking that it was written last week. In 1995, two computer science Ph.D. students at the University of California at Berkeley detailed a way to exploit a serious vulnerability in how Netscape Navigator—then a very popular browser—used encryption to protect online consumer payments.

Twenty-one years later, it doesn’t seem as if much has changed. Web browsers remain difficult to secure precisely because they have become so effective at doing what consumers and site developers want them to do: connect.

“The Web is special because there [are] no installation fees for it. You want to go somewhere, you just go there—it’s done,” says Dan Kaminsky, a security expert who has dedicated his recent work to ending the scourge of clickjacking, a type of Web attack that hides a malicious link under legitimate-looking content.

The Web is “democratizing,” Kaminsky says, because browsers provide “flexibility and freedom” to developers and users alike—and they come preinstalled on nearly all consumer hardware. Other software, he says, has “friction” that slows down access, such as searching in an app store, typing in a password, and installing.

The flip side to that openness is that browsers can be hard to secure. Built-in features enabling activities once seen as extra, such as streaming content, reduce browsers’ reliance on potentially dangerous third-party add-ons. But their continuous, rapid development makes security vulnerabilities as inevitable as the sun rising in the east. And because browsers are consumers’ main software vehicle for accessing the Internet, vulnerabilities can have a massive impact on consumer security.

One annual review of browser security found that the total number of reported vulnerabilities increased by 4 percent from 2014 to 2015. And a Trend Micro blog post last year found uneven support for eight modern security features in Microsoft’s new Edge browser, Google Chrome, and Mozilla Firefox. Edge, threat analyst Henry Li wrote, has reached “security parity” with Chrome, but few people use Edge when compared to Chrome (62.21 percent of desktop users, according to StatCounter) and Firefox (15.37 percent). Firefox and Microsoft’s mainstay, Internet Explorer, lag far behind on Li’s chart, and he did not include Apple’s Mac-only Safari or Opera in his review.

Browser security flaws have such a major impact on consumer security that hackers participating in an annual browser-hacking contest take home tens of thousands of dollars for finding previously undocumented security holes in major browsers. And quickly addressing those security flaws is important for the sake of more than just safety; an IBM study from 2010 estimates that it’s 100 times more expensive to fix a bug after it has reached the public.

Web-browsing security risks extend to vulnerabilities in the sites browsers access and deliver to your device. A June 2016 WhiteHat Security study found that it takes site publishers an average of 150 days to address most vulnerabilities and an average of 500 days to patch high-risk vulnerabilities. That’s plenty of time for a hacker to drive an attack through a hole.

Apps, predominantly on mobile devices, have changed consumer expectations for Web interaction. Research company eMarketer found that each year, people using mobile devices are spending increasingly more time using native apps than mobile Web browsers. This year, that gap is expected to stretch to 2 hours, 24 minutes per day.

The challenge of sustaining the popularity of Web browsers amid increasing app usage augments the “multifaceted” challenges associated with addressing consumer security on the Web, says Giorgio Maone, creator of the popular NoScript Firefox add-on, which blocks JavaScript and other plug-ins from running website content unless approved by the user. Safe browsing, he says, requires securely designed technology, “knowledge, training, and discipline” from website developers, as well as “education and awareness” on the part of users.

When using a Web browser, for example, what people see as a single site is actually a complex composition of computer code, pulled in from various sources, says Richard Barnes, the head of Firefox security at Mozilla. Firefox and competitors such as Chrome, Internet Explorer, Edge, Safari, and Opera mark a site as secure only if each source is securely transmitting code, he says.

“Libraries [of computer code], ad providers, and analytics providers must be encrypted,” he says. “When we give you that green-lock icon in your URL bar, we require that all those components are encrypted.”
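
The rule Barnes describes can be sketched as an audit of a page’s markup. The following Python is an added example, not code from Mozilla or from this article; it is a simplified model that flags any subresource an HTTPS page would fetch over plain HTTP. The tag list, the sample page, and the `.example` hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# Simplified list (assumption); <a href> is navigation, so it is excluded.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that trigger a fetch

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            ref = attrs.get("href") if rels & LINK_RELS else None
        else:
            ref = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if ref:
            # urljoin resolves relative and protocol-relative (//host/x) URLs
            self.found.append((tag, urljoin(self.page_url, ref.strip())))

def insecure_subresources(page_url, html):
    """Return (tag, url) for every subresource fetched over plain HTTP."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.found if urlsplit(u).scheme == "http"]

def lock_eligible(page_url, html):
    """True only if the page is HTTPS and no subresource is fetched over HTTP."""
    return (urlsplit(page_url).scheme == "https"
            and not insecure_subresources(page_url, html))

# Constructed sample page (not from the article).
SAMPLE = """<head><link rel="stylesheet" href="/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/tag.js"></script></head>
<body><img src="http://analytics.example/pixel.gif">
<a href="http://other.example/">plain link</a></body>"""
```

Run against the sample, the audit reports the ad script and the analytics pixel but not the protocol-relative CDN script, which inherits the page’s HTTPS scheme, or the ordinary hyperlink, which is not fetched as part of the page.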

The vast majority of sites, Barnes says, is at least partially unencrypted. A plethora of digital-rights organizations and tech companies, including Mozilla, Facebook, and the Electronic Frontier Foundation, are sponsoring an initiative called Let’s Encrypt to encourage more full-site encryption; in the meantime, blocking sites that aren’t fully encrypted would render the Web mostly inaccessible. And while many people know to look for a lock icon before submitting personal information to a site, many others don’t.

Image caption: No two browsers display their secure-browsing lock icons the same way. From top to bottom: Google Chrome, Mozilla Firefox, Internet Explorer, and Apple Safari. Screenshot by Seth Rosenblatt/The Parallax

Maone and other browser security experts point to Google’s security work on Chrome as important leadership in making all browsers more secure. Introducing a rapid-release cycle of updates every six weeks, for one, makes it easier to deliver security hole patches to users. Sandboxing its rendering engine also prevents malicious code on Web pages from directly affecting the operating system running the browser. (Eight years later, Mozilla is following suit for Firefox.)

“Chrome had the advantage of starting, more or less, from a clean slate. On Firefox, we had several years of history and a much larger code base,” Barnes says. “That was the major thing—going through that entire dynamic code base and deciding what needs to live on which side of that line. Now that we have that separation established, we’ll be able to move more quickly, in terms of [incorporating] better isolation, stronger separation.”

Although Microsoft has built process sandboxing into its new Edge browser, its implementation of sandboxing in Internet Explorer was notable for a security flaw that put users at higher risk of successful attacks, causing worse damage than would have been possible without the sandbox, according to experts.

Microsoft declined to respond directly to questions about its browser security practices, though a company representative says Edge uses “advanced security technologies” such as “sandboxing, compiler, and memory management techniques.”

Apple, which used to make a version of its Mac browser Safari for Windows but no longer supports it, did not return requests for comment.

Maone notes that while sandboxing is important, it doesn’t address the chicken-and-egg relationship between feature development and potential attacks. Nor can it combat longstanding risks such as phishing, conning users into installing malware through means such as drive-by downloads, or clickjacking, which has plagued browsers since at least 2008.

IronFrame, a clickjacking deterrent that Kaminsky introduced in 2015, sounds very simple: Enable the browser to compare what was supposed to be rendered to what was actually rendered, and block it if the two are not identical.

The specification Kaminsky created, on which a developer is working full-time, now has official documentation at the W3C. And at the recent Black Hat computer security conference, Kaminsky announced that he is also using virtualization techniques, working with the Autoclave firewall technology he created, to isolate browsers from the devices on which they run.

Another recent browser security development: the broad adoption of HTML5. The latest overhaul of the Web’s markup language enables publishers to build streaming-media players, complex 2D and 3D graphics, and communication platforms directly into websites. It also reduces exposure to security vulnerabilities accompanying plug-ins such as Java, Flash Player, Silverlight, and QuickTime, says Justin Schuh, who leads the Chrome security team at Google.

“Plug-ins and extensions are usually trying to accomplish something that just isn’t allowed by the browser’s security model—because if it were, you wouldn’t need to extend the browser in the first place,” Schuh says. Phasing out “overtly dangerous” add-ons is essential to the Web’s future, he says.

To that end, Chrome and Mozilla have revealed plans to reduce their support for Flash Player and other plug-ins.

Despite a presumed mutual interest in keeping their users safe, getting browser makers and website publishers to work together to protect users isn’t easy. To keep Web browsers popular and viable, they need to address their legacy security problems, “or people are just going to abandon this platform,” Kaminsky says. “People are browsing the Web like they’re going through a bad neighborhood.”

Update on Tuesday, August 30, with a statement from Microsoft and clarification of Internet Explorer’s use of sandboxing.