Professional Documents
Culture Documents
MARCH 2010
Web Browser
Security Deep
Dive
run or arent allowed to render content from the Internet. But assuming your enterprise needs to browse the
Internet and seeks a Web browser with an acceptable
level of security, keep reading. A secure browser must
include the following traits as a minimum:
It was coded using Security Development Lifecycle
(SDL) techniques.
It has undergone code review and fuzzing.
It logically separates network and local security
domains.
It prevents easy malicious remote control.
It prevents malicious redirection.
It has secure defaults.
It allows the user to confirm any file download
or execution.
It prevents URL obscurity.
It contains anti-buffer overflow features.
It supports common secure protocols (SSL,TLS,
etc.) and ciphers (3DES, AES, RSA, etc.).
It supports Extended Validation, or EV, digital
certificates. Browsers that support EV certificates
display a special icon, or shade the address bar,
when a user surfs to a site secured by one.
It patches and updates itself automatically (with
the users consent).
It has a pop-up blocker.
It utilizes an anti-phishing filter.
It prevents Web site cookie misuse.
It prevents easy URL spoofing.
It provides security zones/domains to segregate
trust and functionality.
It protects the users Web site logon credentials
during storage and use.
It allows browser add-ons to be easily enabled
and disabled.
It prevents mischievous window use.
It provides privacy controls.
It has been battle tested by hackers over a sufficient period of time.
Another good place to start learning the detailed
basics of Web browser security is Part 2 of the Browser
Security Handbook, maintained by Michal Zalewski. The
Browser Security Handbook gives a great introduction
M A R C H 2 010
User-definable security zones (also known as security domains) are also an important feature. Ultimately,
less functionality translates into better security. Security
zones provide a way to classify various Web sites as more
trustworthy and, hence, suited for greater functionality.
You should be able to trust your companys Web sites significantly more than a Web site offering pirated software
or a small Web page served up by someone you dont
know. Security zones allow you to set various security
settings and functionalities based upon the Web sites
location, domain, or IP address.
Security domains are used in every computer security
product (firewalls, IPSes, and so on) to establish security
boundaries and areas of default trust. Having a security
zone in a browser extends that model. Browsers without security zones encourage you to treat all Web sites
with the same level of trust -- as well as to reconfigure
the browser or use another browser for less trustworthy
Web sites before each visit.
Vulnerability announcements and attacks. How
many vulnerabilities have been found and publicly
announced against the browser product? Are the vulnerability counts going up or down as the vendor patches its
browser? How severe have the vulnerabilities been? Do they
allow full system compromise or denial of service? How
many vulnerabilities are currently unpatched? What is the
history of zero-day attacks against the vendor? How often is
the vendors browser targeted versus a competitors product?
Browser security tests. How did the browser fare
against popularly available browser security test suites?
In this review, all of the products passed the most wellknown browser security tests located on the Internet,
so each item was further exposed to dozens of real-life
malicious Web sites. Often the outcome was not pretty.
I experienced frequent browser lockups, objectionable
content, and sometimes complete system reboots.
Enterprise manageability features. InfoWorld caters to
administrators and technicians who need to accomplish
tasks across an entire enterprise. It is generally easy to secure
a favorite individual browser for personal use, but doing so
for an entire business requires special tools. If the browser
were selected for enterprise use, how easy is it to install, set,
and manage secure configurations for every user?
M A R C H 2 010
BROWSER FINDINGS
BROWSING BEHIND
MANDATORY INTEGRITY CONTROLS
Windows 7 and Windows Vista include a security
construct called Mandatory Integrity Controls (MIC),
which is similar to integrity functionality long available
in the Linux and Unix worlds. In these later versions
INFOWORLD.COM DEEP DIVE SERIES
Common TLS/SSL symmetric ciphers, in order of strongest to weakest (generally), include Advanced Encryption
Standard (AES), Triple DES (3DES), RC4, Data Encryption
Standard (DES), and RC2. Every browser today should be
offering AES as its default symmetric protocol, followed
by 3DES as a backup. The other protocols should only be
used for legacy compatibility or offered last.
Common TLS/SSL asymmetric ciphers, in order of
strongest to weakest (generally), include Elliptical Curve
Cryptography (ECC), Rivest Shamir Adleman (RSA), and
Diffie Hellman (DH, or DHE for key exchange). ECC is the
newly crowned standard for asymmetric ciphers these days,
and included in the U.S. Governments Federal Processing
Information Standards (FIPS) as part of what is called Suite
B. A browser must support Suite B to be considered for use
by the U.S. Government. Browsers should offer ECC as the
first asymmetric cipher, followed by RSA or DH.
HASH FUNCTIONS
The Web is full of cross-site scripting (XSS) attack warnings. Essentially, XSS refers to the injection of malicious
JavaScript into a legitimate Web page, where it can then be
executed in the browsers of innocent visitors. A Web site
is susceptible to XSS if it allows users to upload content
to be shared with others and does not thoroughly inspect
that content to remove potentially malicious scripts.
Take, for example, a Web site that hosts a user contributable blog. Perhaps all the Web developer wanted
was for users to be able to upload plain text, and never
considered that this would also allow scripting. Because
of this oversight, the developer never thinks to filter the
content. Bad mistake.
A common test script used to determine whether a
Web site is vulnerable to XSS is:
Preferred
SSL/TLS cipher
Related notes
Strongest in review,
strong defaults, 34 total
ciphers to choose from
Internet
TLS, RSA, AES,
Explorer 8 128-bit key
beta 2
<SCRIPT>alert(XSS is possible);</SCRIPT>
If you can upload that content to the Web site, and
you can see the alert when the page is viewed, then the
Web site is XSS exploitable. An excellent tutorial on XSS
issues is available on the Open Web Application Security
Project Web site.
Whats the big deal with executing a few unexpected
JavaScript commands? After all, the JavaScript execution can only do what the user can do in the users own
security context, right?
Unfortunately, a lot of bad things can be done in the
users context, especially when the majority of Windows
users are running as Administrators. XSS attacks have
been highly successful at reaching outside of the browser
to steal confidential information the user would otherwise not want to share. In some cases they can cause buffer overflows and even complete system compromise.
Once during my professional penetration testing
days, my team was hired to break into a cable company
through its own cable set top devices. The set top boxes
were completely HTML-enabled and allowed tremendously fine-grained control over the users experience.
They even included a host-based firewall.
A quick check, using the test script string noted above,
M A R C H 2 010
M A R C H 2 010
10