Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- From: andre@xxxxxxxxxxxxxx
- Subject: Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers
- Date: Sat, 11 Aug 2007 19:08:35 -0500
On 8/11/07, Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx> wrote:
> to execute and more importantly what they'd be able to do. It's like
> website permissions for JavaScript defined by a website policy.
It's like trusted path execution, one of the first mechanisms deployed for providing assurance to any platform.
In Phrack issue 52, part 6, "Hardening the Linux Kernel (series 2.0.x)", many new mechanisms for re-architecting security in the kernel were presented. I see blurring lines of similarity... content-restrictions and httpOnly as similar to TPE... the browser "Intranet" problem as similar to group access to sockets and raw packets... and RIA as similar to the ability to turn certain files off for write or make append-only... or hiding processes, etc.
What we have today for providing assurance to the browser may follow the same history as the OS. Some of the best protections are simple barriers like TPE designed in. The next evolutionary step from TPE was something like DigSig which verifies digital signatures before a program is allowed to execute. Signed Java and JavaScript also need to be looked at as browser protection mechanisms. Does the requirement for signed code outweigh content-restrictions? My answer is, "yes", but we still need to provide both. What do you think?
It is also sometimes good to start over. We should all assume that neither IE nor Firefox will make it another 3 years. There should be people building browsers with security designed in.
Certain components from IE or Mozilla could end up in future secure browsers. I would rather see re-use of Elinks or Links than these monolithic and huge code-bases. Developers should recognize this need and plan/build for a more assured browser.
Even if Firefox can fix a bug in 10 days - this isn't a metric that demonstrates a more secure product. Assured security can never be bolted on after-the-fact. Mozilla may even create some of the best open-source SCA and fuzzing tools for browsers - but it's not the same as building security in from the start.
Cheers,
dre
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org