None of the major Web browsers is secure, and without significant changes security will continue to be a problem, according to Web security researchers. Increased functionality, the rise of sophisticated attacks, and a resistance among browser makers to integrate security into product development has left browsers more vulnerable to attacks.
Researchers say that through the addition of features and Web 2.0 technologies, browsers have become more open to attack.
Gary McGraw, CTO of Cigital, agreed that an abundance of features has made browsers less secure. We trade functionality for security, he said.
"The trend is in the wrong direction," he said. "Since Mosaic in 1993, browsers look more like complete operating systems than they did back in those days."
However, it would be difficult to find anyone who would want to trade in Firefox for Mosaic. Hansen half-joked at a recent OWASP conference that the only way to avoid a new clickjacking threat was to run the text-based browser Lynx, although such masochism would likely be exhibited among only the most paranoid of Web users.
Competition among browsers
When Google released its browser, Chrome, in September, it faced stiff competition from Microsoft's Internet Explorer, Mozilla's Firefox, Opera, and Apple Computer's Safari. Consumers have many browsers to choose from, but their options for security are still limited. None of the browsers is particularly secure, according to Hansen.
Jeremiah Grossman, founder and CTO of WhiteHat Security, put it more plainly: "There is no browser security."
The "browser wars" both help and hinder security, researchers say.
"While there aren't that many more browser experts out there than there were two years ago, their understanding of browser nuances has definitely increased tremendously with the advent of the browser wars," Hansen said. "Competition is ultimately good, because it can force browsers to look for differentiators."
Security is one of those differentiators. However, features that ultimately hamper security are among the differentiators as well, continued Hansen.
Additional browsers also mean additional work for security and testing professionals.
Mike Kelly, director of testing and quality assurance at Interactions, explained that a "combinatorial problem" arises from the presence of so many browsers and their various versions.
"If you have five browsers, each browser has two versions you support, and you need to support a different variety of security settings, then you have a very large number of platforms to test," he said. "If you assume even something as simple as three different security setting configurations, you're looking at around 5 x 2 x 3 tests -- or 30 different configurations."
Bolting on security
It may seem surprising that, with all of the security features browsers come with now, they would be considered insecure. But security add-ons can't completely make up for a lack of security in the SDLC.
"Web browser security add-ons don't do anything, particularly," Grossman said.
To mitigate risks online, Grossman uses an older browser for sensitive transactions. An old browser lacks security features, but its obscurity makes it a less-attractive target for attackers, he explained. McGraw uses Opera for similar reasons. "An attack aimed at IE it isn't likely to work against Opera," he said.
Hansen is concerned about architectural flaws in browsers. Familiar security issues such as cross-site scripting (XSS) and cross-site request forgery (CSRF), are architectural-level design flaws, he said. Clickjacking, a threat uncovered recently by Hansen and Grossman, falls under the same category. These flaws are far more difficult to fix than bugs in code.
"Fixing them means breaking legitimate functionality that exists on the Internet," Hansen explained. "No one wants that -- so they go unfixed."
Instead, patches are issues and plug-ins are recommended. Hansen said the browsers have bolted on things such as basic and digest authentication, SSL, HTTPOnly, and some other vaguely useful security policies. However, those measures leave browsers only slightly more secure as attacks become dramatically more sophisticated, he said.
Grossman acknowledged that browser makers are in a tough spot when it comes to security.
"In their defense, security is a really hard problem," he said. "They all say they're doing their best. I say it's insecure."
What browser makers and users can do
Security bugs aren't going to disappear, Kelly said, but there is definitely room for browser makers to do more.
"A development team only has months to harden a browser for security exploits while a hacker has years to find new exploits," he said. "I think there is more we can do collaboratively as an industry."
McGraw is more direct. "Browser vendors should practice software security just like everybody else," he said. "In this case, since they have hundreds of millions of users, it's particularly important that they build security in."
Standardized authentication for websites would be a good step toward security, said Hansen. He also predicted that "site security policies that allow websites to tell browsers how to treat their information and what to do once they visit the site is going to be an important future design improvement for browsers."
Hansen recommended that browsers alert users when they are being sent to Intranet 'zones' such as RFC1918 or localhost. "A lot of the more dangerous theoretical attacks are starting to target internal devices from the browser," he explained.
Users should, as always, practice common sense when giving out sensitive information online. Hansen, Grossman, and McGraw all recommended virtualization as a possible safety option, although it isn't practical for individual users. Limiting sensitive transactions to one browser and surfing to another, as Grossman does, helps to compartmentalize risk and is a good alternative for end users.