Security practitioners constantly hear some variant of the question, “what is the most secure Web browser?”
Any time there is a major vulnerability discovered inone of the major Web browsers, people start scrambling to find something safer. However, doing so is a fool’s errand. In our efforts to flee to better security, we are simply careening from insecurity toinsecurity.
Secunia’s 2015 vulnerability report showed that in 2014 alone there were over 249 significant security patches to Internet Explorer and over 504 patches to Chrome. That is more than one security patch per day for Chrome. Firefox and Safari are no better; their patch reporting just makes it harder to count security patches from others.
While all software has bugs, Web browsers have unique characteristics that make them the source of over 90 percent of undetected malware, according to Palo Alto Networks’ March 2013, The Modern Malware Review. In fact, of all applications, the five most vulnerable are either browsers or browser plugins. Although one browser might be slightly more secure than another at any given moment, they all represent a gigantic security gap.
The reality is there is no such thing as a secure Web browser. To understand how we can make the Web safe for users, we first need to understand why browser security has proven to be impossible – only then can we start to consider strategies that can make it safe again.
Why are browsers so insecure?
Browsers are often the largest and most complex piece of software on a computer after the operating system itself. For instance, Firefox contains about 15 million lines of code, making the well of possible exploits and bugs virtually bottomless. Hackers are not slowing down in discovering new vulnerabilities, and browsers keep growing with new features and capabilities in each version.
Plus, browsers don’t run in a vacuum. Most users have the two biggest exploit generators installed — Flash and Java. Many other users also have other plugins like search bars, social media tools, price comparison tools, video downloaders, popup-blockers, etc. installed. Unfortunately, few plugins have undergone security testing. Some even introduce gigantic new vulnerabilities, like Superfish, which allowed attackers to perform easy man-in-the-middle attacks against SSL to steal passwords and hijack secure Web connections.
Additionally, most applications only provide a limited set of capabilities ,whereas by nature browsers have the ability to execute entire programs downloaded from Websites. HTML5, Java, JavaScript and Flash are all full programing languages capable of performing any logical operation. It’s literally impossible for the people writing browsers to test them against every possible action these programs could take.
Security conundrum
There are several characteristics making browsers and the HTTP protocol particularly difficult to secure. First, browsers support a tremendous variety of file types. While Skype only manages Skype calls, or Microsoft Word only deals with a handful of document file types, browsers must be able to download and display dozens of file types. These files could be compressed, encoded, executable, streaming, etc. Plus, the Web is a real time — or near real time – experience, meaning there is no opportunity to test and scan files in depth as they come across the wire. This often leaves just signature-based detection, which is very weak.
Second, firewalls must be very permissive of Web traffic. Firewalls are most effective when they keep out connections initiated from the outside. They can restrict connection to only certain ports and servers and can severely limit the kinds of content that can reach those servers. With the Web, the connections are initiated from the secure side of the firewall. Users are reaching out and inviting content to come into the network — and that content might legitimately be almost anything. Firewalls generally have to assume that the user really wanted everything their browser requests.
Three security strategies
Minimize damage. The browser is going to be penetrated,but it doesn’t generally contain much sensitive information. Compartmentalize your environment to prevent attackers from accessing sensitive data and resources directly from the compromised browser.
Contain the attack. The initial infection isn’t where the real damage happens. However, attackers use it to launch follow-on attacks on ever more useful and privileged accounts and devices. Ensure that attackers can’t use the browser as a beachhead to expand their attacks into the rest of the network.
Automate recovery. After detecting a breach it can take significant time and effort to lock down the affected machine and restore things to a safe state. This is expensive, and delays might give the attacker time to move on before the infection is cleared. Also, it tends to limit recovery to cases where an infection has been definitively detected. If recovery can be made quick and cheap enough, it can be done when there is even a suspicion of infection. Better yet, the system can be recovered to a safe state very frequently even if nothing has been detected to remove any advanced or zero-day malware.
Fortunately, virtualization technologies have made it possible to cost effectively implement all these strategies — and tremendously improve overall security even in the face of the fundamentally insecure browser.
Running the browser in a dedicated virtual machine that is rolled back after every use can effectively automate recovery. Minimization and containment require properly configuring that virtual machine. For containment, the virtual machine must not share files or folders with the local hard drive, and should be prevented from communicating with the local network. Minimize damage by only using the virtual machine for the browser, not for any other applications or purposes.
These techniques will keep you safe while browsing, even if there is no such thing as a secure browser.
Lance Cottrell is the chief scientist at Ntrepid, is a well-known expert on security, privacy, anonymity, misattribution and cryptography who founded Anonymizer in 1995, which was acquired by Ntrepid (then Abraxas) in 2008. Anonymizer’s technologies form the core of Ntrepid’s Internet misattribution and security products. As Ntrepid’s chief scientist, Cottrell continues to push the envelope with the new technologies and capabilities required to stay ahead of rapidly evolving threats.
