There are a bunch of new "web browsers" hitting the market; some of them even claim to be more "secure"... but are they? What's preventing security from happening?
4. What Do Consumers Want?
1st: Functionality.
Then: Security, made simple.
(maybe)
Why is this so hard?
5. Why Can’t It Just Work?
Functional:
• “neat” tech
• Interoperable
• Interactive approach
• Extensible
Secure:
• “trusted” tech
• Minimalistic
Is middle ground just failure for both?
6. Usable Security
Users want security features they don’t need to “think” about
– “It should just be secure without my help”
– Make “security decisions” without compromising the browsing experience
– Protect the user from him/herself
– … is this even possible?
7. Example: Why NoScript Fails
NoScript is security via “plug-in”
– Fails because
• Blocks all script by default
• Breaks functionality for the user
• Requires the user to make security decisions!
– Most common users simply “enable all JS”…
• …and are back to square one
– How many regular users do you know who use NoScript?
8. Firefox? IE? Safari? Chrome?
With all these options, how is a person to choose the right one?
While every browser claims to be “more secure”, what does that mean?
Is there a legitimate reason for your browser to have a task manager?
12. Browser Wish List
• Browser framework itself resilient to attack
– One window/tab can’t crash another?
• Reduced attack surface for plug-ins
– Limit how much damage a plug-in can do
• No session persistence across windows/tabs
– Why does this even exist today?
• Basic security features?
– Provide basic defense against client-side attacks
13. Are Modern Browsers Secure?
No.
Internet Explorer, Firefox, Chrome, Safari … all have the same basic flaws.
14. Rafal Los
HP Application Security Center
Email: Rafal@HP.com
Direct: (404) 606-6056
Twitter: RafalLos
Blog: http://www.communities.hp.com/securitysoftware/blogs/rafal