Software Security The Internet

Is There Room For a Secure Web Browser? 222

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."
This discussion has been archived. No new comments can be posted.

  • by twitter ( 104583 ) * on Thursday March 27, 2008 @08:30PM (#22888616) Homepage Journal

    M$ has a malware problem. I'm all for better design but we should avoid sweeping generalizations about computer security. It's not a "computer virus" it's a Word Macro, a pdf pass through exploit, an Outlook problem, etc. People who pretend to be "platform neutral" are either ignorant or trying to sell you something second rate. Any platform can use more security but only one of them really needs it.

    The general approach sounds much like what any browser, or any program for that matter, already does. A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me. All modern software is as modularized as possible. What's really going on here besides Microsoft Research hype?

  • by Bacon Bits ( 926911 ) on Thursday March 27, 2008 @08:38PM (#22888662)
    Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.

  • by Animats ( 122034 ) on Thursday March 27, 2008 @08:38PM (#22888664) Homepage

    Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.

  • no (Score:3, Insightful)

    by Kohath ( 38547 ) on Thursday March 27, 2008 @08:39PM (#22888678)
    Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

    So no.
  • by Anonymous Coward on Thursday March 27, 2008 @08:41PM (#22888720)
    This is just another layer of software to further destroy the performance of our modern PCs. Even just to render a string on-screen in a web app goes through numerous layers on a typical Linux system:
    1) The browser's UI layer.
    2) The GUI toolkit's high-level rendering layer.
    3) The GUI toolkit's low-level rendering layer.
    4) Xlib.
    5) The network connection, UNIX domain socket or shared memory between the Xlib and the X server.
    6) The X server's high-level graphics layer.
    7) The X server's low-level graphics layer.
    8) The X driver.
    9) The Linux kernel.
    10) Finally the hardware itself.

    So even a "Hello World!" app for a browser goes through at least 10 layers of code, and that's in an ideal situation. It's no wonder that PCs today don't feel any faster than those of a decade ago, even though we've got hundreds of times the processing power and RAM; we keep slowing them down by adding further layers for such basic operations.

  • by webmaster404 ( 1148909 ) on Thursday March 27, 2008 @08:43PM (#22888732)
    No, how Gecko/WebKit got so popular was because of how bad both a) ActiveX was and b) How much of a pain it was to get IE to render simple things. What we need is less bloated browsers, those that don't use up 100+ MB of RAM, along with faster browsers, as for security, as long as it is open-source it will probably be patched and up to date well enough to deal with all the problems except the one typing on the keyboard.
  • by sweet_petunias_full_ ( 1091547 ) on Thursday March 27, 2008 @08:46PM (#22888754)
    The solution for a more secure browser isn't to gild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.

    If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

    By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.
  • by noidentity ( 188756 ) on Thursday March 27, 2008 @08:54PM (#22888846)

    How hard is it to look for the "Print version" w/o ads and link to that?

    I figure that once everyone starts linking to the "no fucking ads so we can read the article comfortably" link, they'll stop providing it. I, for one, would like this feature to continue to exist.

  • by icepick72 ( 834363 ) on Thursday March 27, 2008 @08:54PM (#22888848)
    Security isn't important enough to people right now to make the change away from IE (or older versions of it). A new browser deemed more secure will be met with less interest because those people not wanting to deal with current secure features in Firefox like NoScript and AdBlock plugins, surely they won't want to fiddle with something having even more restraints.
  • by mandelbr0t ( 1015855 ) on Thursday March 27, 2008 @08:54PM (#22888854) Journal

    I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).

    I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.

    Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.

  • by WarJolt ( 990309 ) on Thursday March 27, 2008 @09:09PM (#22888962)
    People don't want to deal with it. The other day I was hearing someone complain about Vista's security features. However, a secure architecture is different from a security feature. The idea is to prevent exploits and minimize the damage when things go wrong. Ideally the user won't have to enable a setting. I'd adopt it.
  • by raddan ( 519638 ) on Thursday March 27, 2008 @09:25PM (#22889064)
    I'm not sure if you're being witty or just naive, but this really does appear to be a general software engineering strategy that works. I don't know much about how Windows' kernel works, so I can't say whether their implementation is any good-- I suspect that their business imperative to provide backward compatibility and rich APIs have probably hindered their efforts on the security front.

    But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Postfix, for example, is actually a collection of simple applications. One application does queueing, one specializes in spewing SMTP, one specializes in receiving SMTP, and so on. Also, system call policy enforcement mechanisms (ala systrace) and privilege separation (like in Apache or SSH) can be formally verified to work. I think UIUC is on the right track here. Whether their browser becomes THE web browser is somewhat unimportant, since they're researching an area of security that has had a fair amount of attention from good programmers but not computer scientists. In some ways this is the ultimate in enforcing "object-oriented"-ness: code isn't just a collection of modules, the application is a collection of small applications, too.
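Added example, not part of the thread and not the OP project's code: a Python model of the design described in the story summary and in the comment above, where each subsystem runs as its own process and a kernel forwards a message only if an explicit policy allows it. The subsystem names, message types and policy table are assumptions made for illustration.

```python
import json
import subprocess
import sys

# Assumed policy (not taken from the OP browser): the only
# (sender, receiver, type) triples the kernel will forward.
POLICY = {
    ("web_page", "network", "fetch"),
    ("web_page", "ui", "render"),
}

# Each subsystem is its own OS process that only sees its stdin/stdout pipe.
SUBSYSTEM_SRC = r"""
import json, sys
for line in sys.stdin:
    msg = json.loads(line)
    print(json.dumps({"by": sys.argv[1], "handled": msg["type"]}), flush=True)
"""


class BrowserKernel:
    def __init__(self, names):
        self.audit = []  # (sender, receiver, type, verdict)
        self.procs = {
            n: subprocess.Popen(
                [sys.executable, "-c", SUBSYSTEM_SRC, n],
                stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
            for n in names
        }

    def route(self, sender, receiver, msg):
        # 'sender' stands for the pipe the message arrived on; it is never
        # read from the message body, which the sender controls.
        mtype = msg.get("type") if isinstance(msg, dict) else None
        ok = (sender, receiver, mtype) in POLICY and receiver in self.procs
        self.audit.append((sender, receiver, mtype, "allow" if ok else "deny"))
        if not ok:
            return None  # dropped: the receiver never sees the message
        proc = self.procs[receiver]
        proc.stdin.write(json.dumps(msg) + "\n")
        proc.stdin.flush()
        return json.loads(proc.stdout.readline())

    def shutdown(self):
        for proc in self.procs.values():
            proc.stdin.close()  # EOF ends the subsystem's read loop
            proc.wait()
            proc.stdout.close()


def demo():
    # Constructed scenario: a page subsystem makes one permitted request
    # and two requests the policy does not list.
    kernel = BrowserKernel(["network", "storage", "ui"])
    try:
        replies = [
            kernel.route("web_page", "network", {"type": "fetch", "url": "https://example.com/"}),
            kernel.route("web_page", "storage", {"type": "read", "key": "cookies"}),
            kernel.route("web_page", "network", {"type": "raw_socket"}),
        ]
    finally:
        kernel.shutdown()
    return replies, kernel.audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The audit list is the piece a monitoring kernel gets for free: every denied request from a subsystem is recorded at the single choke point, whether or not the subsystem itself has been compromised.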
  • Here's what I want (Score:4, Insightful)

    by British ( 51765 ) <british1500@gmail.com> on Thursday March 27, 2008 @09:32PM (#22889120) Homepage Journal
    How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.

    To me a secure browser would be non-modular, and be pretty slim on the list of features.

    NO activeX
    NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
    No giving out referrer info unless you say so
    strict cookie control
    mike's ad blocking hosts file built in, and configurable(or something similar)
    CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
    Javascript turn off URL bars, resizing of windows? I don't think so. Leave that to the user.

    And I'm betting there's 20 other things I haven't thought of that's mandatory. The web browser has become so fluidic that there's tons of entry points to a user's system now.
  • by piojo ( 995934 ) on Thursday March 27, 2008 @09:36PM (#22889142)
    This browser seems like the sort of thing that big companies might like to install on their workstations. After all, they don't care that much about usability (my university currently has right clicking disabled--there are quite a few things that are harder or impossible if you can't right click). I don't mean to say that this browser will be unusable--it's just that a corporation might sacrifice speed and flexibility for security. This browser might also be good for kiosks.
  • by ThinkFr33ly ( 902481 ) on Thursday March 27, 2008 @09:44PM (#22889212)
    I know, I know... this is Slashdot, I shouldn't bother. But IE 7 on Vista (running in Protected Mode [msdn.com]) is pretty damn secure [washington.edu].

    While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)
  • by chubs730 ( 1095151 ) on Thursday March 27, 2008 @09:54PM (#22889282)
    Because some folks would like to make a living off of this whole internets thing. It's no secret that nobody likes ads, but hosting and bandwidth costs money. This is one reason that all the "I use adblock and I'm going to let you know every chance I get" people bother me. If nobody sees these ads, or clicks them, then the sites you've come to rely on for free will cease to exist.

    Besides, you clearly take advantage of the karma bonus that the ad-ridden stories provide ;).

  • by hedwards ( 940851 ) on Thursday March 27, 2008 @10:02PM (#22889328)

    Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".
    The current number of browser exploits clearly indicates that you are correct.

    IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.

    Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why with all the processing power and extensions to the processor that a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade off.

    This kind of thing can already be done presently. Just in a less efficient and less fine grained manner. Linux or similar in a VM.
  • by n6kuy ( 172098 ) on Thursday March 27, 2008 @11:05PM (#22889704)
    What I'd like to know is who's the asshole that designed the functionality into JavaScript that allows it to take control of stuff that it has no business taking control of, such as window decorations, URL bar, status bar, right click menu, etc.

    That person oughtta be lynched.
  • A decent solution (Score:3, Insightful)

    by kylehase ( 982334 ) on Friday March 28, 2008 @12:10AM (#22890084)
    Just take Firefox Portable [portableapps.com] and disable many of the nasty defaults like third-party cookies etc. Then load all the paranoia extensions like no-script, safecache, safehistory, refcontrol, cslite etc. and you can create a pretty secure browser without having to develop one yourself.
  • Government model (Score:3, Insightful)

    by Mr. Underbridge ( 666784 ) on Friday March 28, 2008 @12:26AM (#22890184)
    I think that's the security model our government uses. Wrap everything in massive layers of bureaucracy and nothing bad happens. Of course, nothing good happens either, but that's OK.
  • by x1n933k ( 966581 ) on Friday March 28, 2008 @12:34AM (#22890226) Homepage
    Well not to say that Lynx is perfect but I'd like to note that the first link shows an exploit over 10 years old and the second is almost 3 years old. Both have been addressed.
     
    [J]
  • by AnonymousCactus ( 810364 ) on Friday March 28, 2008 @12:46AM (#22890304)
    These guys are researchers, why do you think their goal is to make a separate, competing browser? Generally, that only happens if the market is dumb enough to miss potential, if indeed it has some.
    If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
    As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.
  • by dreamchaser ( 49529 ) on Friday March 28, 2008 @04:05AM (#22891226) Homepage Journal
    If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

    Yes, and if everyone were to drive 25 miles per hour there would be far fewer accidents on the road.
  • by Alsee ( 515537 ) on Friday March 28, 2008 @04:10AM (#22891244) Homepage
    I'm not sure if I get this. The key feature seems this:

    The key feature is Trusted Computing.

    So who is this product for?

    The RIAA, MPAA, and all those people who want to make DRM locked websites where no one can save copies of pictures or any other content from the page, where you can't copy-paste text or anything else, where you can't run any ad-blockers, where you can't view the webpage source, where you can't "deep link", where they can securely track your identity, etc etc etc.

    Here's this guy's page [uiuc.edu] at The Information Trust Institute (ITI). [uiuc.edu]

    Their definition of "secure" is securing computers against the owner.

    They do Trusted Computing, Trusted Platform Models, DRM, they are even working on a Trusted DRM P2P system. Oh joy, I can't wait to get me some of that Trusted DRM P2P! Woohoo! Yummy! to ensure that distributed multimedia protocols' trustworthiness is enforced in terms of security... security when delivering voice, music... trusted peer-to-peer (P2P) streaming protocols in large-scale ad hoc distributed systems for efficient content distribution... Issues of digital rights management [uiuc.edu]

    Come on, don't tell me no one noticed the project name "Opus Palladianum" and thought, "Damn, that sounds like Palladium!" Yep, this is the scheme for a DRM locked down browser running on a DRM hardware locked Palladium system. And yeah, the article mentions that this guy came from Microsoft. Who here is surprised at that? Yeah, me neither.

    Yeah, tag this article trustedcomputing. Or treacherouscomputing if you prefer.

    -
  • Plan 9 (Score:4, Insightful)

    by spidr_mnky ( 1236668 ) on Friday March 28, 2008 @04:26AM (#22891304)
    As parent says, the product doesn't have to gain great popularity to have a great effect on the field, especially after a few years.

    Plan 9 never "made it big", but it wasn't supposed to. Now most Unix systems have adopted ideas from Plan 9, like the /proc filesystem, and more concepts are being ported still, such as PortalFS, applying the theory that everything should be a file to network sockets.

    Plan 9 isn't a superstar, and in my personal opinion it's a pain to try to use, but it's considered a highly successful project. I'd like to try this browser, just because it sounds cool, even if it isn't my new browser of choice. I hear people praise Firefox, not because it's the best browser ever, but because it put pressure on Explorer to keep up with the market.

    Proof of concept is worth a lot.
  • by jlarocco ( 851450 ) on Friday March 28, 2008 @05:20AM (#22891488) Homepage

    Maybe you should transfer. If they hire admins that bad, what does it say about the rest of their staff?

  • by piojo ( 995934 ) on Friday March 28, 2008 @02:33PM (#22896532)

    Maybe you should transfer. If they hire admins that bad, what does it say about the rest of their staff?
    That's like saying, "Oh, don't study physics at that school--just look at their biology department, it's terrible!" Furthermore, I did think about transferring a few years ago (because of a more relevant concern), but for better or worse, I stayed, and I'm graduating in June. No transfer for me.
