Is There Room For a Secure Web Browser?
An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting:
"'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."
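The partitioned design the summary describes, as an added illustration that is not OP's code: a toy browser kernel that runs network, render and UI subsystems as separate processes, stamps each message with its real sender, and forwards it only when a policy table allows that sender, receiver and message type. The subsystem names, message types and the in-memory page are assumptions made for this example.

```python
# Added example (not OP's code): toy browser kernel; each subsystem is its own process.
import multiprocessing as mp
import re
from multiprocessing.connection import wait

# Constructed policy: (sender, receiver, message type). Anything else is dropped and
# logged, so a compromised subsystem can only reach the peers the kernel allows.
POLICY = {("ui", "network", "fetch"),
          ("network", "render", "html"),
          ("render", "ui", "draw")}
FAKE_WEB = {"http://example.test/": "<h1>Hi</h1><script>evil()</script><p>body</p>"}  # constructed

def network(conn):  # only this subsystem may resolve URLs; it holds no page state
    req = conn.recv()
    conn.send({"dst": "render", "type": "html", "payload": FAKE_WEB.get(req["payload"], "")})
    # Hypothetical compromised network subsystem trying to drive the UI directly:
    conn.send({"dst": "ui", "type": "draw", "payload": "pwned"})
    conn.send(None)  # "finished" marker understood by the kernel

def render(conn):  # parses untrusted HTML, hands the UI nothing but plain text
    html = conn.recv()["payload"]
    text = re.sub(r"<script.*?</script>|<[^>]+>", " ", html)
    conn.send({"dst": "ui", "type": "draw", "payload": " ".join(text.split())})
    conn.send(None)

def ui(conn):  # issues the fetch for the user, then shows whatever it is handed
    conn.send({"dst": "network", "type": "fetch", "payload": "http://example.test/"})
    conn.send({"dst": "kernel", "type": "done", "payload": conn.recv()["payload"]})
    conn.send(None)

def browser_kernel():
    """Spawn the subsystems and mediate all traffic; returns (displayed_text, denied)."""
    conns, procs = {}, []
    for name, fn in {"ui": ui, "network": network, "render": render}.items():
        conns[name], child_end = mp.Pipe()  # each child is handed only its own pipe end
        procs.append(mp.Process(target=fn, args=(child_end,)))
        procs[-1].start()
    displayed, denied, live = None, [], set(conns)
    while live:
        for ready in wait([conns[n] for n in live]):
            src = next(n for n in live if conns[n] is ready)  # kernel knows the true sender
            msg = ready.recv()
            if msg is None:
                live.discard(src)
            elif msg["dst"] == "kernel":
                displayed = msg["payload"]
            elif (src, msg["dst"], msg["type"]) in POLICY:
                conns[msg["dst"]].send(dict(msg, src=src))  # forward with stamped sender
            else:
                denied.append((src, msg["dst"], msg["type"]))  # audit the violation
    for p in procs: p.join()
    return displayed, denied
```

Calling `browser_kernel()` yields the rendered text "Hi body" and an audit list showing the network subsystem's attempt to talk to the UI was blocked.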
We do not have a malware problem. (Score:0, Insightful)
M$ has a malware problem. I'm all for better design but we should avoid sweeping generalizations about computer security. It's not a "computer virus", it's a Word macro, a PDF pass-through exploit, an Outlook problem, etc. People who pretend to be "platform neutral" are either ignorant or trying to sell you something second rate. Any platform can use more security but only one of them really needs it.
The general approach sounds much like what any browser, or any program for that matter, already does. A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me. All modern software is as modularized as possible. What's really going on here besides Microsoft Research hype?
Re:Somewhat pointless? (Score:5, Insightful)
Please don't link to eWeek (Score:3, Insightful)
Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.
no (Score:3, Insightful)
So no.
Yet another layer to destroy performance. (Score:1, Insightful)
1) The browser's UI layer.
2) The GUI toolkit's high-level rendering layer.
3) The GUI toolkit's low-level rendering layer.
4) Xlib.
5) The network connection, UNIX domain socket or shared memory between the Xlib and the X server.
6) The X server's high-level graphics layer.
7) The X server's low-level graphics layer.
8) The X driver.
9) The Linux kernel.
10) Finally the hardware itself.
So even a "Hello World!" app for a browser goes through at least 10 layers of code, and that's in an ideal situation. It's no wonder that PCs today don't feel any faster than those of a decade ago, even though we've got hundreds of times the processing power and RAM; we keep slowing them down by adding further layers for such basic operations.
Re:Somewhat pointless? (Score:5, Insightful)
The less functionality the better (Score:5, Insightful)
If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a Pandora's box of plugins, languages, interpreted bytecodes, ActiveX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.
By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.
Re:Ad-free version of article (Score:2, Insightful)
I figure that once everyone starts linking to the "no fucking ads so we can read the article comfortably" link, they'll stop providing it. I, for one, would like this feature to continue to exist.
Security is an annoyance to most people (Score:3, Insightful)
Yes, if it's standards-compliant (Score:5, Insightful)
I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).
I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.
Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.
Re:Security is an annoyance to most people (Score:2, Insightful)
Re:Such a great idea (Score:3, Insightful)
But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Postfix, for example, is actually a collection of simple applications. One application does queueing, one specializes in spewing SMTP, one specializes in receiving SMTP, and so on. Also, system call policy enforcement mechanisms (à la systrace) and privilege separation (like in Apache or SSH) can be formally verified to work. I think UIUC is on the right track here. Whether their browser becomes THE web browser is somewhat unimportant, since they're researching an area of security that has had a fair amount of attention from good programmers but not computer scientists. In some ways this is the ultimate in enforcing "object-oriented"-ness: code isn't just a collection of modules, the application is a collection of small applications, too.
Here's what I want (Score:4, Insightful)
To me a secure browser would be non-modular, and be pretty slim on the list of features.
NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled.
No giving out referrer info unless you say so
strict cookie control
mike's ad blocking hosts file built in, and configurable (or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
Javascript turns off URL bars, resizes windows? I don't think so. Leave that to the user.
And I'm betting there's 20 other things I haven't thought of that are mandatory. The web browser has become so fluid that there's tons of entry points to a user's system now.
Re:Somewhat pointless? (Score:4, Insightful)
Yes, it's called IE 7 on Vista (seriously) (Score:3, Insightful)
While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)
Re:Ad-free version of article (Score:2, Insightful)
Besides, you clearly take advantage of the karma bonus that the ad-ridden stories provide ;).
Re:Somewhat pointless? (Score:4, Insightful)
IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.
Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why, with all the processing power and processor extensions available, a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade-off.
This kind of thing can already be done presently, just in a less efficient and less fine-grained manner: Linux or similar in a VM.
Re:Here's what I want (Score:3, Insightful)
That person oughtta be lynched.
A decent solution (Score:3, Insightful)
Government model (Score:3, Insightful)
Re:I've got a secure web browser (Score:2, Insightful)
Re:Somewhat pointless? (Score:5, Insightful)
If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.
Re:The less functionality the better (Score:3, Insightful)
Yes, and if everyone were to drive 25 miles per hour there would be far fewer accidents on the road.
Re:Somewhat pointless? (Score:4, Insightful)
The key feature is Trusted Computing.
So who is this product for?
The RIAA, MPAA, and all those people who want to make DRM locked websites where no one can save copies of pictures or any other content from the page, where you can't copy-paste text or anything else, where you can't run any ad-blockers, where you can't view the webpage source, where you can't "deep link", where they can securely track your identity, etc etc etc.
Here's this guy's page [uiuc.edu] at The Information Trust Institute (ITI). [uiuc.edu]
Their definition of "secure" is securing computers against the owner.
They do Trusted Computing, Trusted Platform Models, DRM, they are even working on a Trusted DRM P2P system. Oh joy, I can't wait to get me some of that Trusted DRM P2P! Woohoo! Yummy! to ensure that distributed multimedia protocols' trustworthiness is enforced in terms of security... security when delivering voice, music... trusted peer-to-peer (P2P) streaming protocols in large-scale ad hoc distributed systems for efficient content distribution... Issues of digital rights management [uiuc.edu]
Come on, don't tell me no one noticed the project name "Opus Palladianum" and thought, "Damn, that sounds like Palladium!" Yep, this is the scheme for a DRM locked down browser running on a DRM hardware locked Palladium system. And yeah, the article mentions that this guy came from Microsoft. Who here is surprised at that? Yeah, me neither.
Yeah, tag this article trustedcomputing. Or treacherouscomputing if you prefer.
Plan 9 (Score:4, Insightful)
Plan 9 never "made it big", but it wasn't supposed to. Now most Unix systems have adopted ideas from Plan 9, like the
Plan 9 isn't a superstar, and in my personal opinion it's a pain to try to use, but it's considered a highly successful project. I'd like to try this browser, just because it sounds cool, even if it isn't my new browser of choice. I hear people praise Firefox, not because it's the best browser ever, but because it put pressure on Explorer to keep up with the market.
Proof of concept is worth a lot.
Re:Somewhat pointless? (Score:2, Insightful)
Maybe you should transfer. If they hire admins that bad, what does it say about the rest of their staff?
Re:Somewhat pointless? (Score:3, Insightful)