Is There Room For a Secure Web Browser?

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."

Somewhat pointless?

[Izabael_DaJinn]

I'm not sure if I get this. The key feature seems this:

"Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.

Great! :)

But even if it works as planned...this new browser is going to enter the market and who is going to download it? A tiny percentage of internet users--those would be part of the same minority who would also know how to use Firefox (and other browsers) quite safely *right now*.

So who is this product for? Seems interesting from a design point of view, but unelss one of the big browsers adopts it, could it really make even a tiny dent on the security of the internet?

I predict no. The internet's main problem is between the monitor and keyboard ;-)

*iza

Re:Somewhat pointless?

[Bacon Bits]

Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.

Re:Somewhat pointless?

[webmaster404]

No, how Gecko/WebKit got so popular was because of how bad both a) ActiveX was and b) How much of a pain it was to get IE to render simple things. What we need is less bloated browsers, those that don't use up 100+ MB of RAM, along with faster browsers, as for security, as long as it is open-source it will probably be patched and up to date well enough to deal with all the problems except the one typing on the keyboard.

Re:Somewhat pointless?

[Bacon Bits]

And why was ActiveX bad? Not just because it was platform specific, but because it was insecure and prone to malware abuse. The model behind ActiveX was inherently flawed because it had too much trust for remote code to be automatically executed. Firefox and Opera are both billed as more secure because they are not subject to the kinds of broad attacks that IE 5 and 6 were.

Mozilla, Safari, and Opera gained market traction by having features that users or developers wanted that were not otherwise available. Security is a feature that many users, developers, and particularly network administrators desire. Say you have a choice between deploying your workstations with Firefox or with Secure Firefox, which one do you pick?

We're nearly to the stage where interface features (bookmarks, tabs, toolbars, javascript, flash, java) are reasonably complete and rendering speed and quality (Acid2, Acid3) is reasonably complete. So we can assume that any modern browser (including this new one) will be fully-featured and acid-compliant when released. It would be inane to do otherwise. So how do you improve browsers from here? Security *is* still an issue with browsers because they are *the* platform of the decade. Why not improve that?

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

Re:Somewhat pointless?

[hedwards]

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

The current number of browser exploits clearly indicates that you are correct.

IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.

Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why with all the processing power and extensions to the processor that a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade off.

This kind of thing can already be done presently. Just in a less efficient and less fine grained manner. Linux or similar in a VM.

Re:

[Bacon Bits]

Personally, I'm hoping they come up with a good model for combating cross-site scripting (which AFAIK is still a problem in every browser... except perhaps lynx).

Re:Somewhat pointless?

[lymond01]

What we need is less bloated browsers, those that don't use up 100+ MB of RAM

Ask not what else your 100 MB of RAM could have done for you, but what you could do with your other 1900 MB of RAM.

Like government, browsers could me more efficient with their resources. But think of your computer as a country in renaissance -- instead of worrying why you paid $100 for that hammer, question instead what the hammer may allow you to do whatever its cost.

(I'm only half-joking because I'm a satirist, not a realist...then I'd be half-serious.)

Re:

[Hucko]

If you didn't find that funny you are posting to the wrong forum.

Re:Somewhat pointless?

[Dahamma]

or Opera back in the IE 5/6 heydays.

Or Opera in the IE 7/8 heydays, for that matter...

Re:Somewhat pointless?

[denton420]

What is the point in bashing their project? Do you not realize that even if no one uses this particular browser, it sets a precedent that others are likely to follow? Sometimes, you have to create just for the sake of creating. Beyond that, who really knows, this browser could be the next big hit with a little bit of mainstream media exposure. A product that delivers on all of its promises (more so in the IT genre) will have its day.

Plan 9

[spidr_mnky]

As parent says, the product doesn't have to gain great popularity to have a great effect on the field, especially after a few years.

Plan 9 never "made it big", but it wasn't supposed to. Now most Unix systems have adopted ideas from Plan 9, like the /proc filesystem, and more concepts are being ported still, such as PortalFS, applying the theory that everything should be a file to network sockets.

Plan 9 isn't a superstar, and in my personal opinion it's a pain to try to use, but it's considered a highly successful project. I'd like to try this browser, just because it sounds cool, even if it isn't my new browser of choice. I hear people praise Firefox, not because it's the best browser ever, but because it put pressure on Explorer to keep up with the market.

Proof of concept is worth a lot.

Re:

[al0ha]

"The internet's main problem is between the monitor and keyboard " I definitely have to agree with this statement. However I am a little less pessimistic about wide-spread acceptance of a truly secure browser. As an Information Security professional, I definitely welcome the idea and think they are on the right track. Separation of duties and data validation in and out. Once completed, you could count me as being on board in trumpeting its use. Now if we could only do something about the Internet's ma

Re:

[AKAImBatman]

But even if it works as planned...this new browser is going to enter the market and who is going to download it?

Depends. If it's integrated into the popular web browser shells (e.g. FF, IE, Opera, Webkit), then everyone. Which is ultimately how all web technologies are introduced.

Re:Somewhat pointless?

[Deanalator]

If I was offered a browser that was able to contain flash or quicktime 0day, I would switch to it in a heartbeat. For all the security in firefox, 0day still exists, and is used frequently in the environments that I work in. These threats can be mitigated, and we really should be moving towards properly designed software.

link to the paper:
http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf [uiuc.edu]

Re:Somewhat pointless?

[RuBLed]

I predict no. The internet's main problem is between the monitor and keyboard ;-)

The internet's main problem is a cup of coffee?

Re:

[ModernGeek]

What is between the monitor and keyboard that causes issues with the internet?

Re:

[elrous0]

The head of the idiot who uses them

Re:

[The Evil Couch]

[insert ASCII art of a joke flying over your head here]
[insert "whooshing" sound effect here]

He's pointing out that users are not typically found between the monitor and the keyboard. Now, if the poster had said "monitor and chair" or "keyboard and chair", it'd make a lot more sense.

Re:

[nametaken]

What is between the monitor and keyboard that causes issues with the internet?

Wires. Without them computer security would be easy!

Re:

[amRadioHed]

Ahh yes, bluetooth and Wi-Fi. The answer to all our security problems :)

Re:

[Echelon One]

The internet's main problem is between the monitor and keyboard

So, what, the speakers? The empty bottle of Gatorade that's been sitting on my desk for a week? I think you meant PEBKAC [acronymdb.com] ;)

Re:

[Heembo]

The internet's main problem is between the monitor and keyboard ;-)

I know you meant well, but that is a very ignorant statement. I can be casually surfing the web with a modern browser, and if I hit a site that was hijacked by an attacker, even if I have modern security software installed, I can get hit with JavaScript code that can escape the sandbox, break single origin policy, or (in the past) flat out run OS commands. The browser is an operating system. And a very insecure one at that.

Re:Somewhat pointless?

[AnonymousCactus]

These guys are researchers, why do you think their goal is to make a separate, competing browser? Generally, that only happens if the market is dumb enough to miss potential, if indeed it has some.
If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.

Re:Somewhat pointless?

[Alsee]

I'm not sure if I get this. The key feature seems this:

The key feature is Trusted Computing.

So who is this product for?

The RIAA, MPAA, and all those people who want to make DRM locked websites where no one can save copies of pictures or any other content from the page, where you can't copy-paste text or anything else, where you can't run any ad-blockers, where you can't view the webpage source, where you can't "deep link", where they can securely track your identity, etc etc etc.

He's this guy's page [uiuc.edu] at The Information Trust Institute (ITI). [uiuc.edu]

Their definition of "secure" is securing computers against the owner.

They do Trusted Comptuting, Trusted Platform Models, DRM, they are even working on a Trusted DRM P2P system. Oh joy, I can't wait to get me some of that Trusted DRM P2P! Woohoo! Yummy! to ensure that distributed multimedia protocols' trustworthiness is enforced in terms of security... security when delivering voice, music... trusted peer-to-peer (P2P) streaming protocols in large-scale ad hoc distributed systems for efficient content distribution... Issues of digital rights management [uiuc.edu]

Come on, don't tell me no one noticed the project name "Opus Palladianum" and thought, "Damn, that sounds like Palladium!" Yep, this is the scheme for a DRM locked down browser running on a DRM hardware locked Palladium system. And yeah, the article mentions that this guy came from Microsoft. Who here is surprised at that? Yeah, me neither.

Yeah, tag this article trustedcomputing. Or treacherouscomputing if you prefer.

-

Re:Somewhat pointless?

[Alsee]

Replying to myself, I just got a look at the technical paper. [uiuc.edu]

On a browse through I don't see anything directly tied to Trusted Computing in there. So maybe I jumped the gun, but this group *is* deep into the Trusted Computing stuff, and the Palladium-esque name sure seems like more than a coincidence, and looking the paper it is exactly the sort of design you'd want to adapt into a Trusted Computing browser.

So I'm still rather suspicious of the intent and connections behind it, but I will retract my positive tagging that it *does* explicitly intend to involve Trusted Computing.

-

Re:Somewhat pointless?

[Corwn of Amber]

An other web browser that no one willl use, for the reasons you mention.

Like it's that hard to securely receive and render webpages. It's a trivial task. Anyone who says the contrary should get a reality check. It's very possible to program without bugs. That's what correctness tests are for. An if your tolkit sucks so much it has security holes, code your own lib from scratch.

Re:Somewhat pointless?

[piojo]

This browser seems like the sort of thing that big companies might like to install on their workstations. After all, they don't care that much about usability (my university currently has right clicking disabled--there are quite a few things that are harder or impossible if you can't right click). I don't mean to say that this browser will be unusable--it's just that a corporation might sacrifice speed and flexibility for security. This browser might also be good for kiosks.

Re:Somewhat pointless?

[irc.goatse.cx troll]

If your university runs windows, try hitting alt+shit+numlock (alt/shift have to be the left side) to enable mouse keys, then with numlock on hit * and then 5 to middleclick.

Fuck silly restrictions.

Re:

[jlarocco]

I'm confused. They "disabled right click"? In web browsers, or in general? What were they trying to achieve? I've never heard of anyone doing that. The more I think about it, the harder I laugh. That's gotta suck.

Re:

[piojo]

They disabled right clicking in general. To rename a file, I have to do "file -> rename". There is no way to look at a folder's properties, because "file -> properties" is also disabled (so good luck freeing up disk on your network space when you can't see the folder sizes). Apparently, it's harder to mess up the computers without right clicking. These restrictions do not seem to apply to Firefox, Java, and some other non-Microsoft apps. Thank God they are written in a way that ignores stupid settings

Re:

[DKlineburg]

F2... That is keyboard shortcut to rename a file. I never right click a file name. To slow.

Re:

[piojo]

Maybe you should transfer. If they hire admins that bad, what does it say about the rest of their staff?

That's like saying, "Oh, don't study physics at that school--just look at their biology department, it's terrible!" Furthermore, I did think about transferring a few years ago (because of a more relevant concern), but for better or worse, I stayed, and I'm graduating in June. No transfer for me.

anchient debate

[x2A]

Just because it runs as seperate 'modules' which communicate using set message passing functions, that can't directly mess with each others memory or the rest of the system, making it a zillion times more stable and secure than Other Browsers(tm), does not mean that it's going to be loads slower, or more complicated to develop for, or harder to find developers that will commit to developing for it. Monolithic browsers are a thing of the past. It's all about the micro-browser now. Just you watch. The Hirp of

Re:

[nitehawk214]

>It's all about the micro-browser now. Just you watch. The Hirp of Internet Replacing Plugins (HIRP) browser will be what drives all of our web needs in the next 2-5 years/decades. You'll see.

I HURD [gnu.org] that this project got delayed.

Re:

[calebt3]

Then they would blame 3rd party attackers.

Re:

[CastrTroy]

What feature on your web browser doesn't run under a limited user. There's no reason you can't start Firefox (or any other browser) as a different user, and just do everything else with your regular old admin user.

part of the solution....

[owlnation]

One quick and easy way to make the web a safer place would be for ActiveX to be shunned by everyone. If you are a web developer, simply refuse to use it.

Re:part of the solution....

[mnmn]

I'll give you an alternative.

Run the browser in a Virtual Machine along with its plugins. When you close it flush all changes to the binaries and keep the changes to the history and cache.

You might not even need VMware to do this, just virtualize the files available to the browser and the memory available to the process. I dont think this will have a performance hit.

Please don't link to eWeek

[Animats]

Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.

no

[Kohath]

Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

So no.

Re:

[eli pabst]

Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

I disagree. Look at the market share that Firefox has picked up, almost exclusively because people were desperate for a browser that would protect them from sites that infected their systems with spyware and malware. If anything using Firefox is more of a pain in the ass because many website developers only beta-test their code in IE.

Ad-free version of article

[jroysdon]

Ad-free version of article [eweek.com].

How hard is it to look for the "Print version" w/o ads and link to that?

Re:

[noidentity]

How hard is it to look for the "Print version" w/o ads and link to that?

I figure that once everyone starts linking to the "no fucking ads so we can read the article comfortably" link, they'll stop providing it. I, for one, would like this feature to continue to exist.

Man, if only Samuel L Jackson were here...

[Anonymous Coward]

He'd know what to say...

Whiny-bitch-free version of the motherfucking link provided by parent. [eweek.com]

or

Really fucking easy, which is why we don't need a karma whoring bitch such as yourself providing the motherfucking thing.

or

About as easy as shutting your editorializing bitchass mouth motherfucker.

Re:

[chubs730]

Because some folks would like to make a living off of this whole internets thing. It's no secret that nobody likes ads, but hosting and bandwidth costs money. This is one reason that all the "I use adblock and I'm going to let you know every chance I get" people bother me. If nobody sees these ads, or clicks them, then the sites you've come to rely on for free will cease to exist.

Besides, you clearly take advantage of the karma bonus that the ad-ridden stories provide ;).

In other news...

[ruinevil]

...emacs is getting a browser. Still no word on the implementation of a usable editor.

Re:

[Constantine XVI]

Everyone always seems to forget viper-mode

I've got a secure web browser

[dudeman2]

Lynx [isc.org].

Re:I've got a secure web browser

[junner518]

Lynx has its problems as well...
http://www.ciac.org/ciac/bulletins/h-82.shtml [ciac.org]
http://securitydot.net/vuln/exploits/vulnerabilities/articles/14814/vuln.html [securitydot.net]

Re:

[x1n933k]

Well not to say that Lynx is perfect but I'd like to note that the first link shows an exploit over 10 years old and the second is almost 3 years old. Both have been addressed.
 
[J]

Re:

[Tycho]

So, how about "telnet", then?

Meh, I thought it was better with "'telnet' then?", but slashdot has a lousy minimum post length. I hope this isn't a quasi-double post, I received a too soon to post again message when I attempted to submit the first time. The problem is on my end, I need to feel less apathetic and replace this particular Logitech G7 mouse with another unused mouse I have that works. The switch for the left mouse button is bad. More often than not if I try do a single left click, it will be

Such a great idea

[rudy_wayne]

Divide your software into subsystems managed by a kernel. That's certainly guaranteed to make things more secure -- just look how well it worked for Windows.

The super-duper-secure safe OS

[sweet_petunias_full_]

OK, if you really want a truly secure safe OS (and by extension, to a browser mapped to the same address space), this is what you need in your OS:

Not one microkernel, for extra safety you need redundant nanokernels, with a microkernel over those, then the user kernel. To prevent buffer overruns, all messages passed between these are sent as emails, with spamassassin checking lest any of them get any ideas about sending spams.

OK, next you need lots of verification. Every time you write to disk there should be a second process to verify that what was written is correct. Then you need a process to check that the verifier process is checking things correctly. If memory doesn't run out while doing this, a body of processes should vote democratically as to whether the whole thing finished correctly. In case of collusion between the processes, some of them will be strictly dice rolls.

The least trusted part of the computer is the user, otherwise known as the "owner" of said computer. Thus, that person should not be allowed to do anything because that is a sure way to introduce problems. Harass that person with questions and popups at every opportunity. That will make sure they go out and read a book and not get in the way of the important things that the operating system is trying to do.

To prevent hardware from crashing any of the kernels, they must be separated by a special interface layer that works a lot like a chat room (IRC). What this means is that devices that speak the protocol correctly can connect and be listened to by the kernel(s). Those that misbehave or that use foul language are kicked off by the watchdog process. The watchdog process is watched by a bulldog process. Sometimes the bulldog just barks, other times the two are wrestling it out on the ground while the rest of the system waits for them to sort out their differences. Alas, such is the price of progress.

To further prevent buffer overruns, a new character encoding is introduced where a previously one-byte code now needs ten bytes to encode it. This means that buffers have to be ten times bigger and thus there is a lot more space before an overrun occurs.

Let me know if you can think of any more features to add to this future super-OS.

Re:The super-duper-secure safe OS

[Zebra_X]

With all those kernels lying around all you are going to get out that design is *popcorn*

Government model

[Mr. Underbridge]

I thin that's the security model our government uses. Wrap everything in massive layers of bureaucracy and nothing bad happens. Of course, nothing good happens either, but that's OK.

Re:

[jhol13]

Free market!

Let all the processes be fully independent, evolving and with absolutely no regulations whatsoever. Give them 100 bucvk (virtual money). They will, according to economists, evolve into free market practically immediately. After that the free market will solve every problem in the most efficient way possible. Security will therefore be better than is possible with any other method.

Re:

[hcdejong]

OK, if you really want a truly secure safe OS (and by extension, to a browser mapped to the same address space), this is what you need in your OS:
[long explanation]

In other words, Windows Vista?

Re:

[Alsee]

Let me know if you can think of any more features to add to this future super-OS.

How about a talking paperclip to help you do stuff? That would be really neat!

-

Re:

[raddan]

I'm not sure if you're being witty or just naive, but this really does appear to be a general software engineering strategy that works. I don't know much about how Windows' kernel works, so I can't say whether their implementation is any good-- I suspect that their business imperative to provide backward compatibility and rich APIs have probably hindered their efforts on the security front.

But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Pos

The less functionality the better

[sweet_petunias_full_]

The solution for a more secure browser isn't to guild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.

If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.

Re:

[dave562]

You're right about the ideal solution for a more secure browser. I think the "problem" is that people are used to a dynamically rich web experience and the challenge then becomes to provide that experience for them as safely as possible. The internet was much safer when I first got onto it. We didn't have web browsers.... just gopher and lynx. Yet ironically enough my first access to telnet came through a misconfigured gopher process that I could kill with a ^Z and get to the telnet prompt. I guess exp

Re:The less functionality the better

[Anonymous Coward]

Web browsers are already complex, and they've been designed without any regard whatsoever for security. It's impossible to go back to static HTML documents by now. So would you prefer that everyone just sticks their head in the sand, and pretends that it'll all go away?

This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.

The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that it's behaviour can be proven correct. The kernel then enforces a security policy.

This approach is known to work - it's similar to the approach used by operating system kernels.

Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.

If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.

If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.

The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.

It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damange, and are able to be tracked for analysis later.

Re:

[Jim McCoy]

> This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.
[...]
> This approach is known to work - it's simil

Re:

[kesuki]

the best security ideas came around in the 60s and 70s they haven't changed much..

so basically the most secure browsing environment possible is a fully hardened linux from scratch where the browser is being run by a limited user, who can't sudo or su, and where much of the filesystem is made immutable with chattr (chflags for bsd/apple users trying to make a hardened bsd or apple setup),

then hackers no matter how good will just give up on your system, and thank god that microsoft is too retarded to adopt a

Re:

[dreamchaser]

If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

Yes, and if everyone were to drive 25 miles per hour there would be far fewer accidents on the road.

What I want to know is...

[jemenake]

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)

Re:

[tjstork]

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)


It's amazing how few people on /. seem to have gotten this joke.

Brooks' Law

[jmorris42]

Well they are just applying Brooks' Law... a bit late but better late than never.

Mosiac begat IE. The original Mosiac authors begat Netscape which begat Mozilla which finally (with a few namechanges we can skip) begat Firefox. Now with over a decade to see just how those original designs failed to scale to what the Internet became it is about time to toss the whole codebase and start over with the knowledge of what didn't work.

Hope they can do it faster than the whole Mozilla rewrite ended up taking.

Re:

[Kent Recal]

Hope they can do it faster than the whole Mozilla rewrite ended up taking.

Hell yea!

I squirm whenever I read about all the manyears they
constantly throw at refactoring the blackhole that is the
mozilla codebase.

Really, how long can it take to write a new browser from scratch?
I'm not saying that it's not a serious undertaking but I would really
love to see what all those skilled mozilla devs could achieve if
all the legacy crap was suddenly taken off their shoulders...

Better yet, I'm sure that not all parts are

Re:

[BootNinja]

according to the article, they are using KHTML/webkit as their rendering module, so they don't plan to do a complete rewrite.

Re:

[rthille]

Next thing you know, CERN will want to produce one!

Kernel, application...

[bluefoxlucid]

I have said for years that an application and a kernel are the same damn thing. I gave up eventually on trying to explain microkernel architecture and how to make an application resistant to faults and attacks because no one listened. Not even when Flash and Java crashed and took down the whole browser (oops). Looks like someone's finally getting the idea of protected mode memory schemes and operating system security policies (which you can apply to different processes, but not different bodies of code..

Security is an annoyance to most peopl

[icepick72]

Security isn't important enough to people right now to make the change away from IE (or older versions of it). A new browser deemed more secure will be met with less interest because those people not wanting to deal with current secure features in Firefox like NoScript and AdBlock plugins, surely they won't want to fiddle with something having even more restraints.

Re:

[WarJolt]

People don't want to deal with it. The other day I was hearing someone complain about vistas security features. However, a secure architecture is different from a security feature. The idea is to prevent exploits and minimize the damage when things go wrong. Ideally the user won't have to enable a setting. I'd adopt it.

Re:

[n6kuy]

> -I'm on a quest for anyness and I am ready.

OK. Just press the 'any' key.

Re:

[nametaken]

As with any product, it's an issue of having to give me what I already have, but better.

If this browser doesn't have working flash, working javascript, and render at least as well as the big two... it gets zero uptake. It's as simple as that. Once it has all those things, THEN if it's more secure it might get some adoption.

Yes, if it's standards-compliant

[mandelbr0t]

I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).

I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.

Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.

Re:

[evanbd]

People who care about security don't tend to be distracted by shiny things.

Some of us like our shiny things, but are aware enough of security that we'd rather use a more secure browser. Sure, anyone on a mission critical system can probably live without it, but why shouldn't my home PC that I watch Youtube videos on be secure? If they can make it work, and be usable, I'm all for it.

A link to the paper

[Sam King]

Here is a link to the full research paper [uiuc.edu], we hope you enjoy it!

Very worthwhile project, well done

[Morgaine]

The browser is the single flakiest application in modern operating systems, and has long needed an overhaul to make it robust and protected by design.

In Firefox on Linux, to lose 20 open tabs just because of a single bad web page is incompetent browser design, and Mozilla should be taken to task over it. The fact that some lost sessions can be recovered on restart is just a band aid --- the entire browser should not have gone down in the first place.

A robust browser kernel plus strong MMU-guaranteed separa

Re:

[Deanalator]

Haha, I was going to yell at you that I posted the link to the paper first [slashdot.org] (well, same time anyway), then I realized who you were :-)

I really have just briefly glanced over it at the moment, but it looks interesting. Is there code I can download somewhere? I can't find any on your's or Chris' websites. Also, have you checked out jnode [jnode.org]? Similar to Microsoft's singularity, but actually functional (and in java).

Doomed by Expediency

[bill_mcgonigle]

They're using a rendering engine written in a language that gets its stack smashed by buffer overflows. Nearly all browser security bugs that aren't of the XSS-type are due to buffer overflows.

Next.

Seriously, yes, I'd love to see a secure browser I could recommend for my family's computers, but it's alot of hard ground-up work. (It might actually be faster to write a tool to port the current Gecko/Webkit tree to another language automatically than to start in on a whole new rendering engine in a secure language).

Get started now and the silicon will be fast enough by time the browser is ready.

Re:

[jesser]

Nearly all browser security bugs that aren't of the XSS-type are due to buffer overflows.

Really? Most of the memory-safety bugs I find in Gecko are due to use of dangling pointers. I've only found a few buffer overflow bugs.

Here's what I want

[British]

How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.

To me a secure browser would be non-modular, and be pretty slim on the list of features.

NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
No giving out referrer info unless you say so
strict cookie control
mike's ad blocking hosts file built in, and configurable(or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
Javscript turn off URL bars, resizing of windows? I don't think so. Leave that to the user.

And I'm betting there's 20 other things I haven't thought of that's mandatory. The web browser has become so fluidic that there's tons of entry points to a user's system now.

Re:

[recoiledsnake]

CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".

Opera already does this.

Re:Here's what I want

[lithis]

When I press F12 in Opera (or pull down the Tools menu and choose Quick preferences), I get the following menu:

• Open all pop-ups
• Open pop-ups in background
• Block unwanted pop-ups
• Block all pop-ups
• Enable GIF/SVG animation
• Enable sound in webpages
• Enable Java
• Enable plug-ins
• Enable JavaScript
• Enable cookies
• Enable referrer logging
• Enable proxy servers
• Edit site preferences...

It's amazingly simple to enable and disable many irritating features. I keep plugins and animations off at all times, except when I want them.

Re:

[n6kuy]

What I'd like to know is who's the asshole that designed the functionality into JavaScript that allows it to take control of stuff that it has no business taking control of, such as window decorations, URL bar, status bar, right click menu, etc.

That person oughtta be lynched.

Yes, it's called IE 7 on Vista (seriously)

[ThinkFr33ly]

I know, I know... this is Slashdot, I shouldn't bother. But IE 7 on Vista (running in Protected Mode [msdn.com]) is pretty damn secure [washington.edu].

While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)

Re:

[assassinator42]

How does that compare to running Firefox on Vista with UAC/DEP? And is there any way to implement something similar to the other things in Firefox?

plenty of room

[OglinTatas]

I have 180 GB free. That should be enough room. I hope.

bad start

[nguy]

If they want to write a more secure web browser, they shouldn't start with a C++-based layout engine.

A Browser Named Opus?

[Prototerm]

I'd rather wait for one named after Bill The Cat, if you don't mind. I'll "Breathed" easier.

The problem with the web....

[mlwmohawk]

The point of all this is that the browser is insecure. OK, I grok that.

The *problem* is lazy programmers and "who gives a shit" product managers. I worked on a web system a few years ago and they wanted to do a lot of "cross site scripting" and I told them that was bad. They said, write an activeX control to do it. We'll leave the API undocumented and it will be safe. LOL.

Security breaches are the result of "product managers" who demand more than is safe on a web browser, software engineers that are too laz

A decent solution

[kylehase]

Just take Firefox Portable [portableapps.com] and disable many of the nasty defaults like third-party cookies etc. Then load all the paranoia extensions like no-script, safecache, safehistory, refcontrol, cslite etc. and you can create a pretty secure browser without having to develop one yourself.

A secure browser

[jandersen]

Making a secure browser is like making a car that is safe to drive - impossible. Just like driving a car carries some inherent risks because you can't guarantee that other drivers drive safely, you can't make a browser that cannot be used in an way that compromises the security of your system. And just like you have to learn to drive safely, you have to learn to browse safely: don't allow adverts, don't allow Javascript or Flash by default etc. In Firefox at least there are tools that make it easy - eg NoSc

Don't overlook the potential for abuse.

[inTheLoo]

Just think of what Microsoft would like to do with UAC for your browser. "This website is not Microsoft signed, Cancel or Allow?"

Re:

[ScrewMaster]

Just think of what Microsoft would like to do with UAC for your browser. "This website is not Microsoft signed, Cancel or Allow?"

I think this is how it would really be: "This website is not Microsoft signed."

Re:

[willyhill]

All he needs now is to invite the other two sockpuppets and they can have a party.

Never mind [slashdot.org]

Re:

[junner518]

Oprah is definitely better than all other web browsers :p. Good talk show too...

Re:

[SoupIsGoodFood_42]

So? That's what makes the whole system work well and play nicely, isn't it? I'd rather just pay for extra RAM and have a nice, consistent experience (talking about Mac OS X here, but I guess it's a similar situation).