


My Browser is so 1995!

INTRODUCTION:

Some of the fundamentals of the web browser, such as the DOM and JavaScript, go back to 1995, 21 years ago. Many other tools and protocols such as grep, ping, SMTP and DNS go back even further. From a user's perspective, though, the browser is probably the most used application on any internet-enabled device today, which makes it the largest attack surface for every user of the World Wide Web. Most successful cyber attacks delivered via the web are the direct result of a design that made sense in 1995 but in 2016 is no longer practical. There have been multiple documented attacks on popular sites such as CNN, Forbes, The Economist, The Independent and the BBC, to name a few, in which visitors to the site were compromised through the use and abuse of JavaScript.

Many of the web browser's issues today can be traced right back to 1995, when the graphical web browser was just emerging. 1995 was, for me, the year of Blur, Oasis, Pulp and South Africa winning the Rugby World Cup on home soil. More pertinent to this blog, Windows 95 came into the world, and most relevant of all, the browser war began. Microsoft released Internet Explorer 1.0 and Opera's first browser was being built at Telenor, both playing catch-up with Netscape, who had blazed the way with their new web browser UI. Privacy was a concern even then: SSL was developed and released by Netscape to protect users' traffic on the web.


Netscape had taken the text-based browser forward to a whole new paradigm: text and images in a single web page. Most relevant to this blog and to many web-based attacks, Netscape also shipped the first version of JavaScript that year (the name came from a co-marketing deal with Sun Microsystems, whose Java was announced the same year; the two languages are otherwise unrelated).

JavaScript

JavaScript was designed to enhance the user's experience of, and interaction with, a website. Amazingly, JavaScript was created in only 10 days by Brendan Eich, working at Netscape in 1995. Back in 1995 it was entirely practical: if you went to a website and your browser executed one or two pieces of JavaScript, all of them served by the site you had visited, the risk was small. Fast forward to 2016 and take the example of a popular Danish website that today executes over 475 pieces of JavaScript from 51 sources (49 of which are not the website you explicitly asked for), and you have to wonder whether this is still a good idea. Herein lies the problem of the web browser in 2016.

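As an added example (not code from the original post), here is a script that measures the kind of figure quoted above: it walks the page's script elements, groups them by origin, and flags third-party scripts loaded without Subresource Integrity. The site-of-host heuristic (last two DNS labels) stands in for a public suffix list lookup and is an assumption; the page URL and script list at the bottom are constructed sample data, not measurements of any real site.

```javascript
'use strict';

// Crude "site" of a hostname: its last two DNS labels. Assumption: this stands
// in for a public suffix list lookup and will misfile hosts under e.g. co.uk.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Classify script sources against the page they were loaded into.
// sources: [{ src: string|null, integrity: string }], src null for inline scripts.
// pageUrl: the URL of the document the scripts run in.
function classifyScripts(sources, pageUrl) {
  const page = new URL(pageUrl);
  const thirdPartyOrigins = {}; // origin -> number of scripts served from it
  const result = {
    total: sources.length,
    inline: 0,               // <script> with no src: runs as the page author's code
    firstParty: 0,           // same site as the page, subdomains included
    thirdParty: 0,           // served by a site the user never asked for
    thirdPartyWithoutSri: 0, // third-party scripts that can change without notice
    unparsable: 0,
    thirdPartyOrigins,
  };
  for (const s of sources) {
    if (!s.src) { result.inline += 1; continue; }
    let url;
    try {
      url = new URL(s.src, pageUrl); // resolves relative srcs against the page
    } catch (e) {
      result.unparsable += 1;
      continue;
    }
    if (siteOf(url.hostname) === siteOf(page.hostname)) { result.firstParty += 1; continue; }
    result.thirdParty += 1;
    thirdPartyOrigins[url.origin] = (thirdPartyOrigins[url.origin] || 0) + 1;
    if (!s.integrity) result.thirdPartyWithoutSri += 1;
  }
  return result;
}

// In a browser, gather the live list from the DOM. Guarded so the same file
// also runs under Node against the constructed sample below.
function collectScripts() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.scripts, (el) => ({
    src: el.src || null,        // el.src is the resolved URL, '' for inline scripts
    integrity: el.integrity || '',
  }));
}

// Constructed sample (hypothetical hosts), standing in for document.scripts.
const SAMPLE_PAGE = 'https://www.example.dk/forside';
const SAMPLE_SCRIPTS = [
  { src: 'https://www.example.dk/app.js', integrity: '' },
  { src: '/static/ui.js', integrity: '' },                      // relative: first party
  { src: 'https://static.example.dk/lib.js', integrity: '' },   // subdomain: first party
  { src: 'https://cdn.adnetwork.test/tag.js', integrity: '' },
  { src: 'https://cdn.adnetwork.test/tag2.js', integrity: '' },
  { src: 'https://analytics.tracker.test/a.js', integrity: 'sha384-placeholder' },
  { src: null, integrity: '' },                                 // inline script
];

function sampleReport() {
  return classifyScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE);
}

if (typeof require !== 'undefined' && require.main === module) {
  const live = collectScripts();
  const report = live.length
    ? classifyScripts(live, location.href)
    : sampleReport();
  console.log(JSON.stringify(report, null, 2));
}
```

Pasted into a browser console on a real page, `classifyScripts(collectScripts(), location.href)` gives the per-origin breakdown directly; the `thirdPartyWithoutSri` count is the set of scripts whose content can change at the third party's discretion without anything on the page noticing.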

One of the fundamentals of the web browser is the DOM, the Document Object Model: the in-memory tree the browser builds from a page's HTML, through which scripts read and modify what the user sees. Every script the page loads, whatever server it came from, gets the same access to that tree as the page's own code.

“The DOM originated as a specification to allow JavaScript scripts and Java programs to be portable among Web browsers”

The DOM evolved to let the browser interact with a website in real time and modify the HTML dynamically, giving the user a richer experience. With the release of JavaScript from Netscape and JScript from Microsoft, the web surfing experience was only getting better.

In 1995 the existing DOM model made total sense, but fast forward to 2016 and it is valid to question the design, with the Danish site above as just one example. The enormous wave of attacks delivered via the web browser, the rapid rise of ransomware and the sheer number of security solutions failing to stop attacks mean it is time to reconsider things. One UK organisation I met recently told me that 50% of their malware infections come from browser-based attacks.

Chrome recently announced that it will block Flash content by default, and late last year it dropped the NPAPI plugin interface that the Java plugin relied on. Whitehat has also recently launched support for scanning JavaScript code to help businesses reduce JavaScript-based vulnerabilities. Browser developers are having to improve security by restricting the code that can execute inside their browser. This seems like the wrong place to win the battle, as the user experience will suffer, albeit at the price of better security. Shouldn't the industry be fixing the browser architecture in parallel, by moving the fetch and execution of code away from the local browser and rendering only the resulting content locally? The benefit is clear: no active code executes on the client, so the endpoint is far more resistant to attacks.

CONCLUSION:

The web browsers we use every single day still rely on some rather outdated technology that dates back to 1995. Fetching, downloading and executing JavaScript and other active code on the client remains a major threat to users of the web. Ransomware is just the latest tool that rides on this basic design weakness of web browsers, and it is one we all need to work to rectify. Detection technologies will always find some bad stuff on the web, but it is always going to be too little, too late. Organisations need to embrace new security capabilities such as isolation, which makes browsing more resistant and hardened against attacks and prevents infections from occurring. Learn more about Menlo's approach to solving web browser risk via isolation here.

Tags: malware, browser, ransomware, architecture
