
Summary and Guidance for the “I Know…” series

When it’s all said and done, who do these Web and browser security and privacy problems belong to? We could point the finger at the browser vendors for allowing such Web technology abuses without providing adequate controls. Maybe the fault lies with website owners and Web developers who demand and implement features without fully understanding or appreciating the risks. Perhaps it’s the Web standards bodies who have come up short for not addressing these fundamental security and privacy gaps. We could also blame the user for clicking on “dangerous” things.

But what we really need isn’t someone to blame – it’s someone to step up and take responsibility, someone who has an answer and is in the position to make a change. When this will happen is anyone’s guess, but the sooner the better. In the meantime, when you see headlines like “the most secure browser is…,” you’ll have a better perspective on what that means, or rather, what it doesn’t mean.
Presently I feel quite confident and justified in saying that…

Web browsers are NOT “safe.”

Web browsers are NOT “secure.”

Web browsers do NOT protect your “privacy.”
And I didn’t even have to go into the ridiculousness that is the SSL Certificate Authority environment. Nor did I discuss yet another attack technique, DNS Rebinding, which all but eviscerates the same-origin policy and is, for all practical purposes, unfixable.

Whether browsing from a desktop computer, laptop, or mobile device, the percentage of our daily lives that depend on the Web is staggering and growing. Many of the most intimate details of our personal lives are stored in unknown databases across the world.

So this is not so much a question of what Google, Facebook, Twitter, LinkedIn, and others know about us, or that they log our email and searches while trying to improve our daily lives. The fear is of the unknown. The concern is everyone and everything else, now and into the future: the unnamed governments, companies, and individuals who might have use for this information in order to control or influence our behavior, perhaps even to do us harm. This is a big reason why issues surrounding online “security” and “privacy” are so often conflated: they are heavily dependent on one another, and both translate to the physical world.

I think about these things often as my children grow up and learn to use the Web. Sure, I know how to protect myself, but how do I protect them? I certainly can’t look over their shoulders 24×7.

So, where does that leave us? How do we truly protect our online experience? To help answer this question, earlier this year I published “Tips for NOT getting Hacked on the Web” and “Web Browser Defense-in-Depth: 3 Layers is Good, 5 is Better.” Both discuss various safeguards that really anyone can do. I’d like to take a moment to discuss a few more, for those who are more technologically advanced or can remember to diligently perform a few extra steps online.

1) If you use Firefox, the NoScript add-on is where it’s at. Among other protections, NoScript allows you to exercise tighter control over JavaScript execution on each website. As you might have noticed, most of the attack techniques discussed require JavaScript. So, no JavaScript, no attack. But NoScript does cause some website breakage, which has to be tediously managed.

2) Log out and dump your “cookies” regularly. Make it tougher on the bad guys. If you are not logged in, their attack surface is reduced. Also, no cookies, no tracking.

3)  Google Chrome has Incognito Mode. Firefox and Internet Explorer have Private Browsing. Whatever you choose to call it, these features have special protections that prevent various forms of tracking. Use them as often as you can.

4) If you use Internet Explorer 9, the browser has an extremely useful Tracking Protection feature. Give the feature a Tracking Protection List and you can control what data the browser sends to third parties.
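To make tip 4 concrete, here is a minimal Tracking Protection List in the plain-text format Internet Explorer 9 imports. This is an added example, not part of the original post; the domain names and path fragments are constructed placeholders and the rule set is illustrative, not a recommended list.

```text
msFilterList
: Expires=7
# Constructed example TPL (not a real blocklist). Lines beginning with "#" are comments.
# "-d" blocks any request to the named third-party domain (and its subdomains)
# while a page from a different site is open, so no cookies or referrer data are sent.
-d tracker.example
-d analytics.example
# "-" followed by a substring blocks any third-party URL containing that substring.
- /beacon/
# "+d" and "+" are allow rules; they win over block rules, so use them for
# third-party content a site genuinely needs (placeholder domain below).
+d cdn.example
```

Rules only apply to content loaded from a domain other than the one in the address bar; first-party requests are never blocked. The "Expires" line tells the browser how many days to wait before re-downloading the list from its source URL, which is how a published list stays current.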
