Dailydave mailing list archives

Re: What a failure of Secure by Design looks like: Web Browsers


From: Dave Aitel via Dailydave <dailydave () lists aitelfoundation org>
Date: Mon, 3 Jun 2024 21:06:47 -0400

So on one hand, a net completely controlled by Facebook and Apple and every
other walled off application "garden" would be a terrible thing. And yet,
did we not get just that in a manner of speaking? How healthy would we say
the net is right now?

Also, I find the security argument against extensions
<https://cybernews.com/privacy/google-to-weaken-chrome-ad-blockers-push-for-security/#:~:text=Starting%20June%202024%2C%20adblockers%20such,the%20more%20limited%20V3%20version.>
that block ads very weird. Apparently this goes into practice this month?
It's always been weird that mobile browsers are not allowed to have ad
blockers. Does anyone have depth on this issue they can actually share?

-dave




On Thu, May 16, 2024 at 11:11 AM Michal Zalewski <lcamtuf () coredump cx>
wrote:

As you note, the list is much longer than JIT - web fonts, WebGL, and so
on.

But I was there, and many of these decisions weren't about not
grasping the risk, or prioritizing performance for the sake of it.

Rather, they came from a place of terror: look at mobile applications
cannibalizing the browser market share! If we don't give people the
ability to build applications with as much flexibility as they have
natively, the web will start shrinking, and we'll trade an open
platform for a universe of walled gardens tightly controlled by
companies such as Facebook. And you know, it's hard to offer a good
rebuke to that. "Sure, the web might die, but it will die secure".

In practice, yeah, some of this didn't matter. Web fonts were
essential. WebGL enabled some niche applications, but it didn't
revolutionize the platform. Stuff like JS JIT or WebAssembly probably
weren't worth the price. But you only know this in retrospect.

The fundamental problem with browsers is that the current way we think
about them is kind of nuts - i.e., we design them as operating systems
that can safely run untrusted code. But if you started with the
paradigm that you don't want to expose anything risky or unproven to
the world, you'd have ended up with a fairly niche document reader -
plus a lot more native apps and monstrosities such as Java in the
browser or Macromedia Flash. So at what point do you say "enough"?

/mz

On Thu, May 16, 2024 at 8:49 AM Dave Aitel via Dailydave
<dailydave () lists aitelfoundation org> wrote:

I know it's in vogue to pick on enterprise hardware marketed to "Secure
your OT Environment" but actually written in crayon in a language made of
all sharp edges like C or PHP, with some modules in Cobol for spice. This
is the "Critical Infrastructure" risk du jour, on a thousand podcasts and
panels, with Volt Typhoon in the canary seat, where once only the
"sophisticated threat" Mirai had root permissions.

As embarrassing as having random Iranian teenagers learn how to do
systems administration on random water plants in New Jersey is, it's more
humiliating to have systemic vulnerabilities right in front of you, have a
huge amount of government brain matter devoted to solving them, and yet not
make the obvious choice to turn off features that are bleeding us out.

And when you talk about market failure in Security you can't help but
talk about Web Browsers, both mobile and desktop. Web Browsing technology
is in everything - and includes a host of technologies too complicated to
go into, but one of the most interesting has been Just in Time compiling,
which got very popular as an exploitation technique (let's say) in 2010 but
since then - for over a decade! - has been a bubbling septic font of
constant systemic, untreated risk.

Proponents of having a JIT in your Javascript compiler say "Without this
kind of performance, you wouldn't be able to have GMail or Expedia!" Which
is not true on today's hardware (Turn on Edge Strict Security mode today
and you won't even notice it), and almost certainly not true on much older
hardware. The issue with JITs is visible to any hacker who has looked at
the code - whenever you have concepts like "Negative Zero" that have to be
gotten perfectly every time or else the attacker gets full control of your
computer, you are in an indefensible space.

I would, in a perfect world, like us to be able to get ahead of systemic
problems. We have a rallying cry and a lot of signatories on a pledge, but
we need to turn it into clicky clicking on the configuration options that
turn these things off on a USG and Enterprise level, the same way we banned
Russian antivirus from having Ring0 in our enterprises, or suspiciously
cheap subsidized Chinese telecom boxes from serving all the phone companies
across the midwest.

The issue with web browsers is not limited to JITs. A Secure By Design
approach to web browsing would mean that most sites would not have access
to large parts of the web browsing specification. We don't need to be
tracked by every website. They don't all need access to Geolocation or
Video or Web Assembly or any number of other parts of the things our web
browsers give them, largely in order to allow the mass production of
targeted advertising.

If we've learned anything in the last decade, it is that the key phrase
in Targeted Advertising is "Targeted", and malware authors have known this
for as long as the ecosystem existed. The reason your browser is insecure
by default is to support a parasitic advertising ecology, enhancing
shareholder value, but leaving our society defenceless against anyone
schooled enough in the dark arts.

Google's current solution to vulnerabilities in the browser is Yet
Another Sandbox. These work for a while until they don't - over time,
digital sandboxes get dirty and filled with secrets just like the one in
your backyard gets filled with presents from the local feral cat community.
I know Project Zero's Samuel Groß is better at browser hacking than I am,
and he personally designed the sandbox, but I look out across the landscape
of the Chinese hacking community and see only hungry vorpal blades and I do
not think it is a winning strategy.

-dave

References:

Microsoft's Strict mode turns the JIT off (kudos to Johnathan Norman)
https://support.microsoft.com/en-us/microsoft-edge/enhance-your-security-on-the-web-with-microsoft-edge-b8199f13-b21b-4a08-a806-daed31a1929d
The Sandbox: https://v8.dev/blog/sandbox




_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to
dailydave-leave () lists aitelfoundation org
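The enterprise-level "turn it off" the thread argues for, as an added example that is not part of the thread or of any Microsoft or Google material: a PowerShell script that pushes Edge Strict (Enhanced Security) mode and Chrome's JIT-blocking policy as machine-wide policy and reads the result back for a compliance check. Policy names and values are taken from the public Edge and Chromium enterprise policy documentation and should be verified against the browser version you deploy; the two allowlisted hostnames are constructed placeholders.

```powershell
# Added example (not from the thread): set browser JIT hardening as machine
# policy and audit it. Policy names/values follow the Microsoft Edge and
# Chromium enterprise policy documentation; verify against your browser
# version before rollout. Run from an elevated prompt.
$EdgeKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Constructed placeholder allowlist: sites that still get a JIT, e.g. a
# heavy internal web app that genuinely needs the performance.
$JitAllowedSites = @('intranet.example', 'webapp.example')

function Set-ListPolicy {
    # Chromium-style list policies live in a subkey named after the policy,
    # holding REG_SZ values named "1", "2", ... with one entry each.
    param([string]$Key, [string]$Policy, [string[]]$Entries)
    $sub = Join-Path $Key $Policy
    if (Test-Path $sub) { Remove-Item $sub -Recurse -Force }
    New-Item -Path $sub -Force | Out-Null
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        New-ItemProperty -Path $sub -Name ($i + 1) -Value $Entries[$i] `
            -PropertyType String -Force | Out-Null
    }
}

function Set-BrowserJitPolicy {
    foreach ($k in @($EdgeKey, $ChromeKey)) { New-Item -Path $k -Force | Out-Null }
    # Edge: EnhanceSecurityMode 2 = Strict, which disables the JavaScript JIT
    # for all sites except those on the bypass list.
    New-ItemProperty -Path $EdgeKey -Name EnhanceSecurityMode -Value 2 `
        -PropertyType DWord -Force | Out-Null
    Set-ListPolicy -Key $EdgeKey -Policy EnhanceSecurityModeBypassListDomains -Entries $JitAllowedSites
    # Chrome: DefaultJavaScriptJitSetting 2 = block the JIT by default,
    # with JavaScriptJitAllowedForSites as the per-site exception list.
    New-ItemProperty -Path $ChromeKey -Name DefaultJavaScriptJitSetting -Value 2 `
        -PropertyType DWord -Force | Out-Null
    Set-ListPolicy -Key $ChromeKey -Policy JavaScriptJitAllowedForSites -Entries $JitAllowedSites
}

function Test-BrowserJitPolicy {
    # Audit helper: $true only if both hardened values are present, so a
    # config-drift check can fail loudly when someone "temporarily" relaxes it.
    $edge   = Get-ItemProperty -Path $EdgeKey   -ErrorAction SilentlyContinue
    $chrome = Get-ItemProperty -Path $ChromeKey -ErrorAction SilentlyContinue
    return ($edge.EnhanceSecurityMode -eq 2) -and ($chrome.DefaultJavaScriptJitSetting -eq 2)
}

Set-BrowserJitPolicy
"JIT hardening policy in place: $(Test-BrowserJitPolicy)"
```

Users can confirm the applied state in edge://policy and chrome://policy; a Group Policy or Intune deployment of the same registry values is the usual way to scale this beyond one host.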
