I spend a reasonable amount of time writing security articles for the consumer audience over at TidBITS, never mind this site. When I talk about browser security, one of my top tips is to avoid risky behavior and “those” sites. Although that’s pretty standard advice, it’s become a load of bollocks, and I can no longer give it in good conscience.
I spend a lot of time these days focusing on web application security and talking with some of the leading web app researchers like Rnake and Jeremiah Grossman. It’s increasingly obvious that a combination of cross site scripting and some more nefarious web app attacks are destroying the concept of “safe” websites. We’ve seen everything from banks, to security vendors, to advertising servers, to major providers like Google and Yahoo, fall victim to attacks where malicious content is embedded or executed in the context of the trusted sites. PayPal may make a big deal about extended validation digital certificates and colorful anti-phishing banners, yet an EV cert doesn’t do squat if the bad guy sneaks in a little malicious JavaScript and you’ve now run the nasty code in a trusted context.
Today, Dark Reading ran an article on some major security sites with cross site scripting vulnerabilities. Combined with a few beers with Rsnake last week, it pushed me over the edge.
These days, it’s hard to call any site trusted. Thats one reason I’ve shifted to my multi-browser/multi-operating system strategy. Realistically, I can’t tell everyone in the world to adopt my level of paranoia. In part because as bad as things are, most people aren’t suffering real damage because of it. That said, it strongly emphasizes the need not only to keep your system up to date, but to at least split browsers for financial vs. regular sites.
It also strongly points to the need to change the fundamental trust model of browsers, and to push us in the security industry towards solutions like ADMP and browser session virtualization (or better yet, a combination of both).
This isn’t a “the world is ending” post. It’s merely a recognition that “safe” browsing is only a partial security control these days, and one that’s losing effectiveness. We need to think about adopting new strategies before we start seeing more mass exploitation leveraging commonly trusted sites. One that transcends current browser trust models, which do little but make life easier for the smart attackers who take advantage of them.
Oh yeah, and stop wasting money on EV certs.
Reader interactions
One Reply to “There Are No Safe Web Sites”
[…] is quite a hot topic these days and it’s discussed by many security researchers such as rmogull and RSnake. Here’s an interesting article on “What web application security really […]