Mozilla Firefox, Internet Explorer, Apple Safari ... the list of browsers goes on. Each browser has taken its own approach to embedding security features. Looking ahead, security pros see a future when reputation-related and validation technologies play a bigger part.
It's no secret that the Web is the No. 1 attack vector for hackers. That
puts Web browsers on the front line of the war against malware, and leaves
vendors to decide just how much security to embed in browsers.
The latest versions of the major browsers, from Microsoft Internet Explorer 8
to Google Chrome, have all sought to address security in their own ways.
Microsoft, for example, is touting a number of security features in IE 8, from
a cross-site scripting filter to clickjacking
protection. Google turned to sandboxing in
Google Chrome, and included an Incognito mode similar to IE 8's InPrivate
Browsing.
Still, security pros expect to see more features designed to protect users
embedded in browsers in the future. Dave Marcus, director of security research
and communications at McAfee's Avert Labs, said browser security is generally
in a state of flux. Looking ahead, he expects to see more reputation technologies
embedded in the browser, possibly making use of behavioral and script
evaluation technologies.
"With financial motivation driving malware, user data is under constant
attack, and the browser is certainly one of the main attack points,"
Marcus said. "Provided users and businesses are staying current with
security technologies, maintain patches and are informed as to trends, they can
browse safely."
That may seem like a lot of conditions, particularly for typical home Web users.
For them, the correct mantra could be, "The more embedded security,
the merrier."
"As far as browser security features, anti-phishing was a very good
step forward," Gartner analyst John Pescatore said. "I would like to
see that broadened out to include malware sites in general, not just phishing
sites ... There are open-source services that list these -- not as good as the pay
sites like the Web security gateway companies -- but better than not
checking."
Pescatore continued, "I would also like to see browsers have some way
of asserting, 'I am a browser that has a human typing at a keyboard controlling
me,' so that Web sites could differentiate between actual human beings, bots,
spiders, screen scrapers and other automated browser actions. This would take a
coordinated effort between the browser companies and the Web server -- basically
Microsoft and Apache -- to do this right. It doesn't have to be perfect, just has
to be hard (not impossible) to hack, to have value."
Officials at Mozilla and Microsoft, asked recently, did not do much speculating
as to what the future holds for browser security. Microsoft highlighted the new
features of IE 8; Mozilla, maker of Firefox, spoke of the importance of
blacklisting rogue sites.
Addressing some problems, such as clickjacking, will likely mean working
alongside researchers. Over the course of IE 8's development, Microsoft worked
closely with those in the security research community to stay on top of new
classes of threats, Microsoft officials said.
For vendors, cooperation may be the buzzword of the future.
"Symantec views efforts by browser vendors to
increase security in their products as part of a necessary and desirable
process to better protect consumers and enterprises ... [It's] a partnership
rather than a competition," said Dean Turner, director of the Global
Intelligence Network at Symantec Security Response.