It’s no secret that the Web is the No. 1 attack vector for hackers. That puts Web browsers on the front line of the war against malware, and leaves vendors to decide just how much security to embed in browsers.
The latest versions of the major browsers, from Microsoft Internet Explorer 8 to Google Chrome, have all sought to address security in their own ways. Microsoft, for example, is touting a number of security features in IE 8, from a cross-site scripting filter to clickjacking protection. Google turned to sandboxing in Google Chrome, and included an Incognito mode similar to IE 8’s InPrivate Browsing.
Still, security pros expect to see more features designed to protect users embedded in browsers in the future. Dave Marcus, director of security research and communications at McAfee’s Avert Labs, said browser security is generally in a state of flux. Looking ahead, he expects to see more reputation technologies embedded in the browser, possibly making use of behavioral and script evaluation technologies.
“With financial motivation driving malware, user data is under constant attack, and the browser is certainly one of the main attack points,” Marcus said. “Provided users and businesses are staying current with security technologies, maintain patches and are informed as to trends, they can browse safely.”
That may seem like a lot of conditions, particularly for typical home Web users. For them, the correct mantra could be, “The more embedded security, the merrier.”
“As far as browser security features, anti-phishing was a very good step forward,” Gartner analyst John Pescatore said. “I would like to see that broadened out to include malware sites in general, not just phishing sites … There are open-source services that list these-not as good as the pay sites like the Web security gateway companies-but better than not checking.”
Pescatore continued, “I would also like to see browsers have some way of asserting, ‘I am a browser that has a human typing at a keyboard controlling me,’ so that Web sites could differentiate between actual human beings, bots, spiders, screen scrapers and other automated browser actions. This would take a coordinated effort between the browser companies and the Web server-basically Microsoft and Apache-to do this right. It doesn’t have to be perfect, just has to be hard (not impossible) to hack, to have value.”
Officials at Mozilla and Microsoft, asked recently, did not do much speculating as to what the future holds for browser security. Microsoft highlighted the new features of IE 8; Mozilla, maker of Firefox, spoke of the importance of blacklisting rogue sites.
Addressing some problems, such as clickjacking, will likely mean working alongside researchers. Over the course of IE 8’s development, Microsoft worked closely with those in the security research community to stay on top of new classes of threats, Microsoft officials said.
For vendors, cooperation may be the buzzword of the future.
“Symantec views efforts by browser vendors to increase security in their products as part of a necessary and desirable process to better protect consumers and enterprises … [It’s] a partnership rather than a competition,” said Dean Turner, director of the Global Intelligence Network at Symantec Security Response.