(Page 2 of 2)
The new security measure is based on suggestions made by Web-security specialist Robert Hansen back in 2005. The researcher had been studying different types of Web attacks and had identified an interesting idea: allowing websites to change the security level of the user's browser.
Hansen turned the idea on its head and, instead, came up with a model that he called Content Restrictions. "The model shouldn't be, if you trust me, disable all the security; the model should be, trust me to tell you not to trust me," says Hansen, who is now CEO of Web security consultancy SecTheory. "If I know a page is bad, then I should be able to tell you that the page is bad."
An engineer at the Mozilla Foundation, Gervase Markham, championed the idea within the Firefox team and further developed the technology, and noted Web security researcher Jeremiah Grossman publicly called for adoption of the technique. Four years later, Mozilla has committed to implementing the technology.
The new Firefox security feature could help block another form of attack, known as clickjacking, which allows an attacker to trick a user into clicking an unsafe button--for example, initiating a bank transfer when she believes that she is sending an e-mail. However, clickjacking is a problem so pervasive that an opt-in model really doesn't work, says Hansen.
Not everyone agrees that such Content Restrictions is the way to go. Microsoft has created a cross-site scripting filter in Internet Explorer 8 that blocks probable attacks from reaching the victim's browser. The company has also introduced a new feature, called X-FRAME-OPTIONS, in Internet Explorer 8, which can be enlisted by sites to restrict the use of scripts in iframes--a trick employed by attackers to run code invisibly.
Such efforts, and the difficulty of incorporating CSP into the software giant's Web architecture, .NET, makes it likely that Mozilla's CSP won't be adopted by other browser makers, argues Vela, who plans to present his own solution at Black Hat. "I sincerely don't think it's going to be largely adopted," he says, "mostly because it's so complicated."
Mozilla, which declined to comment beyond the blog posting, will likely have the technology ready to incorporate into Firefox in 6 to 12 months, says Hansen. "The next step is to get eBay and MySpace to pick it up and say, 'Hey, this is great,'" the researcher says.
The head of Google's Web-spam-fighting team warns that spammers are increasingly attacking websites.
Cyber-defense and capture-the-flag contests will help train future defenders of cyberspace.
Researchers reveal a flaw with the way most Web browsers treat secure connections.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
Our list of the 50 most innovative companies, including the following:
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
stradric
33 Comments
Nice idea, but...
I like the idea, but I see the major drawback being that now it's another layer in the generally difficult problem of browser-independent code. Microsoft has their way. Mozilla has their way. If you wanted to implement both, it's probably a giant headache. And of course now there's Opera and Chrome and Safari that won't recognize the Mozilla or Microsoft ways.
It definitely is going to come down to a cost-benefit analysis. It's probably only really going to be used on banking sites and the like.
Reply