The problem is that browsers are so complex now and with so many APIs they represent an enormous attack surface. In this case it’s about tracking users without using cookies by exploiting the browser canvas element.
Originally shared by Roberto Bayardo
Ad & cookie blocking is leading to an explosion in browser fingerprinting as an alternate tracking mechanism. Previously limited to the more sketchy corners of the internet, I see it becoming more mainstream. I hope all the major browser developers aggressively try to contain it. I’m not sure it’s possible to eliminate completely without crippling modern browser functionality, but they should at least be able to make it far more difficult. Good move by Firefox here.
We need to maybe think about relying only on white-listed domains, like by just getting rid of all of the certificate authorities in your browser and only installing certificate authorities you trust.
It is possible web apps may start trending toward the security model used by Linux, Android, or iOS: you get all your apps from a central repository where all apps are vetted by the maintainers, and the only way to get apps from an alternative repository is to explicitly opt-in to trusting that alternative repository.
Personally, I prefer using the Internet without the browser. Just download the app from your trusted Linux repository and you are off and running, and much faster than any JavaScript engine could ever hope to run.
Ramin Honary all your apps are written in JavaScript.
John Hardy Turnbull delenda est My Android apps are written in Java. 😉
I thought we were talking about your Linux desktop. https://plus.google.com/photos/…
John Hardy Turnbull delenda est Oh, OK. No, actually I don’t use any Electron apps, as far as I know. Not even GitHub desktop or VSCode.
I am saying the security challenge with the web as an app platform comes from the fact that the web is designed to run code from anywhere at all, as long as the site you get it from has a certificate verified by one of the authorities that came bundled with your browser.
Apt is similar but much more restrictive about what code you are allowed to download and execute, so the security problems we see with a browser don’t come up quite as often, although the problems that do occur tend to be more severe unless you are using some kind of sandbox, be it a virtual machine like Java, or a security mechanism like SELinux.
Ubuntu even lets you install apps from its repository via hyperlinks displayed directly in Gtk+ rendered windows.
Personally, I still use the Internet without a web browser quite often. I pull content and code using tools like Apt and Git, sometimes BitTorrent. It’s nice because it doesn’t execute the code unless I tell it to, and also I have a choice in which apps I use to view and update content.
With the web as an app platform, all of that has to be done by the browser, hence the complexity you were talking about.
xkcd.com – xkcd: Installing