Mozilla’s Firefox and Opera Software’s Opera are making a little bit of history this week with new security features, for which the developers deserve our thanks. Firefox and Opera could be the first Web browsers ever released that attempt to block malicious software, or “malware” for short. Microsoft expects to follow their lead in Internet Explorer.

The Web might be the most dangerous part of the Internet. It has presumably surpassed email as the most lucrative target for organized crime. Years ago, the ratio of spam and infected email to useful email peaked where I worked. That week our postmaster discarded 98 percent of incoming mail as junk. In a much wider context, MessageLabs stopped about 80 percent for their customers during May this year. But while scams and phishing will always be with us, people can learn to resist clicking links in email. Criminals shifted some of their focus to the Web, which was unprepared for them.

Jeremiah Grossman of WhiteHat Security guessed that 70 percent of the world’s Web sites are open to cross-site scripting, also known as XSS, a vulnerability that Symantec reports site administrators usually don’t bother to fix. Grossman and Ofer Shezaf of Breach Security and their colleagues also document Web-based attacks that have really happened.

This user was greeted by only two Web applications this month that knew how to complete a transaction without scripts, one at the United States Postal Service and one at Walgreens. A well-known store, on the other hand, triggered an XSS alert in my shopping cart during the last step of checkout. Frighteningly, my browser gave me a choice: Send my credit card number, or abandon the week’s groceries.

What it takes to avoid and prevent Web-based attacks altogether may sound draconian. Web users can turn scripting off, or they can add an extension like NoScript for Firefox and decide for themselves when to execute scripts. Many web developers think that abstaining from scripts is too limiting – a majority of sites require JavaScript to run. Instead, developers have difficult responsibilities (to validate input, filter output and submit their work to testing and security audits).

Firefox 3 and Opera 9.5 add a bit more help. Opera (pictured below) is probably the first web browser in history to have an anti-malware feature built in. Opera warnings work page-by-page and come from their partners Haute Secure, Netcraft and PhishTank. Firefox integrates site-by-site data from Google and StopBadware. Both Firefox and Opera ask their users not to proceed to web sites that are identified as malicious or fraudulent.

Both browsers allow users to click through their blocks. Mozilla had considered having Firefox stop outright when it encountered a dangerous site. (At the time of the Firefox release, StopBadware tallied about 130,000 bad URLs.) Users would have been constrained, not only from reaching malicious code, but also from reaching Web sites flagged by mistake (for example, by deceptive reporting, untimely re-indexing, or false positives in legitimate reporting).

Mozilla changed its mind. Like the in-progress Web standard for danger messages, this welcome change of heart means that users who are not otherwise censored will not be cut off entirely from parts of the Web. Brian Krebs of The Washington Post was the first to note false negatives, the errors in the other direction.

It has been said that Web 2.0 design is not insecure but it has expanded the attack surface, which is a fancy term for making things worse. The JavaScript language, which holds Ajax software together, is among the easiest for budding criminals to learn. In O’Reilly’s “Web Security & Commerce,” the authors said:

“Java and JavaScript are both here to stay, as both of the languages give web developers powerful techniques for creating new content for the Web. Unfortunately, both of these languages have profound security implications. The challenge for software vendors will be to discover ways of making the implementations of these languages secure enough so that users can download and run programs from any web site without fear.”

Simson Garfinkel and Eugene H. Spafford wrote that more than 10 years ago.

In graduate school in 1983, Fred Cohen shared his ideas, which became the foundation of antiviral software. For this 25th anniversary of computer antivirus research, celebrate with a “No, thank you” to scripts and a “Thank you!” for the Opera and Firefox developers who decided to keep the Web worldwide.

Susan Lesch owns Textet and lives in San Diego and Minneapolis. She owned Mac Virus 10 years ago, which David Harley operates.
