Web browsers and security unrecognizable over last 27 years

Interviewing ESET’s experts about the Web’s journey so far – part 3

All good things come to an end, and we’re rounding off our series of interviews to mark the 27th anniversary since computer scientist Tim Berners-Lee publicly announced the World Wide Web project

In the last in our series of articles focusing on 27 years of the World Wide Web, we’re joined by ESET Distinguished Researcher Aryeh Goretsky to hear what he has to say about the story of the Web so far and the role of security in it.

What were you up to on August 6, 1991?

In 1991, I was the head of support for McAfee Associates, which was far less glamorous than it sounds. I would have spent the day helping people download our software from our BBS, CompuServe and FTP servers on the Internet, as well as helping them to remove computer viruses.

How have the Web and the Internet as a whole changed over the past 27 years?

It is impossible to describe the impact the web and the internet have had, from an economic, social, or even security perspective. Once the realm of just a handful of technical people, the web has come to encroach on the lives of billions.

Did you expect the Web to revolutionize so many aspects of our lives?

My experience with the Internet dates back to 1989, but it wasn’t until several years later that I saw my first web browser. Around 1993 or 1994, I was working with a co-worker named Victor who had a very high-end computer (an incredibly powerful 80486 CPU with 16MB of RAM, color video card, etc.). Victor had installed UNIX onto his new computer, gotten TCP/IP networking to work, then installed X Windows and Motif in order to run NCSA Mosaic, the first well-known web browser. I remember him being so enthusiastic about it. “Aryeh, Aryeh, come here, you have to see this!” he exclaimed, then proceeded to sit me down next to his computer, where he loaded a text-only web page, resized the browser several different times to show how text reflowed and wrapped to fit the new dimensions of the browser window, and clicked back-and-forth through a few hyperlinks. Victor loudly proclaimed “This is the future of computing” and how it would change things.

I told Victor that he was crazy—it required too many steps for people to get a working TCP/IP stack installed, and Internet connections were too difficult for the average person to set up. I had managed to get it set up, barely, a few times, with help from our network admin, but it was still unreliable and crashed all the time. Victor insisted these were temporary issues, and the World Wide Web was our future.

Twenty-seven years later, I’m still working in computer security. Victor is retired, and I understand he owns a yacht that he sails up and down the west coast.

Let us now zero in on cybersecurity. How has the transition from the read-only (inert, one-directional …) Web 1.0 to the participatory (interactive, social …) Web 2.0 influenced security?

At the beginning, attacks on the web followed the model used by computer viruses in the past, in that the goal for them was pranksterism or vandalism. Defacement or deletion of web sites was common, and as the mid-1990s brought an explosion of insecure PCs running Windows to the ‘net, network-aware worms flourished. It wasn’t until the web became a platform for commerce with online stores, auctions and banking that criminals made the transition from simply destroying things to finding ways to exploit them for financial gain.

On a related note, how has the security of websites and web applications evolved over the years?

In the beginning, security was not a consideration at all, or treated as an afterthought, if at all. The way in which the web has changed to become a focus for communication, commerce, connectivity and even entertainment means that security has to be architected into everything as an integral part of planning any new product or service, and not only for itself, but for any dependencies on other software, service platforms and protocols.

One example of this is that many web sites now allow you to authenticate using credentials from popular social media services. But even if that authentication mechanism is secure, what happens when the web site’s implementation is not?

How resilient are web applications and servers to attacks ranging from DDoS to fuzzing? An attacker is going to make investments in targeting the weakest links (so to speak) in your architecture. If you are not carefully examining your website or application from the perspective of an attacker, you may be missing critical parts of the security equation for your service.

Browser-based attacks are effective and popular. What are the main security issues for web browsers?

The main security issue for web browsers is that they have, in some ways, supplanted the operating system and the applications which run on top of it in terms of threat targeting and attacks. When all of your work, your finances and, yes, even your social life in some way goes through the web browser, it becomes natural for attackers to examine it for ways in which they can exploit it. For a determined adversary, this means not just the web browser, but its ecosystem of plugins and extensions, the networks used for the web browser’s communications, and the servers at the other end.

Of the three, perhaps the networks carrying the traffic are the most difficult to secure, because unlike an application and its server, to which web developers can apply a secure modeling methodology and coding practices, the network connection is outside of their control. The web browser developer, on the other hand, has to account for the fact that any of these three might have their security bypassed, and still be able to provide some level of security—if only to notify the user that one or more portions of their web browsing experience are no longer secure.

What would make browsers less inviting targets and/or conduits for attacks?

Attackers are motivated by a number of reasons to target individuals and organizations, and a larger part of that targeting means looking for weaknesses in the tools used by the victims. In the case of the web browser, there is probably little chance of escaping that to use another program, but you can reduce the risk of victimization by using the latest web browsers and stripping them of unnecessary plugins and extensions. If a web service requires you to use an outdated web browser like Internet Explorer or plugins such as Adobe Flash or Oracle Java, look into replacing that service with one that is more secure.

What are your recommendations for making one’s browsing more secure?

The first step to browsing more securely is to make sure that the operating system it is installed on is up to date, because it makes no sense trying to secure the web browser if the operating system itself is easily compromised. Make sure that the operating system and commonly-used applications have the latest updates and patches installed, and the computer is running reputable security software from a trusted source. Then, make sure that you have the latest version of your web browser(s) installed, and that any unnecessary extensions or plugins are disabled or removed in order to reduce the attack surface of the web browser via third-party code. For sites that require you to log in with credentials, consider using 2FA of some sort to help mitigate the risk of password-reuse attacks.

Thank you, Aryeh! This concludes our series of interviews to mark the public debut of the World Wide Web project. For more insightful remarks, head over to our conversation with ESET’s Senior Research Fellow David Harley, while ESET’s Security Researcher Cameron Camp has provided his take in this interview.