‘Never trust the browser’ is a mantra that all developers and security experts live by. Of course! In essence it’s an engine designed for remote code execution. What’s there to trust? But, imagine the possibilities if it could be transformed into a secure platform.
Living in a hostile world
Cyber attackers are constantly looking for, and finding, security weaknesses: program errors and other flaws in web browsers. Looking back at 2014, they proved to be very successful. To name just a few examples: SSL was hacked – twice; ‘Shellshock’ exposed a UNIX vulnerability; and of course the Sony breach made global headlines.
Hackers exploit client-side systems to take control of computers, steal data, destroy files or even use your machine to attack other systems. And then there are software viruses or malware which can infect your computer. This is without mentioning the commercial extortion or phishing activities which are widespread.
But what about the users?
Of course there’s web security! Firewalls, DNS, HTTPS, digitally signed public certificates and extended validation certificates, to name but a few examples. They all have a role. But is it enough?
Most typical users are not tech savvy. Some users will just click a link with no thought; many don’t know how to secure their browsers; and others won’t install updates because they’ve been told not to download software they don’t recognise.
Despite the increasing security threats consumers continue to expect ease of use to be paramount. This can lead to functionality being put ahead of security requirements: perpetuating the dilemma. All in all, it’s a wonder why so many of us are constantly online. There has to be a better way.
Securing the point of interaction
Einstein rightly observed “we cannot solve our problems with the same thinking we used when we created them”. To start solving the web security problem we need to change the perception that the browser can’t be trusted. We need to secure the point of interaction – the web browser. It is possible!
Using a range of cloaking techniques you can ensure that any interaction – or business logic – happening via a web browser is protected. This includes:
- Signing and verifying that the code running in a browser is the desired code
- Detecting whether the code has been tampered with and be able to take action
- Validating the application and/or server communication to prevent ‘Man in the Middle’ attacks
What’s more, the security is embedded into the usability – consumers get security without having to do anything; businesses get certainty that they can trust their customer. Consumers and businesses are finally able to have the service they want without compromise.
Still not convinced that this is possible? In my next blog posts I will take you through some industry specific examples to explain the concept in more detail.