Gotta have standards? Security boffins not API about bloated browsers

The W3C introduces API standards that end up mostly unused, doing nothing more than loading up the code base with vulnerabilities. That's the conclusion of a paper by University of Illinois, Chicago researchers to be presented next week at the ACM's Conference on Computer and Communications Security in Dallas. Chrome 56 …

  1. Charles 9

    How about a push away from an interactive Web that is probably behind most of the exploits and vulnerabilities. Now, perhaps a little information is needed, but they should be in overly broad terms, like if it's a desktop or a phone since that can have significant effects on readability. But anything that doesn't have a significant make-or-break effect should not be considered important enough to include.

    Leave interactivity to protocols meant for it like VNC.

  2. Anonymous Coward

    From being a window on the world...

    ... to a window to snoop on you. That's what browsers became.

    I would like a neutered one unable to do anything but showing web pages. A real "browser", not some kind of satanic application trying to steal my soul....

    1. Dan 55 Silver badge

      Re: From being a window on the world...

      Explorer integration looks positively tame now. This hands over hardware control on a plate.

    2. Anonymous Coward

      Re: From being a window on the world...

      "I would like a neutered one unable to do anything but showing web pages. A real "browser", not some kind of satanic application trying to steal my soul...."

      Got some old PCW 'coasters' somewhere... bound to be one with Netscape on it (or even AOL and CompuServe 3.5" floppies)

    3. handleoclast

      Re: From being a window on the world...

      Such a browser exists. It's a bit minimalist, though. It's called Lynx.

      Lynx doesn't do JavaScript or DOM fiddling. But that's probably what you want to keep your soul safe.

      One good thing about Lynx is it's a great content filter. If a website is incomprehensible in Lynx the chances are it's not worth looking at (for small values of "not worth looking at").

  3. Ottman001

    These features are useful to someone but having them available to any script on a page is obviously increasing the attack area available.

    There should be some way to turn on APIs that can't be done in code. For instance, add tags within the head of a HTML document that first switch off all APIs (we always have to think of backwards compatibility) and then list the APIs required by the page.

    1. Anonymous Coward

      You don't need that. The standards and/or browsers define which APIs are sensitive and request permission whenever they are called anyway.

      If you go to a page that wants your location for instance you will have to confirm (once/always for this site) whether you want to allow it.

      The key is whether the APIs are vulnerable or the APIs can be mishandled. Having a look at the light sensor examples I struggle to see much of a security risk based on those examples for instance (the history grabber can be done through CSS much easier). Activating the vibrate 'feature' is just a pain as it's normally dodgy ads that make use of it to try to 'attract' your attention to let you know that you are infected with 1678 viruses.

      It's all about the adoption of mobile web and away from native apps. The biggest reason for native apps has always been the access to hardware. Access to these APIs allows a developer to create web apps instead and not rely on downloads, installs and wrappers. They aren't really designed for 'normal' websites so much.

      1. Charles 9

        "It's all about the adoption of mobile web and away from native apps. The biggest reason for native apps has always been the access to hardware. Access to these APIs allows a developer to create web apps instead and not rely on downloads, installs and wrappers. They aren't really designed for 'normal' websites so much."

        Which again feels like cramming a square peg into a round hole. After all, didn't we try this with Java? Why not make it simpler to create multiplatform native apps? What makes the Web so useful over things like Java anyway?

      2. find users who cut cat tail

        Even if the browser asks for confirmation and I say no and that is what happens, these APIs increase the attack surface -- for no good reason. The corresponding code should not be there at all.

      3. Ottman001

        I am well aware that some APIs still require user permission. You have missed the point, AC.

        The point is that having all these APIs is like including every possible dependency in an application unnecessarily. It really is a first principle of secure design to eliminate functionality that is not needed. Like closing ports in a firewall even if there is no service listening on it or running an application with the fewest permissions, you DO disable capabilities that aren't even used. A system with a vulnerability is one that is capable of being used in ways you didn't expect.

        1. Anonymous Coward

          "It really is a first principle of secure design to eliminate functionality that is not needed."

          But you have more choice for a browser than you could ever need, so you can choose a browser with as limited a feature set as you require, even down to using Lynx. So if you really believe that you wish to be as secure as possible with as small a code-base as possible then choose another browser, it really is that easy.

          1. Charles 9

            Except that the web designers don't code for the least common multiple in mind. Meaning trying to use Lynx or some other simple-minded browser is an exercise in trying to drink sludge. Not even the damn Freenet frontend seems to appreciate an honest attempt to limit the attack surface and expects features that probably should never have seen the light of day.

            IOW, the ONLY way to get things done, it seems, is to overly expose oneself to danger. Do we really want this?

          2. Ottman001

            At AC, you seem to think it is entirely the user's responsibility to keep themselves safe, even from unknown attacks. I disagree entirely. Users taking measures to protect themselves is always a good thing but your example is extreme to the ridiculous.

            It is my viewpoint, as a software engineer developing using web technologies, that it is the responsibility of people like me to do everything they can to eliminate even the possibility of unexpected attacks. My suggestion would greatly help that goal.

            The suggestion can be improved with an additional attribute in script tags to revoke API permissions. Third party adverts script? Vibrate off, XHR off, Bluetooth off, USB off, file system off, locations services off, camera access off, etc.

            1. Charles 9

              "The suggestion can be improved with an additional attribute in script tags to revoke API permissions. Third party adverts script? Vibrate off, XHR off, Bluetooth off, USB off, file system off, locations services off, camera access off, etc."

              The big thing is that browsers can just ignore them, probably because users (who don't know better) demand the browsers have more holes than a wheel of Emmentaler. Plus third parties can probably just disguise their scripts or otherwise find ways to get more permissions than they should.

              The REAL real solution is to simply not offer them, in spite of user protests, because it's too much a security risk. Users are demanding too much of their browsers and are essentially opening themselves up to trouble. JavaScript, extensions, and interactivity in general opened a real Pandora's Box IMO, because it opened a back channel, and that's where the trouble really started.

              1. Ottman001

                @Charles 9,

                "The REAL real solution is to simply not offer them"

                Mostly we're talking about features that should never have been permissible on the open web. Applications based on web technologies may well need these features but the web does not. It would be good to constrain these features to the particular environments to which they're suited.

                But now it's a bit too late. Any suggestion to break back compatibility won't get very far so with that in mind, I was suggesting a practical way forward.

                Allowing the developer to select which liabilitiesAPIs their application can use is still a good idea for all environments.

                1. Charles 9

                  No, because it STILL means the browser has to support ALL of them, in case a web app asks for it, and the mere existence of this support means it can be abused and even exploited. It's basically all or nothing.
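Added example, not part of any comment above and not code from the article or the paper: the per-page API opt-in proposed in this sub-thread resembles the Permissions-Policy HTTP response header, which has no "switch everything off" form, so a deny-by-default value has to name each feature. The feature list is a constructed subset and the function names are hypothetical.

```javascript
// Constructed subset of policy-controlled features; not an exhaustive registry.
const KNOWN_FEATURES = [
  "accelerometer", "ambient-light-sensor", "bluetooth", "camera",
  "geolocation", "gyroscope", "magnetometer", "microphone", "usb",
];

// Build a header value that disables every known feature except those in
// `required`, a map of feature name -> allowed origins ("self" or a URL).
// The policy applies to a whole document or frame, not to a single <script>.
function buildPermissionsPolicy(required = {}) {
  for (const name of Object.keys(required)) {
    if (!KNOWN_FEATURES.includes(name)) {
      throw new Error(`unknown feature: ${name}`);
    }
  }
  return KNOWN_FEATURES.map((feature) => {
    const origins = (required[feature] || [])
      .map((o) => (o === "self" ? "self" : `"${o}"`));
    return `${feature}=(${origins.join(" ")})`; // "()" is the empty allowlist
  }).join(", ");
}

// Audit an existing header value: features it never mentions keep the
// browser's default allowlist, so they are reported separately.
function auditPermissionsPolicy(headerValue) {
  const declared = new Map();
  for (const entry of headerValue.split(",")) {
    const m = entry.trim().match(/^([a-z-]+)=(\*|\((.*)\))$/);
    if (!m) continue; // skip entries this simple parser does not understand
    const allowlist = m[2] === "*" ? ["*"] : m[3].split(/\s+/).filter(Boolean);
    declared.set(m[1], allowlist);
  }
  return {
    disabled: KNOWN_FEATURES.filter(
      (f) => declared.has(f) && declared.get(f).length === 0),
    leftAtDefault: KNOWN_FEATURES.filter((f) => !declared.has(f)),
  };
}

// A page that needs only same-origin geolocation.
console.log("Permissions-Policy:", buildPermissionsPolicy({ geolocation: ["self"] }));
// Constructed sample of a partial header: seven features stay at their default.
console.log(auditPermissionsPolicy("camera=(), usb=()"));
```
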

  4. Anonymous Coward

    Old man shouts at cloud

    Bring back Gopher!

    1. Dan 55 Silver badge

      Re: Old man shouts at cloud

      It never went away.

  5. deive

    Surprise surprise; new features have more bugs than old features???

    Sure all the new standards could be removed... then the websites that use them would go back to proprietary standards such as flash and f**king silverlight.

    1. Charles 9

      Why not switch to standards they were meant to use? Why cram interactivity onto a protocol designed for passive reading instead of using something designed for the job like VNC?

      1. sabroni Silver badge

        The apis are accessed from JavaScript, not html. It's a language not a protocol. Yes, the attack surface is made larger by these apis. However, all these features are available to native apps too. Why is downloading an executable less risky than downloading a script that runs in a browser?

        This is only half a report as it doesn't compare browser usage of these apis to native app usage of them and the associated risks.

        1. Charles 9

          Because each separate app only has the permissions it actually uses instead of the browser being forced to have all of them at once and becoming more an OS unto itself.

  6. Daniel von Asmuth

    The world needs a meta-standard

    We need a meta-standard like a constitution so W3C knows what standards to decree, as if XML, Unicode, ASCII, XHTML, TCP/IP, DNS, and HTTP are not enough....

    1. alisonken1

      Obligatory XKCD on meta-standards ...

      https://xkcd.com/927/

  7. Christian Berger

    There is a political decision behind this

    All of our current browsers are made by companies, some by for profit ones, some by non profit ones. All want to maximise dependency on them. If you had a browser which just worked and was bug free, you'd never upgrade. Eventually you end up like GnuPG which is finished, yet there is a small company behind it wanting to earn money.

    So every player in the field has an interest in there being more and more standards. Every new standard means that users will have to update. Every new standard raises the entrance level for new competitors. So every new standard is good for the already existing browser companies.

    1. Charles 9

      Re: There is a political decision behind this

      IOW, every browser maker wants to be like Google, where they can actually make the browser INTO the OS itself.
