When you are connected to the Internet, your browser will automatically, or on your request, download web pages, photos or videos. This is what has made the Web successful and what Web 2.0 sites use extensively to provide the best possible user experience.
But one can legitimately wonder whether the browser is not too credulous in following all those links. If a Chinese website contains links to your Intranet images or embeds a part of your bank's website, your web browser will not be bothered. And you?
In the cat-and-mouse game between hackers and security researchers on one side and developers on the other, the advantage is more than ever with the cats. As the Web is used more and more, especially for business, important security vulnerabilities are still present:
- XSS (Cross-Site Scripting): a vulnerability in a website which can be used to run attacker-supplied script in the context of that site, bypassing the ‘same origin policy’ protection. This can be used to steal the user’s session cookies.
- CSRF (Cross-Site Request Forgery): a lack of control in a website which can be used to trigger actions (sending email, changing a password, …) on a website where the user is authenticated, without any action by the user. A few weeks ago, a study revealed that some major websites still have CSRF vulnerabilities. Among them, the website of INGDirect could be used to transfer money…
- Clickjacking: a (recent) technique where an authenticated website is loaded invisibly behind another page and the user is tricked into clicking inside the authenticated website. This can be used to make the user perform actions without realising it. A demo can be seen here.
- Intranet scanning: use of JavaScript (or other browser features) to scan servers located on the private network. This can be used to identify software and services and interact with them.
- DNS rebinding: an abuse of the DNS protocol which can be used to circumvent the ‘same origin policy’ protection and execute remote code on an authenticated website.
It is often recommended to connect to a website holding sensitive information only from a browser with no other open windows or tabs. But who really restarts their browser before connecting to the bank’s website? Who never browses with a tab open on the corporate Intranet or webmail?
Aware of these problems, I have spent a long time thinking about how to easily partition browsing sessions using trust levels. It is normal that my Intranet contains links to the Internet, but it is not normal that an external website contains a link to my Intranet. In a previous life, I successfully implemented this kind of filtering at the perimeter level (firewall), but HTTPS and JavaScript are easy ways to circumvent that. The only way to filter effectively is to do it directly in the browser.
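The partitioning rule stated above (Intranet pages may reach the Internet, Internet pages may never reach the Intranet) as an added example in Python; it is not code from this post or from commonIT's Virtual Browser. It goes a little beyond the text by also treating private IP literals and external names that resolve to private addresses (the intranet-scanning and DNS-rebinding cases listed earlier) as Intranet. The zone suffixes, hostnames and the stand-in resolver table are all constructed.

```python
"""Added example: a browser-side trust-zone policy for sub-requests.
Not code from the post or the Virtual Browser product; all names are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: domain suffixes the user considers part of the Intranet.
INTRANET_SUFFIXES = ("intranet.example", "mail.example")

# Constructed stand-in for DNS resolution (hostname -> IP literal).
# "rebind.test" models DNS rebinding: an external name pointing at a private address.
FAKE_DNS = {
    "wiki.intranet.example": "10.1.2.3",
    "www.example-bank.test": "93.184.216.34",
    "evil.test": "93.184.216.35",
    "rebind.test": "10.0.0.5",
}

# Address ranges treated as "private network" (RFC 1918, loopback, link-local, ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7")]


def is_private_ip(ip: str) -> bool:
    """True if `ip` (an IP literal) falls in one of PRIVATE_NETS. Raises ValueError otherwise."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def zone_of(url: str, resolver=FAKE_DNS) -> str:
    """Classify a URL as 'intranet' or 'internet'.

    A host is Intranet if it is a private IP literal, matches a trusted suffix,
    or resolves to a private address (which catches the DNS rebinding case)."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        if is_private_ip(host):
            return "intranet"
    except ValueError:
        pass  # not an IP literal, fall through to name-based checks
    if any(host == s or host.endswith("." + s) for s in INTRANET_SUFFIXES):
        return "intranet"
    resolved = resolver.get(host)
    if resolved is not None and is_private_ip(resolved):
        return "intranet"
    return "internet"


def allow_subrequest(initiator_url: str, target_url: str) -> bool:
    """The post's rule: block only Internet -> Intranet; every other direction is allowed."""
    return not (zone_of(initiator_url) == "internet" and zone_of(target_url) == "intranet")
```

`allow_subrequest` is the hook a browser (or extension) would call before fetching an image, frame or script on behalf of a page; the same check applies to redirects, which otherwise become a second way for an external page to reach inward.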

With the creation of commonIT, I have tried to introduce the concept of session partitioning in the core of the Virtual Browser product. With the virtualization of the browser, session partitioning and mobility, Virtual Browser is an effective and innovative solution for secure browsing.
Tags: partitioning, virtual browser, web security

Trackback link
http://commonit.com/blogs/en/2008/11/18/do-you-trust-your-browser/trackback/