virtual browser

A few months ago, Checkpoint/ZoneAlarm launched ForceField, a “Virtualized Browser Security” solution. When you look at the product description, you can read:

“ZoneAlarm ForceField provides a protective layer around your browser, shielding you from drive-by downloads, browser exploits, phishing attempts, spyware and keyloggers. So your passwords, your confidential information, and your financial data remain protected“. ZoneAlarm then asserts that ”Nothing else protects you like ZoneAlarm ForceField“….

This seems very promising and could be a very good answer to the multiple browser security issues. But then comes the reality… maybe you’ve already read this excellent article from Infoworld that explains that Robert Grimes needed only 60 seconds to bypass ForceField protection. In fact, this is not really surprising; it was already the case when the same Grimes tested GreenBorder (bought by Google) a few years ago. This is not really surprising because it’s not the implementation of the “sandbox” technology which failed but the concept itself of using a sandbox to protect the web browser. Moreover, the experts at Checkpoint/ZoneAlarm themselves admit: for optimum security, you have to use an updated and secured underlying system !!! Where is the virtualization ? This type of product is just one more security layer you have to install and manage on the user workstation…

What’s the solution ? A REAL virtual browser, REALLY executing in a distinct environment, which doesn’t need an updated and secured underlying system to provide a ”stress-free Internet” experience.

I’m not a big fan of analogies. As a marketing guy I admit they are useful to explain some ideas that often, in our technical environment, are hard to understand for those not familiar with IT. But on the other hand, analogies are limited as soon as they over-simplify concepts that also take their strength from technology’s complexity. Whatever, because commonIT is born from an innovation that could interest everybody… I’ll attempt an analogy :

In Lyon, near commonIT’s headquarters, a unique centre named IWAY has been opened. There, you can try Formula 1 driving in a simulator so realistic even professional drivers were amazed. The analogy with commonIT and our product Virtual Browser is interesting. Imagine you drive a Formula 1 car in a simulator so realistic that everything is just like on a real track: you reach the same speed, feel the same sensations, use the same technologies and the same security mechanisms… But if you crash you do not risk anything. Replace the track with Internet, the Formula 1 car with your web browser, the crash with a computer virus and you get the Virtual Browser concept: the certainty that data and applications can’t be compromised even if an attack occurs.

Among the huge number of discussions that led to the founding of commonIT, a key one took place between Daniel and I when monitoring the growth of the Web 2.0 phenomenon that, with its many benefits introduced whole new families of threats. P2P, IM, Social Networking etc. Each service has the same problem: data and users are connected to complex applications that security products are not able to analyze in depth. No security solution is 100% effective. Every vendor will confirm that. And that’s the point. Because of the exponential growth of new Internet services, security products need big investments for incremental results. During this discussion with Daniel, we tried to think differently from the way our industry has traditionally operated: Instead of adding new software (antivirus, antispam, antispyware, antiphishing, antiwhatever, increasing the load on security appliances or users’ devices, impacting performance with less and less effective security functions) we challenged security product architectures themselves. We wondered how it could be possible to create a product that guarantees, in its architecture, 100% security for data and web applications.

Later (and about 10 years after he designed an architecture later baptised UTM – Unified Threat Management by IDC), Daniel invented Virtual Browser, a “secured by design” product. Virtual Browser is a web browser which executes web code on a secured server instead of running it on the laptop/desktop PC, only the image and the sound of the web application reach the user’s device. Thanks to this architecture, even if an attack is not stopped by the high level security system, data, applications and the whole network can’t be compromised.

When you are connected to Internet, your browser will automatically, or on your request, download web pages, photos or videos. This is what has made the Web successful and that Web 2.0 sites use extensively to provide the best possible user experience.

But one can legitimately wonder if the browser is not too credulous in following all that links. If a Chinese website contains links to your Intranet images or includes a part of your bank website, your web browser will not be bothered. And you ?

In the cat-and-mouse game opposing hackers and security researchers to developers, the advantage is more than ever with the cats. As the Web is more and more used, especially for business, important security vulnerabilities are still present :

• XSS (Cross-Site Scripting) : A vulnerability in a website which can be used to execute remote code by bypassing the ‘same origin policy‘ protection. This can be used to steal the user’s session cookies.
• CSRF (Cross-Site Request Forgery) : A lack of control in a website which can be used to execute actions (send email, password modification, …) on authenticated websites without any action of the user. A few weeks ago, a study revealed that some major websites still have CSRF vulnerabilities. Among them, the website of INGDirect could be used to transfer money…
• Clickjacking : (Recent) technique where an authenticated website is loaded in the background of a page and the user is fooled to click in the authenticated website. This can be used to fool the user to do some actions. A demo can be seen here.
• Intranet scanning : Usage of Javascript (or not) for scanning servers located on the private network. This can be used to identify software and services and interact with them.
• DNS rebinding : Exploitation of the DNS protocol which can be used to circumvent the ‘same origin policy‘ protection and execute remote code on an authenticated website.

It is often recommended to connect to a website with sensitive information only from a browser with no other open windows or tabs. But who really restarts their browser before connecting to the bank’s website ? Who never browses with a tab open on the corporate Intranet or webmail ?

Aware of these problems, I have spent a long time thinking about how to easily partition browsing sessions using trust levels. It is normal that my Intranet contains links to Internet, but it is not normal that an external website contains a link to my Intranet. In a previous life, I successfully implemented this kind of filtering at the perimeter level (firewall) but HTTPS and Javascript are easy ways to circumvent that. The only way to filter effectively is to do it directly in the browser.

With the creation of commonIT, I have tried to introduce the concept of session-partitioning in the core of the Virtual Browser product. With the virtualization of the browser, session-partitioning and mobility, Virtual Browser is an effective and inovative solution for secure browsing.