26/09/2020 | Reading time: 4 minutes
Web browsers have come a long way since 1990. The first one to be conceived was called WorldWideWeb (not to be confused with the abstract information space) and quickly renamed to Nexus. It was developed by Sir Tim Berners-Lee and was made for FTP file sharing, limited streaming services and to access Bulletin Board Services.
This is what Nexus looked like in 1990 (Source)
What followed can only be defined as an explosion of the internet and web browsers. From Mosaic and Lynx in 1993, followed by Netscape Navigator in 1994, Opera in 1995 and then the Internet Explorer 1.0 in August 1995, these pieces of software quickly became an essential part of our lives. Netscape launched their browser saying:
“Available for all popular desktop environments, Netscape is a powerful commercial navigator for the Internet, offering point-and-click network navigation. It is optimized to run smoothly over 14.4 kilobit/second modems as well as higher bandwidth lines, delivering performance at least ten times that of other network browsers. Netscape provides a common feature set and graphical user interface across computers running the Microsoft Windows, Macintosh, or X Window System operating environments.”
They would go on to create the Mozilla Foundation which led to Firefox, Apple used Internet Explorer upto 2003, when it finally came up with Safari and Google jumped into the race with Chrome in 2008. What stands today is the result of repeated stages of evolution of the software. It became so important for these megacorps that it led to browser wars. Today, using them you can :
- Retrieve + Render content from the web and display it. This includes sophisticated web pages, pictures, streaming media and document formats like PDFs.
- Administer accounts, embedded systems or even web servers remotely.
- Create content with a number of services like Google Drive, Adobe Creative Cloud or Microsoft Office 365. These even do away with the need to store user data on your HDD and use the Cloud.
In 2020, an estimated 4.8 Billion people are internet users. With widespread use like this, common sense dictates that browsers would be a natural target for attackers. Therefore, it is imperative that we work on securing them. Below is a bird’s eye view of the threat models they mitigate and address (Keep in mind, these are brief summaries and not intended to be a result of thorough academic research)
Threats to web browsers can come from a variety of sources. As an example, it can either be an unreliable addon or use of same origin policies. The former extend your browser’s functionality in a number of ways. However, carefully crafted attacks on vulnerable addons could result in an attack on your system. The attacker could gain unauthorized access to sensitive information.
On the other hand, violating the same-origin policy involves the web content violating access-control policies enforced by your browser. These separate content of different domains. It has been said that numerous incoherencies in access control policies still exist.
Some more examples would be session hijacking, cross-site scripting (XSS) and Cross-Site Request Forgery (CSRF). It should be noted that sometimes these are due to server security problems - modern browsers should be equipped to detect them nonetheless. Most modern browsers support adequate sandboxing of browser tabs as well - as these can lead to content leakage.
Do we take these for granted?
There’s a lot going under the hood that protects you when you’re online. We’ll briefly go over some basic security requirements which ought to be fulfilled by each modern web browser:
User Data Protection: Done by essentially separating local and session storage. Your browser does this based on protocols, domains and ports. Making sure each session’s storage is accessible only from the originating window or tab and gets deleted once it closes.
Provide an option for Cookie Blocking: Referring to third party cookies.
Sandboxing rendering processes: There are certain restrictions that the browser must adhere to while it is rendering a web page or an application on your computer. For example - the process should only access part of the file system which is dedicated to your browser. It should also have reduced privileges with respect to other browser processes.
Same Origin Policy : This one’s really important. It means that your browser only permits scripts contained in a web page to access data in another web page iff both these pages are from the same origin.
Secure cookies over HTTPS: It is your browser’s responsibility to make sure that cookies containing a “secure” attribute in the header are sent over the HTTPS protocol.
Alert the user if they’re being tracked: Certain websites or PWAs require access to your geolocation, microphone, camera or browser preferences. You should always be informed if that’s the case.
Preventing automatic file executions: It makes sure no downloaded content is launched automatically. It also gives you an option to either save or discard downloaded files. [Note: this doesn’t include any mobile code, scripts, or add-ons]
Preventing loading of unsigned code: Your browser provides you with the option to discard unsigned, untrusted or unverified mobile code. These include ActiveX, (the now depreciated) Flash or Java.
Verifying addons: Your browser makes sure it can cryptographically verify extensions you download from the web store. Piggybacking on this point, it prevents automatic installation of add-ons (remember that small pop-up confirmation before installing a new extension)?
Despite so many security measures in place, we often read about creative ways nefarious attackers use to find loopholes. The modern web browser has come a long way and is capable of so much more now. You, being a developer, know more about this than anyone else. The web is not perfect, neither are the browsers. Yet it’s nice to stop once in a while to appreciate the hard work that has gone into these wonderful pieces of software.
ps: If you hated reading this, tag me on twitter and rant (okay, well maybe a little politely?)