Difference between revisions of "Trusted Browser"
From MgmtWiki
Latest revision as of 10:50, 6 November 2023
Full Title or Meme
The best User Agent on an internet connected device is a User Trusted Browser, one that works only in the user's best interests.
Context
Currently nearly all HTTP traffic is initiated by 4 browsers, all of which are tracked within the blink-dev community (blink-dev@chromium.org). The primary source code repos are Chromium (Google) and WebKit (Apple).
Problems
- The User Agent string that the browser sends in the HTTP header is now used simply to tell the web server what sort of HTML the client can process. It is routinely spoofed and has no security capability whatsoever.
- Any user agent comes with the ability to add extensions, which can compromise any security guarantee provided by the developers (https://news.wisc.edu/from-to-ezacces-your-browser-extension-could-grab-your-password-and-sensitive-info/).
- The makers of Smart Phone browsers are working to improve the security of the browser experience; details are given in the following section.
Solutions
- Same-site policy has been added and slowly enhanced to block cross-site request forgery attacks (CSRF or XSRF) by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain. https://caniuse.com/#feat=same-site-cookie-attribute describes the varying impact this policy has on users of the various browsers. The challenge for Single Sign On efforts with an Identifier or Attribute Provider at a different site than the Relying Party is that they rely on cross-site cookies to pass user credentials from one site to another. The problem introduced with iOS 12 from Apple is described at https://github.com/IdentityServer/IdentityServer4/issues/2595.
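An added example, not part of the wiki page: a small Python model of the SameSite rule described above, used to show why an Identifier Provider's cross-site form POST back to the Relying Party loses a Lax (or Strict) cookie while a same-site request keeps it. The host names, cookie names and the tiny public-suffix set are constructed for the example; real browsers use the full Public Suffix List.

```python
# Added example (not the wiki's own code): minimal model of SameSite cookie
# attachment, enough to reproduce the cross-site SSO breakage described above.
from dataclasses import dataclass

# Constructed, heavily simplified public-suffix data (real browsers use the PSL).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host, e.g. 'login.idp.example.com' -> 'example.com'."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


@dataclass
class Cookie:
    name: str
    same_site: str = "Lax"   # "Strict", "Lax" (modern default) or "None"
    secure: bool = False


def cookie_sent(cookie: Cookie, initiator_host: str, target_host: str,
                method: str, top_level: bool) -> bool:
    """Return True if the browser attaches `cookie` to this request."""
    same_site = registrable_domain(initiator_host) == registrable_domain(target_host)
    if same_site:
        return True                   # same registrable domain: always sent
    mode = cookie.same_site
    if mode == "None":
        return cookie.secure          # SameSite=None is only honoured with Secure
    if mode == "Lax":
        # Lax allows cross-site cookies only on top-level navigations
        # that use a safe method, so a cross-site POST never carries them.
        return top_level and method.upper() in ("GET", "HEAD")
    return False                      # Strict: never on cross-site requests


def sso_callback_gets_cookie(cookie: Cookie) -> bool:
    """Constructed SSO scenario: the IdP at idp.example.org posts an assertion
    back to the RP at rp.example.com as a top-level form POST. The RP set
    `cookie` before redirecting and needs it back to finish the login."""
    return cookie_sent(cookie, "idp.example.org", "rp.example.com", "POST", True)
```

With the modern Lax default the RP's correlation cookie is dropped on the callback, which is the failure the IdentityServer4 issue reports; only SameSite=None together with Secure restores it.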
The following proposals are being evaluated:
- New browser based on Blink
- Align with some existing browser that wants to be considered the best
- Browser extensions can add features, but they are then within the trust boundary, so they become part of the problem (https://news.wisc.edu/from-to-ezacces-your-browser-extension-could-grab-your-password-and-sensitive-info/).
- Read every image on the page to see if it should be considered a trust-mark
- New element, tag on img (attribute or method)
References
- See the wiki pages for: Browser, User Agent and Identifier use in Browsers.
- OWASP
- Safe Browsing (Google): https://safebrowsing.google.com/
- Best Web Browser: 6 web browsers tested for features, privacy and battery life: https://www.trustedreviews.com/guide/best-web-browser
- The best secure browsers 2018 (Tech World): https://www.techworld.com/security/best-8-secure-browsers-3246550/