Browser Security

From MgmtWiki

Full Title or Meme

Browsers run on the user's device, but essentially all content comes from sites that the user may not know or Trust.

Context

There has been an ongoing effort to make Progressive Web Apps have all of the functionality of a native app that the user has chosen to install on their computing device.

Problems

From the point of view of the security of users' devices, as well as of external content, the following issues have been noted.

  1. Nearly all JavaScript (as well as WebAssembly) is provided by web sites and must be considered hostile to the user's security.
  2. Smartphone operating systems generally support strong cross-site protections. PCs not so much.
  3. The WICG (Web Incubation Community Group) as well as other W3C groups are actively expanding the capability of code supplied by web sites and run as a part of the browser.
  4. The capability of the user's device to support Artificial Intelligence is expected to grow exponentially starting with 2023.
  5. The ability of web-loaded code to determine user behaviors and secrets via scraping and side-channel attacks will grow with AI.
    1. The ability for AI to convert screen displays into text is one such attack.
    2. Other sites' proprietary content is also subject to attack, and those sites might have contractual relationships with the user.
  6. As more browser features, like JavaScript capabilities, are determined to be subject to attacks, browsers that are sensitive to user security will block the features and web sites will start failing unexpectedly on some browsers and some devices.
  7. As operating systems become more accommodating to user security, sites that use some innovations will start to fail after operating system updates.
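
Items 6 and 7 describe sites failing unexpectedly once a browser or operating system blocks a feature. The following is an added example, not part of the original page, of one way a site can probe for features at startup and choose a planned fallback instead; the feature list, function names and sample `navigator` objects are assumptions constructed for illustration.

```javascript
// Added example: `nav` stands in for the browser's `navigator` object.
// Each probe is true only when the API is present and callable.
const PROBES = {
  clipboardRead: (nav) => typeof nav.clipboard?.readText === "function",
  usb: (nav) => typeof nav.usb?.requestDevice === "function",
  screenCapture: (nav) => typeof nav.mediaDevices?.getDisplayMedia === "function",
};

// Sort features into usable / degraded (optional, missing) / fatal (required, missing).
function probeFeatures(nav, required, optional) {
  const report = { usable: [], degraded: [], fatal: [] };
  for (const name of [...required, ...optional]) {
    let ok = false;
    try {
      ok = PROBES[name] ? PROBES[name](nav) : false; // unknown names count as missing
    } catch (err) {
      ok = false; // treat any exception raised while probing as a blocked feature
    }
    if (ok) report.usable.push(name);
    else if (required.includes(name)) report.fatal.push(name);
    else report.degraded.push(name);
  }
  return report;
}

// Decide at startup, before any feature is called, how the page should behave.
function startupDecision(report) {
  if (report.fatal.length > 0) return "refuse: missing " + report.fatal.join(", ");
  if (report.degraded.length > 0) return "run-degraded: without " + report.degraded.join(", ");
  return "run";
}

// Constructed sample environments (not captured from any real browser).
const permissiveNav = {
  clipboard: { readText: async () => "" },
  usb: { requestDevice: async () => ({}) },
  mediaDevices: { getDisplayMedia: async () => ({}) },
};
const hardenedNav = {
  get clipboard() { throw new Error("SecurityError (constructed)"); },
  mediaDevices: {}, // getDisplayMedia removed; usb absent entirely
};

console.log(startupDecision(probeFeatures(permissiveNav, ["clipboardRead"], ["usb"])));
console.log(startupDecision(probeFeatures(hardenedNav, ["screenCapture"], ["usb"])));
console.log(startupDecision(probeFeatures(hardenedNav, [], ["clipboardRead", "usb"])));
```
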

Solutions

  • Enterprise mobile device management can be enforced on Smartphones provided to employees, but there will be resistance to such intrusive control of devices that are privately owned, or owned by another Enterprise.
  • While the "Free" browsers that are used by most people have some level of security, Enterprise-level security needs to demand a Secure Browser that will enforce a greater level of security, as needed for valuable Enterprise proprietary information.
