Sunday, May 15, 2022

An open appeal to major browser developers!

In several of my past blog posts, which seem more like rants, I mentioned the latest and greatest advance in technology and the threat posed by that advanced technology. Certain equipment exists, something like a fleet of micro-drones, that is capable of viewing, recording video and audio, screenshotting, whispering, replaying audio, mind-reading, simulating clicks, causing laser burns and sending electric pulses. This equipment is in the hands of the wrong people, who have been misusing it for the past several years.

In another blog post, I mentioned the problems with short URLs for sessions, i.e., sending an email with a URL containing an ID and retrieving user details based on that ID: Some security vulnerabilities in SalesForce.

This morning while having coffee, I thought: what if web browsers were designed to be secure by default? For example, instead of having millions of websites implement long IDs, what if web browsers showed only the domain and sub-domain part of the URL and hid the rest by default? If the 3-4 major browser vendors made such a change, 90% of netizens would be safer. The details of the proposal are provided below.

1) Don't show long IDs in the address bar. For example, for https://subdomain.domain.com/webpage?id=1234567890, show only https://subdomain.domain.com, to prevent phishing attacks.

2) If for any reason the user wants to see the full URL, display a "reveal URL" button; clicking the button reveals the full URL.

3) Add a setting to change the default mode, but make it secure by default, i.e., hiding the rest of the URL would be the default option.
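As an added illustration of the three points above (not code from this post or from any browser), the function below computes the "secure by default" address-bar view: the display string is scheme plus host, the full URL is kept for the reveal button, and the view also records whether anything was hidden and flags URL features that are commonly abused in phishing (embedded credentials and punycode hosts). It uses the standard WHATWG URL parser available in Node.js and browsers; the function and field names are my own choices.

```javascript
// Added example: compute what a "secure by default" address bar would show.
// Returns { display, full, hidden, warnings }:
//   display  - what the address bar shows by default (scheme + host, incl. port)
//   full     - what the "reveal URL" button would show
//   hidden   - true if a path, query or fragment was suppressed from display
//   warnings - phishing-relevant URL features a browser should surface
function addressBarView(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser: normalizes host, splits userinfo, etc.
  } catch (e) {
    // Not an absolute URL: nothing safe to display as an origin.
    return { display: null, full: rawUrl, hidden: false, warnings: ['not a valid absolute URL'] };
  }

  const warnings = [];
  // "https://bank.example@evil.example/" reads like bank.example to a human,
  // but the parser puts "bank.example" in username and the real host is evil.example.
  if (u.username !== '' || u.password !== '') {
    warnings.push('credentials embedded in URL');
  }
  // Internationalized hosts are stored in punycode ("xn--..."); they can visually
  // impersonate other domains, so a browser should call them out.
  if (u.hostname.split('.').some(label => label.startsWith('xn--'))) {
    warnings.push('internationalized (punycode) host');
  }

  // Point 1 of the proposal: everything after the host is hidden by default.
  const hidden = u.pathname !== '/' || u.search !== '' || u.hash !== '';

  return {
    display: `${u.protocol}//${u.host}`, // u.host keeps a non-default port, e.g. example.com:8443
    full: u.href,                          // point 2: shown only on "reveal"
    hidden,
    warnings,
  };
}

// Constructed sample URLs, including the example from the post.
const sampleUrls = [
  'https://subdomain.domain.com/webpage?id=1234567890',
  'https://bank.example@evil.example/login',
  'https://xn--80ak6aa92e.com/',
];
for (const s of sampleUrls) {
  console.log(JSON.stringify(addressBarView(s)));
}
```

The `hidden` flag is what a browser would use to decide whether to render the reveal button at all; an origin-only URL has nothing to reveal.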


Request - 2:

Another request is to lock web browser activity, i.e., any browser history, cookies, or session data should be securely stored on the disk, and when the user starts the browser, some kind of MFA should be used to unlock the cookies and sessions. For example, requiring YubiKey MFA!



Request - 3:

This is in connection with Request - 2: do not persist any session-specific information in plain text to the disk. Always encrypt session-related information to the disk under a key derived from MFA. When the next browser session starts, if the user is unable to log in to the browser via MFA, treat the browser like private-mode browsing.

If the major web browser developers implement the above features, we would be securing 90% or more of netizens from the imminent threat.

