[Cryptography] defaults, black boxes, APIs, and other engineering thoughts
Joe St Sauver
joe at oregon.uoregon.edu
Sun Jan 5 18:07:00 EST 2014
Hi,
Jerry commented:
#For what it's worth, I think Chrome is probably, across time, the most
#secure, because Google puts a huge amount of effort involving a really
#experienced team into making it so.
The Educause Technologies, Operations and Practices (formerly Educause
Security Effective Practices) working group started an effort to make
recommendations that would help higher ed people improve the security
and privacy of their browser configs. I'd naively assumed that would
be a relatively straightforward task, but I've increasingly come to
appreciate just how subtle that objective actually was, even when it
comes to something as seemingly straightforward as choice of browser.
For example, you mentioned Chrome, a very popular browser. There's a lot
to like about Chrome, including the fact that it supports TLS 1.2, and
the way it supports IPv6 (by way of contrast, Firefox still is stalled at
TLS 1.1, and even when network connectivity is dual stack, Firefox still
prefers IPv4 over IPv6). And there are many more features in Chrome that
are really great, too.
On the other hand, Chrome is produced by the Internet's largest and most
successful online marketing enterprise. Perhaps not surprisingly, at
least some have been critical of its user tracking provisions, and how
Chrome handles privacy issues (e.g., see for example
http://www.pcmag.com/article2/0,2817,2373860,00.asp , although I give
Google credit for doing a good Chrome Privacy white paper, *if* people
bother to read it, see
https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html ).
If you are ever feeling bored and/or paranoid, install Little Snitch on
a Mac and fire up Chrome. You'll be surprised at the amount of outbound
traffic you'll see that you didn't explicitly originate when you're
running Chrome in its default configuration.
What does this mean? Well, fundamentally, there may be tensions between
browser security and privacy, where emphasizing one may require
compromises when it comes to the other.
#I place some amount of trust in Safari, but that's a matter of
#statistics, not anything special about the code: People aren't
#attacking it as much. (Apple seems to have been getting ever
#more serious, but how far they've come is hard to judge.)
My concern with Safari starts with the fact that Safari on at least
some operating systems has been "orphaned" -- for example, Safari
for Windows has been frozen at 5.1.7, which is distressing if you
believe Safari releases since then have fixed important security-related
bugs. (See http://support.apple.com/downloads/#safari to see what
versions are available for various platforms.)
We could also talk about IE, but in that case, there's no version
for Mac OS/X (which makes that a moot option when it comes to using
it in my case, unless I want to do something like run a Windows VM
for browsing purposes).
There is also Opera, but the scarcity of its adoption makes any user
using it "stand out from the crowd," which is the antithesis
of what a privacy and security-concerned user may want. (The same
can be said for all the other uncommon browser options.)
Like I say -- choice of browser for the security *and* privacy
concerned users can be tough.
#I just don't see how they can possibly be made secure.
You need to break a *lot* of functionality, particularly if you want
a browser that is both secure *and* private. It's unclear to me that
anyone can produce a web browser configuration that is secure, AND
privacy preserving, AND still usable with modern/popular Alexa 100
class web sites. And if you do manage to do so, you'll be distinctly
unusual, and as such, you'll stand out from the normally-insecure
and normally-heavily-tracked average user.
(And if you look at https://panopticlick.eff.org/ , it quickly becomes
apparent that even if you block everything except things like
your routinely-reported system font string and other routinely
reported-by-default bits, you're still going to be all-too-easily
trackable.)
#I do find fascinating the reaction to the never-ending series of
#security issues in Flash and Java. What people have learned from
#this is: Plugins are bad; Flash itself is bad.
Plugins are another example of a time when you need to make tough
choices. For example, in Firefox, there are terrific plugins that
do a nice job of blocking advertising (including potentially
malvertising), and others that do a nice job of blocking trackers,
and still others that reduce the risks associated with scripting,
etc.
Deciding that you're going to run zero plugins may thus (at least
in some cases) *decrease* your security and/or *increase* your
privacy exposure.
And when it comes to Flash, things like the integrated Chrome
Pepper Plugin architecture complicate Flash usage management
( https://support.google.com/chrome/answer/108086?hl=en ).
#> * Same question, but for pdf files?
#I think we have the makings of an excellent context here: Pick
#one of these - PDF is probably the best choice - and ask for a
#secure implementation.
Again, decisions in some browsers (such as Chrome) to include an
integrated copy of Adobe PDF Reader (see
https://support.google.com/chrome/answer/1060734?hl=en ) complicate
any effort to manage PDF content processing, including deploying an
alternative PDF reader (such as Foxit Reader,
http://www.foxitsoftware.com/downloads/ ).
Trying to secure the web browser, and attempting to increase user
privacy on the web, too, is a fascinating/challenging exercise.
Regards,
Joe