[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

Joe St Sauver joe at oregon.uoregon.edu
Sun Jan 5 18:07:00 EST 2014


Hi,

Jerry commented:

#For what it's worth, I think Chrome is probably, across time, the most 
#secure, because Google puts a huge amount of effort involving a really 
#experienced team into making it so.

The Educause Technologies, Operations and Practices (formerly Educause
Security Effective Practices) working group started an effort to make
recommendations that would help higher ed people improve the security 
and privacy of their browser configs. I'd naively assumed that would 
be a relatively straightforward task, but I've increasingly come to 
appreciate just how subtle that objective actually was, even when it 
comes to something as seemingly straightforward as choice of browser.

For example, you mentioned Chrome, a very popular browser. There's a lot
to like about Chrome, including the fact that it supports TLS 1.2, and 
the way it supports IPv6 (by way of contrast, Firefox still is stalled at
TLS 1.1, and even when network connectivity is dual stack, Firefox still 
prefers IPv4 over IPv6). And there are many more features in Chrome that
are really great, too.

On the other hand, Chrome is produced by the Internet's largest and most
successful online marketing enterprise. Perhaps not surprisingly, at 
least some have been critical of its user tracking provisions, and how 
Chrome handles privacy issues (e.g., see for example 
http://www.pcmag.com/article2/0,2817,2373860,00.asp , although I give 
Google credit for doing a good Chrome Privacy white paper, *if* people 
bother to read it, see
https://www.google.com/intl/en/chrome/browser/privacy/whitepaper.html ).

If you are ever feeling bored and/or paranoid, install Little Snitch on 
a Mac and fire up Chrome. You'll be surprised at the amount of outbound
traffic you'll see that you didn't explicitly originate when you're 
running Chrome in its default configuration.

What does this mean? Well, fundamentally, there may be tensions between 
browser security and privacy, where emphasizing one may require 
compromises when it comes to the other. 

#I place some amount of trust in Safari, but that's a matter of 
#statistics, not anything special about the code:  People aren't 
#attacking it as much.  (Apple seems to have been getting ever 
#more serious, but how far they've come is hard to judge.)

My concern with Safari starts with the fact that Safari on at least
some operating systems has been "orphaned" -- for example, Safari
for Windows has been frozen at 5.1.7, which is distressing if you
believe Safari releases since then have fixed important security-related 
bugs. (See http://support.apple.com/downloads/#safari to see what
versions are available for various platforms.)

We could also talk about IE, but in that case, there's no version 
for Mac OS/X (which makes that a moot option when it comes to using
it in my case, unless I want to do something like run a Windows VM
for browsing purposes).

There is also Opera, but the scarcity of its adoption makes any user 
using it "stand out from the crowd," which is the antithesis
of what a privacy and security-concerned user may want. (The same
can be said for all the other uncommon browser options.)

Like I say -- choice of browser for the security *and* privacy 
concerned users can be tough.
 
#I just don't see how they can possibly be made secure.

You need to break a *lot* of functionality, particularly if you want
a browser that is both secure *and* private. It's unclear to me that
anyone can produce a web browser configuration that is secure, AND
privacy preserving, AND still usable with modern/popular Alexa 100
class web sites. And if you do manage to do so, you'll be distinctly 
unusual, and as such, you'll stand out from the normally-insecure 
and normally-heavily-tracked average user.

(And if you look at https://panopticlick.eff.org/ , it quickly becomes
apparent that even if you block everything except things like 
your routinely-reported system font string and other routinely
reported-by-default bits, you're still going to be all-too-easily 
trackable)

#I do find fascinating the reaction to the never-ending series of 
#security issues in Flash and Java.  What people have learned from 
#this is:  Plugins are bad; Flash itself is bad.  

Plugins are another example of a time when you need to make tough
choices. For example, in Firefox, there are terrific plugins that
do a nice job of blocking advertising (including potentially 
malvertising), and others that do a nice job of blocking trackers,
and still others that reduce the risks associated with scripting,
etc.

Deciding that you're going to run zero plugins may thus (at least 
in some cases) *decrease* your security and/or *increase* your 
privacy exposure.

And when it comes to Flash, things like the integrated Chrome 
Pepper Plugin architecture complicate Flash usage management
( https://support.google.com/chrome/answer/108086?hl=en )

#> * Same question, but for pdf files?
#I think we have the makings of an excellent context here:  Pick 
#one of these - PDF is probably the best choice - and ask for a 
#secure implementation.  

Again, decisions in some browsers (such as Chrome) to include an
integrated copy of Adobe PDF Reader (see 
https://support.google.com/chrome/answer/1060734?hl=en ) complicates 
any effort to manage PDF content processing, including deploying an 
alternative PDF reader (such as Foxit Reader, 
http://www.foxitsoftware.com/downloads/ ).

Trying to secure the web browser, and attempting to increase user 
privacy on the web, too, is a fascinating/challenging exercise.

Regards,

Joe

