
Single-site browser

Read Jeremiah Grossman's post about "A Single-Site Browser's impact on XSS, CSRF, and Clickjacking".  The benefits of using a Single-Site Browser are clear: reduced risk of XSS, CSRF and Clickjacking.  So, why isn't every bank in the world and every user of SSL-VPNs deploying single-site browsers?

I'd say there are two reasons:  fear of customer support costs and a lack of additional benefits.

A long, long time ago, banks tried to get into the software business to lessen the power exerted by Quicken and Microsoft Money.  These efforts went as well as anyone outside of the banks expected: bad software that created tremendous support issues.  The banks remember this in their thick institutional heads.

However, as Grossman points out, banks are essentially doing this with mobile applications right now.  The perceived benefits of having an iPhone and/or Android app and having a "mobile strategy" outweigh the potential costs for them.  Part of the reduction in costs comes from the application store model.  Distribution is easy (well, the same is true for downloading software over the Internet) and there are support mechanisms built in (albeit minimal).  However, many users are now used to using the Internet for support, so offering a single-site browser with built-in links to forums etc. would also be a low-cost option.  If banks offered support and interest, perhaps Mozilla would once again revitalize their Prism project.  Imagine being able to enter a set of parameters and a domain name and build a single-site browser with the latest code.
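To make the "parameters plus a domain name" idea concrete, here is an added illustration (not code from this post, from Grossman's post, or from Prism) of the navigation policy at the heart of a single-site browser: every URL the embedded browser is asked to load is checked against one pinned HTTPS host and an explicit list of its subdomains, and anything else is refused. The host names are placeholders.

```python
from urllib.parse import urlsplit

# Constructed configuration: the "parameters" a bank would bake into its
# single-site browser. Placeholder names, not a real institution.
PINNED_HOST = "bank.example"
ALLOWED_SUBDOMAINS = {"online.bank.example", "login.bank.example"}


def is_allowed_navigation(url: str) -> bool:
    """Return True only if `url` stays within the pinned site over HTTPS.

    Refusing everything else is what removes the cross-site attack surface:
    a link, redirect, injected frame or script cannot take the user to a
    third-party origin, and a third-party origin cannot be loaded here.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname        # lowercased; userinfo/port stripped
        port = parts.port            # raises ValueError on a bad port string
    except ValueError:
        return False
    if parts.scheme != "https":
        return False                 # http:, javascript:, data:, file: refused
    if host is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # https://bank.example@evil.example/ lookalikes
    if port not in (None, 443):
        return False                 # only the standard TLS port
    host = host.rstrip(".")          # "bank.example." is the same host
    return host == PINNED_HOST or host in ALLOWED_SUBDOMAINS


def filter_requests(urls):
    """Split a batch of requested URLs into (allowed, blocked), keeping order."""
    allowed, blocked = [], []
    for u in urls:
        (allowed if is_allowed_navigation(u) else blocked).append(u)
    return allowed, blocked
```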

On the benefits side, banks could use this platform to add security features.  Built-in two-factor authentication would be first on my list (needless to say).  The ability to do mutual HTTPS authentication using cryptography instead of pictures would be a big plus as well.  These two features would help to eliminate MITM attacks and phishing.

Finally, if a bank has both a mobile client and a PC-based client, transaction authentication becomes much more practical:  any transaction made in one client can be validated in the other, increasing the required attack sophistication. (I know, we have already seen this is possible, but we should not let this stop us from making improvements.)

I still think the banks won't bite, so I'm calling on the SSL-VPN vendors to lead the way.  Their customers stand to benefit as well.  This is a great example of something that is so simple yet would bring such great benefit.

Also, kudos to Google for Chrome's ability to create an application shortcut.  This is how I access all my critical sites.
