Over the years, technology experts have often stated that policymakers would irreparably break the web, if they got the chance. Jeremiah Grossm makes a strong case that the web needs to be broken, if we value our privacy. Most security and privacy issues exists due to the way browsers operate.

The ease with which a webmaster can find your full name, aim an attack on a website you are logged in to, or find your browsing history is astonishing. The huge range of technical abilities that have not been thought true in terms of impact on security and privacy is immense. However, fixing this is bad for market share and user experience according to browser vendors.

What’s Your Name?
You may think Facebook is invasive for your privacy, but they do not give away your name to random websites – or at least, not to my expectations. Nevertheless, this information is easily gained through the use of clickjacking.

Imagine Facebook’s like-button – or, Google’s plus one-button. If you were to click this on a website to like its Facebook page, the owner gets a notification that you liked his page, thereby giving your name away.

You Wouldn’t Click a Button, Would You?
Of course, you would not click the like-button of a shady website. This is where clickjacking comes in. By placing an invisible button over a link you want to click, an attacker gets you to perform an unwanted action, while you think you are merely visiting a normal link.

In case of the appreciate-button of a social network, this happens by making the frame containing the widget transparent and placing it over a normal link or button. This way, you are easily deceived in liking the adversary’s page.

Breaking the Web
One way of solving the issue of clickjacking once and for all is by forbidding remote frames, i.e. frames with content from a different domain, or at least transparent ones. However, this would make like-buttons and statistic collection much harder. For this reason, it is hard to get software developers on board.

The same goes for other issues. For example, why should it be acceptable to include content on an internal network in a public page? Apparently there are two or three esoteric websites for which this is necessary, thereby lowering security for others along the way.

Reinvent the Browser
Maybe it is time to take a step back. Many technologies we came up with in the past are not as secure as we hoped them to be. The question that remains is whether it is a bad idea to rebuild some of those techniques, for the sake of security and privacy. In the end, we can easily build a nice browsing experience that does not have so many fundamental problems.

Tagged with:
 

Leave a Reply

Your email address will not be published. Required fields are marked *