Wednesday, March 20, 2013

Web Security for everyone - Mandatory Web Browser Update

My battle to decommission support for old browsers has always faced a lot of resistance. Even though we know old browsers are buggy and insecure companies keep spending a big chunk of their web development effort just to please those that do not care about their own security. At the same time the users who do care about their security are navigating websites that are full of vulnerabilities due to "limited resources" and the impossibility to "invest more in security".

I believe it is just about time to simply check the browser of your users and stop them from navigating your website unless they upgrade their browsers. What Browser dot org is a nice page to provide awareness to your valuable customers. If your web users want to go to the competitor website which does support their old browser they should know they might be risking more than just staying in your website after upgrading their software. Most likely the competitor website hides in its deepest code some compromised bits which could be easily activated with just a simple User-Agent HTTP header change hand crafted by an attacker, even if the victim is using the latest version of the best available Web Client.

This is a win-win decision: The company saves money in R&D and security. The customer gets a safer and faster browser.

Why is this necessary upgrade taking so long? I see companies saying "Our IT department says that upgrading the browser across all machines will be painful", well, automate. I see others saying "We use third party websites which demand older versions of certain browsers", well, work with those providers and explain them they are compromising you! In the meanwhile use compatibility mode if available (mainly Internet Explorer). Or simply use one and only one box or environment (Make sure to name it RISKY, INSECURE or any other scary word) to interact with such compromised website. Do not expose *all* your users for *all* their web operations.

Make sure transparency makes accountable those who do not upgrade their systems. Do not join them, push them for a needed change!

In short show this to the proper people to make your statement:
  1. A search for Internet Explorer vulnerabilities reveals that the older the browser the more vulnerable it is.
  2. To support rich user experience developers will be tempted to support plugins like Adobe Flash but these plugins are constant target of attacks as we have seen with Java Applets for example.
  3. Some old UI software won't run unless you use IE6. IT managers will be tempted to keep these old browsers around. While modern versions of Internet Explorer could be used in backward compatibility mode, in some cases you might need to enable old browsers in less secure workstations. In general try to push the owners of these applications to upgrade them.
  4. Newer versions of browsers incorporate safer and faster algorithms enhancing the user experience. Some examples of it (but not limited to) is the support for TLS1.2 which would eliminate practically all known SSL/TLS weaknesses or the Forward Secrecy support which would make the user vulnerable to intruder future sniffing of their traffic.

No comments: