New web standards need improved browser security

Many of these specifications are reaching a point-of-no-return, according to the European Network and Information Security Agency (ENISA), so now is the time to think deeply about security before the standards are finalised rather than trying to patch them at a later date.

These standards include HTML5, cross-origin communication standards such as CORS, and standards for access to local data such as geo-location.

"This is a unique opportunity to build in security-by-design," said Giles Hogben, co-editor of an ENISA report on next-generation web standards that identifies 50 security threats and proposes how they should be addressed.

The threats include unprotected access to sensitive information, new ways to trigger form submission to attackers, problems in specifying and enforcing security policies, potential mismatches with operating system permission management, and new ways to escape access control mechanisms.

Web browser security is critical

ENISA claims the security review is vital in the light of the fact that almost every online activity now takes place in the browser, including managing critical infrastructures.

"The web browser is now one of the most security-critical components in our information infrastructure - an increasingly lucrative target for cyber attackers", said Udo Helmbrecht, executive director of ENISA.

The report notes that the volume of web-based attacks per day increased by 93% in 2010 compared with 2009 and the many complex threats as DDoS attacks using botnets rely on flaws in web browsers, which allow the installation of malware.

"Even if the root cause is elsewhere, the browser is often in a position to protect the user in combatting phishing, pharming, etc," says the report.

The Worldwide Web Consortium (W3C), which is currently working on major revisions to its core standards, has welcomed the security review by ENISA.

"We have encouraged ENISA to report the issues it has identified to the relevant W3C Working Groups," said Thomas Roessler, W3C security lead.

The ENISA report includes recommendations on controlling functionality, permission system design, user interface requirements, user policing, and the use of restricted contexts such as private browsing or sandboxes.

This story was first published by Computer Weekly

What’s Hot on Infosecurity Magazine?