Capping IT OffThe hyper corrective browser

Capping IT Off

Capping IT Off

The hyper corrective browser

8 Comments
Categories : Custom Software DevelopmentSecurity

I just had a discussion via Twitter about the desired behavior of browsers during an endless javascript loop (e.g. while(true){alert("test");}). One of my friends suggested that browsers should correct this kind of code. Browsers should do this in order to prevent endless loops that crash you browser or your operating system.

This really sounds horrible to me. Whenever I write code I would like to see it executed the way I wrote it, not the way I could have probably thought about it that it should work. If I write lousy code, let the browser crash, let my operating system crash and probably I will learn something of it. In the worst case even valid code could be corrected by the browser since it could match a pattern that is used to filter invalided code blocks. That would be a real developers nightmare: hyper correcting browsers that are adjusting valid code blocks combined with all current known specific browser quirks.

However this hyper correcting behavior could make the web even more insecure. Microsoft will probably implement some protection in Internet Explorer 8, at first sight this is pretty nice, however there are quite some (amateur) developers that 'test' their websites in only one browser. After testing it in e.g. Internet Explorer 8 it assumed save and published on the Internet. However when using a different browser XSS is still possible and the visitor can still be harmed by these kind of attacks.

With all these hyper corrections you will be in the end only safe on the Internet depending on what browser you use. This is incorrect you should always be safe on the Internet no matter what browser you use. The developer is responsible for the security /usability of his web page/ application, not the browser! The browser should only be supportive to visit and use this page / application.

About the author

Rick Mans
Rick Mans
View my profile View all my posts
8 Comments Leave a comment
Eric Lawrence:
If a web page can crash your operating system, that represents a massive failure on the part of the browser's security subsystem. Mobile code isn't like other code; it should never impact the system outside of the sandbox.
As for IE8's XSS filter, it's not like a web developer is likely to ever find an XSS hole unless they were looking for it, so IE8's XSS filter isn't going to mislead them in any way. Better still, IE's XSS filter will notify the user when such an attack is blocked, which lets the web developer understand that they have a security bug they need to fix if they do pen-test their sites using IE8.
rimans:
rimans's picture
Eric,
Thanks for your reply. The XSS filter indeed notifies the user that an attack was blocked. However as IE blocks this behavior it can trigger the mindset by non-professional developer that everything is fine, since IE helps blocking the issue.
This also relates to a question I have about these kind of solutions: which security issues should be solved in the browser and what issues are typical issues that can be solved outside the browser with e.g. other software. What is your opinion about this Eric?
Arnoud ten Hoedt:
The web is not about developers dreams and nightmares.
A webbrowser is all about user experience, not about displaying what a developer intended to display.
Although this sounds strange from the mouth of a webprogrammer, it does indeed display my distaste on the god-mode developers with a sole focus on their personal development pleasure.
Often combined with a strong feeling on standardisation. But on the end, that's not what the web's about. Without any one looking at it, your technology can be as perfect as can be, but little more.
Taking some power from the developer, which seldom has enough time on its hand to do a full PEN test, is a good practice. Regardless of the signal it sends to DIY developers about security.
Lee Provoost:
Perhaps we should have two modes for browsers: development/test mode and user mode. We develop in the first mode, users browse in the second...
rimans:
rimans's picture
@Arnoud, The webbrowser is about user experience, however I do not think the browser should determine what a good user experience is and what not. User experience should be defined by the creator of the webpage / application and the browser should only interpret this in a proper way. As soon as the browsers starts defining what their interpretation is of proper user experience, you can develop what you want, but you will probably end up in a standardized user experience that is completely defined by the browser. (the browser decides what is good for you).
I do not think you want that, you want your own unique non standardized user experience that fits that specific page/ application (the way the developer/ consultants meant it). Off course you would prefer some extra safety as user, however do you really want to be dependent on the browser and its version you are using?
@Lee
That would also be an option. However there are currently quite a bunch of plugins helping developers develop. Personally I would prefer a browser that focuses on its core function: interacting with text, images, videos, music and other information located on a web page or in a web application. And off course some nice user experience within the browser.
Gaurav:
Dont forget that browsers are used by millions of users who understand nothing about techinal details or security issues. At same time internet is so vast and unpoliced medium that there would always be some malicious developers. So may be there is nothing wrong if browser do few things 2 protect users.
albert kuiper:
The remark you make is interesting, if I place it in the context of services. The question then becomes to me:
- what layering of services do exist?
- what bahaviour do we expect from lower level services?
Instead of looking at a browser as a monolith, we could also look at it as a 'stack' just like the OSI-stack that performs the communicative function (even for what you are reading now).
By making more strickt distinctions like in OSI the dicsussion would maybe simplify.
My paradigm: With a background in telecoms, I am often surprised that the 'portal world' is stil a software world, not a services world. In a services world the intitial remarkt woruld not be neccessary, as this would not occur!
In a services world the implementes Services would indeed have a standardised behaviour. If a service is requested wrong, no result (aka a crash). But no 'intelligence' in a service, please, that would be the opposite of a service!
albert
rimans:
rimans's picture
Interesting comment Albert!

Leave a comment

Your email address will not be published. Required fields are marked *.