The new era of web applications has brought with it a host of new security challenges. Standing at the front of the security perimeter is the web browser through which application traffic now flows.
Browser and security vendors alike have been rushing to reduce the risks of web applications. One such vendor is Quarri Technologies with its Protect on Q solution. The basic idea behind Protect on Q is to give web application owners the ability to deliver a secured, protected browser to end users.
In an exclusive interview with eSecurity Planet, Mark Elliot, founder of Quarri Technologies explains what the current browser threat landscape looks like and why HTML5 requires new security mitigations.
One of the new capabilities enabled by HTML5 is the WebSocket API for improved two-way communications. At the Black Hat USA 2012 event, security researchers identified WebSockets as a possible security risk, though attacks in the wild are not yet commonplace.
Elliot isn't taking chances, and the Quarri solution already addresses it.
"We can control the networking that happens within a protected browser," Elliot said.
He explained that his company's system works as a sort of firewall that sits inside the browser. Quarri verifies that each connection is allowed by policy, so a protected browser can only interact with a specific, whitelisted set of domains.
"So if a WebSocket attempts to go someplace or comes in from another place that isn't a whitelisted location it will be blocked," Elliot said.
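As an added illustration of the allowlist idea in the two paragraphs above (example code written for this page, not Quarri's), here is a page-level WebSocket guard in JavaScript. The policy object, the hostnames in it, and the function names are assumptions; a real deployment would take the allowed domains from the application owner's policy.

```javascript
// Added example (not Quarri code): a client-side WebSocket allowlist in the
// spirit of the in-browser "firewall" described above. The policy shape,
// hostnames and function names are assumptions made for illustration.

// Policy: TLS only, and only to hosts the application owner has whitelisted.
const WS_POLICY = {
  requireTls: true,
  allowedHosts: new Set(['app.example.com', 'ws.example.com']), // hypothetical
};

// Decide whether a WebSocket URL is permitted. Returns { allowed, reason }.
function checkWebSocketPolicy(rawUrl, policy = WS_POLICY) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return { allowed: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'ws:' && url.protocol !== 'wss:') {
    return { allowed: false, reason: `not a WebSocket scheme: ${url.protocol}` };
  }
  if (policy.requireTls && url.protocol !== 'wss:') {
    return { allowed: false, reason: 'plaintext ws:// is not allowed' };
  }
  // Compare the parsed hostname, never a substring of the raw string:
  // wss://app.example.com.evil.test/ must not match app.example.com.
  if (!policy.allowedHosts.has(url.hostname.toLowerCase())) {
    return { allowed: false, reason: `host not whitelisted: ${url.hostname}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Wrap a WebSocket constructor so every connection attempt is checked first.
// In a page the constructor is globalThis.WebSocket; any constructor works,
// which is how the example can be exercised without a network.
function guardWebSocket(WebSocketCtor, policy = WS_POLICY, onBlocked = () => {}) {
  return function GuardedWebSocket(url, protocols) {
    const verdict = checkWebSocketPolicy(url, policy);
    if (!verdict.allowed) {
      onBlocked(String(url), verdict.reason);
      throw new Error(`WebSocket blocked by policy: ${verdict.reason}`);
    }
    return new WebSocketCtor(url, protocols);
  };
}

// Illustrative installation in a page, before any application script runs:
//   globalThis.WebSocket = guardWebSocket(globalThis.WebSocket, WS_POLICY,
//     (url, reason) => console.warn('blocked WebSocket to', url, reason));
```

A wrapper installed by page script can be undone by other script on the same page (for example by pulling a fresh `WebSocket` constructor out of a newly created iframe), so it demonstrates the policy, not a security boundary; the article's claim is that Quarri enforces the same check inside the browser, below the script layer. For a site that wants browser-level enforcement of a connection allowlist in a standard browser, the `connect-src` directive of Content Security Policy governs WebSocket connections as well as XHR and fetch.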
In the pre-HTML5 era, cookies were typically the primary means of storing small amounts of data locally. Cookies are limited to a few kilobytes each; HTML5 Web Storage, by contrast, can hold multiple megabytes of offline data.
"The bottom line is that data, even if it was delivered over an SSL encrypted tunnel, is now sitting on disk," Elliot warned. "So real-time malware can grab it, or even just another application on a machine can go and look at the data."
To reduce the risk of HTML5 Web Storage, the Quarri solution encrypts anything a protected browser writes to disk. Only the browser itself holds the symmetric encryption key. Elliot explained that this means users get all the benefits of offline use and caching without the risk of exposure at the endpoint. That protection is only as strong as the browser's ability to keep the key out of reach of other processes on the same machine.
In recent years, the risk of SSL exploitation has become a subject of concern. Multiple SSL Certificate Authorities (CAs), including DigiNotar in 2011, have been compromised, leaving browsers potentially at risk.
In the modern SSL system, browsers rely on the integrity of the SSL CAs. The Quarri solution avoids that potential weak point. Elliot explained that the Quarri solution is sold to organizations that want to secure a high-assurance web application. Since the web application owner already knows which certificates it owns, a protected browser can ship with a whitelisted set of SSL certificates validated by the web application owner, an approach generally known as certificate pinning. The whitelist has to be kept in step with the owner's certificate rotation, or legitimate renewals will be blocked along with forged ones.
"That says to the protected browser, you can only do SSL with those (whitelisted) certificates," Elliot said. "So if the certificate store on the local machine has been poisoned or the end user has been socially engineered, they would be blocked."
When it comes to browser security, Elliot sees the biggest challenge as being end-user awareness.
"There are a lot of companies that think because they have that padlock their data is protected," Elliot said. "People are stealing the data over the wire, they are stealing it at the browser."
Watch the full video with Mark Elliot, founder of Quarri Technologies: