All too often, end users are a weak link in the Internet security chain. Thus there’s a fundamental flaw in the traditional security approach to Web interaction, which asks users to ensure a secure browser is being used.
Quarri Technologies hopes to improve upon this model with its Quarri Protect on Q (POQ) 3.0 solution. Released today, it provides a server-centric approach to delivering secure browsing capabilities to users. With the update, the POQ solution now includes traditional desktop as well as mobile delivery mechanisms for both Android and iOS users.
“The way the product works in the Windows world is that we deliver a protected browser when a user visits a site that implements our technology,” said Mark Elliot, founder of Quarri Technologies. “We do it completely on the fly with an ephemeral agent that exits when the session is over.”
The website owner sends the protected browser down to the user, Elliot explained. The user’s initial interaction with the site can come from any browser, including Firefox, Chrome, Opera and Internet Explorer, and then the protected browser is triggered.
“On the fly, typically within five to seven seconds, we deliver the protected browser instance where the behavior is controlled by the site policy,” Elliot said. “The user can have additional browser sessions open, but if they want to access the Web application that is protected by us, it has to be via the protected browser.”
The POQ browser defends against malware as well as data exploitation.
“We can leverage the site owners’ knowledge of their applications and behaviors to constrain the behavior of the POQ browser,” Elliot said. “For example, plugins can increase the attack surface for a browser, so when our browser starts we don’t load any plugins, but we do allow site owners to whitelist any necessary plugins.”
The core protected browser technology leverages Microsoft Windows Internet Explorer components.
“We start a controlled instance of Internet Explorer (IE) with our security code injected into it,” Elliot said. “We’re not huge fans of IE; it’s just that IE is inherently available on every Windows platform.”
Though the POQ desktop browser is based on IE, that doesn’t mean users of other operating systems — in particular Linux — won’t be able to access a particular site. The POQ system has a policy that enables site owners to allow unsupported platforms like Linux to access a site. The system is also smart enough to detect if a user is attempting to spoof a platform. For example, a Windows system with malware on it could attempt to spoof a Linux machine in an effort to bypass security controls.
“The Linux user can access the web application normally but any iOS, Android or Windows user must run the protected browser,” Elliot said.
The iOS Approach
The POQ 3.0 system also provides secure access for Apple iOS users. The self-service iOS approach requires users to go to Apple’s App Store to get the secure browser.
The Quarri technology can also detect whether a device has been jailbroken, and the site owner can then decide whether to allow access.
“This is important because mobile platforms as opposed to Windows have very strong process sandboxing, so inherently they are pretty secure from traditional techniques used by banking trojans,” Elliot said. “That process sandboxing is very secure, unless the device has been rooted or jailbroken.”