Is it time for a re-think of the traditional browser model?



At this year’s Pwn2Own competition, white hat hackers exposed security flaws in the Web’s leading browsers. With over half a million dollars in cash and prizes at stake, Pwn2Own is the Super Bowl of hacking. In a mere two days of competition, individuals and teams from around the globe cracked Internet Explorer, Firefox, Safari, and Google Chrome, as well as the Adobe Reader and Flash Player plug-ins.

News Flash: Your local browser can still be hacked and your business is still at risk.

It’s another episode in a long-familiar story where major browser platforms are exploited. It’s hardly news: we’ve come to expect it. Fortunately, Pwn2Own is meant to highlight cracks in the armor so that browsers and plug-in apps can be fixed.

But while Microsoft and Apple and the rest of their ilk huddle up and patch their apps, you and every business that uses their browsers have a huge security headache and a high-stakes challenge. Pwn2Own follows a responsible disclosure process, so the specifics of the breaches aren’t known. But to avoid becoming the next victim of a headline-grabbing data breach, you will need to update all your users’ equipment and possibly retrain them.

And somewhere in the middle of this ridiculous and all-too-frequent exercise, you might wonder: Is there a better way? The answer is yes.

The way to fix this broken system is a cloud-based browser. Twenty years ago, few people realized that the browser would become the most important business application. Originally, browsers were considered a tool for viewing static Web pages (except for the occasional, totally awesome animated flaming GIF). Then one day, a browser emerged from the primordial ooze and allowed JavaScript to run locally. With that development, where code executed on the device, the browser became the conduit for all kinds of applications.

Now, browsers have become mission-critical tools for companies and their proprietary apps. In this brave new world, browsers must keep pace with all the cutting-edge functionality and UI that developers and users demand. Squeezed by these forces, browser makers haven’t been able to proactively address security flaws that emerge with constant enhancements. Your browser’s protective measures are out of date the moment it’s installed.

With so much relying on browsers that are so vulnerable, and the realm of executable code in the browser expanding, the time has come to consider alternatives. Clearly, we can’t stop using web-based services. And clearly, the underlying standards won’t change anytime soon.

Isolation might hold the key. A browser that’s isolated in the cloud protects your data and your devices while keeping up with the demands of application developers and users.

Standard browsers all do the same thing: they execute code on a local device -- code which might reach out to other parts of the system or remain on the device until it is manually deleted. This model is the Achilles’ heel of the browser and presents rich territory for the would-be exploiter.

A cloud-based browser executes code remotely in a secure and isolated environment, and then disposes of itself entirely. Poof! Gone. No lingering code, cookies, or anything else carried over from session to session. And if malicious code tries to reach out of the browser and into the system resources, it’s not your device that it touches. It can only go as far as the virtualized environment. No malicious code can seep into your local device or your network, nor will the code persist after the browser is closed.

Judging from the results of Pwn2Own, it’s clear that traditional, local browsers are continuing to fight a losing battle on the security front. The very nature of the browser creates security gaps that keep IT reacting to the latest exploit. It’s time for IT to shift these vulnerabilities away from the user, device, and network, and into a disposable environment designed to deal with them.

About the author: Scott Petry. Scott is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott founded Postini and served in a variety of C-level roles until its acquisition by Google in 2007.
