Posted by:
admin
12 years, 8 months ago
Read Jeremiah Grossman's post about "A Single-Site Browser’s impact on XSS, CSRF, and Clickjacking". The benefits of using a Single-Site Browser are clear: reduced risk of XSS, CSRF and Clickjacking. So, why isn't every bank in the world and every user of SSL-VPNs not deploying single-site browsers?
I'd say there are two reasons: fear of customer support costs and a lack of additional benefits.
A long, long time ago, banks tried to get into the software business to lessen the power exerted by Quicken and Microsoft Money. These efforts went as well as anyone outside of the banks expected. Bad software that created tremendous support issues. The banks remember this in their thick institutional heads.
However, as Grossman points out, banks are essentially doing this with Mobile applications right now. The perceived benefits of having an iPhone and/or Android app and having a "mobile strategy" outweigh the potential costs for them. Part of the reduction in costs comes from the application store model. Distribution is easy (well, same for downloading stuff over the Internet) and their are support mechanisms built-in (albeit minimal). However, many users are now used to using the Internet for support, so offering a single-site browser with built-in links to forums etc would also be a low-cost option. If banks offered support and interest, perhaps Mozilla would once revitalize their Prism project. Imagine being able to enter in a set of parameters and an domain name and being able to build a single-site browser with the latest code.
On the benefits site, banks could use this platform to add security features. Built-in two-factor authentication would be first on my list (needless to say). The ability to do mutual https authentication using cryptography instead of pictures would be a big plus as well. These two features would help to eliminate MiTM attacks and phishing.
Finally, if a bank has both a mobile client and a PC-based client, transaction authentication becomes much more practical: any transaction made in one client can be validated in the other, increasing the required attack sophistication. (I know, we have already seen this is possible, but we should not let this stop us from making improvements.)
I still think the banks won't bite, so I'm calling on the SSL-VPN vendors to lead the way. Their customers stand to benefit as well. This is a great example of doing something that is so simple that would bring such great benefit.
Also, kudo's to Google for Chrome's ability to create an application short-cut. This is how I access all my critical sites.
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)