MIAMI — Google is one company that lives and dies on the web, so for many reasons it needs to care, a lot, about browser security. That was the focus of the keynote by Justin Schuh, engineering lead for Chrome Security at Google, at this year’s Infiltrate 2017 conference.
There are three main reasons why Google needs to care. First, pretty much all of its revenue is funneled through the browser. “People need to feel that it’s reasonably safe,” Schuh said.
Securing the web browser wasn’t always a paramount concern, though, even for Google. What served as a huge wake-up call was Operation Aurora in 2009. State-sponsored hackers broke into Google, which prompted a significant change.
Few know better than those in the security industry that change doesn’t always come easily. One reason that change is slow going stems from what Schuh called “open source hippies.” “People approach things wildly differently. We believe in the web as an ecosystem, and that we can move the whole thing forward and make it a lot better.”
With all that wisdom and good intention, why is browser security so tough?
“There are a lot of different things at play,” said Schuh. “There are a lot of diverse platforms on Chrome, and that makes security a particularly tricky thing, so you’re trying to support the same browser on a lot of different platforms. Then there’s the third party code issues.”
Not to mention the diverse constituencies that need to be catered to, from the developers and users being served to the employer’s goals and agendas. Security then has to figure out how all of that fits together, said Schuh.
The added layer of competition on web ads, said Schuh, adds a lot of complexity. “That’s a big revenue funnel, and a lot of people are competing for that funnel. The browser is just a commodity, and the cost of switching is really low, especially when most users don’t understand security enough for it to influence their browser-using decision.”
With all of these obstacles in mind, Chrome has defined three main strategies for approaching security: isolation, mitigations, and anti-abuse (“the phishing and downloading stuff,” Schuh said).
“Sandboxing is the big thing we focus on. It’s our strongest line of defense. It’s the number one thing that we do, so we keep building on and refining it. Isolation is the main thing we are investing most in, which differs from other browsers,” said Schuh.
In terms of mitigations, they discriminate a little more. “They have some use. If they don’t add significant code complexity and performance overhead, we use them. There’s been a lot of investment in Clang CFI, but with the goal of trying to build some sort of memory safe-ish inner sandbox thing.”
Google being Google, it does have a lot of resources available, which is especially beneficial when it comes to threat intelligence and being able to experiment at scale.
“HTTP/2, that was something that grew out of an experiment at scale,” said Schuh.
Despite all of those available resources, they still come under friendly fire, which Schuh said is the invasive and unsafe stuff that gets bundled in or injected from browser plugins, OEM value-adds, certificate authorities, and antivirus and other security products.
What’s so bad about them? Schuh asked. “They are breaking security expectations. These things are breaking your expectations on their way to introducing the most vulnerabilities they can.”
These third-party capabilities, including NPAPI plugins, are invasive and fundamentally unsafe, said Schuh. “It’s not really an API but an organic growth of leaky platforms. It’s a bundle of purely native code that operates outside of the browser constraints making it effectively impossible to sandbox.”
Given that the security of communications across the internet depends on every certificate authority being trustworthy, relying on CAs to vouch for the connection between the website and the browser also causes major headaches for security engineers.
“The system itself has no way of tying a cert to a specific CA, yet there are literally thousands of intermediary CAs. Any one of them can effectively be bypassed,” Schuh said.
Schuh’s deepest loathing, though, is reserved for antivirus. Antivirus is what drives Schuh to vent on Twitter, he joked. Specifically, he shared the anecdote of an issue caused by an antivirus product’s man-in-the-middle certificate, which used weak hash algorithms.
“There was this huge spike in HTTPS errors, and clients couldn’t talk to secure sites anymore,” Schuh said. When he contacted the antivirus vendor, no one was familiar with the code. “Someone suggested that it might have been written by an intern a couple years ago.”
These are the frustrating security issues that challenge even the most experienced and educated engineering teams. After some time, one of the vendor’s engineers anted up, said Schuh. They pushed out a fix to the old program, but Chrome was still seeing those elevated errors.
“Only the paying customers got the updates,” Schuh said. “The non-paying customers get the broken TLS. If you are no longer a paying customer but you have this thing installed,” Schuh mused, making the point that even the good guys’ products can end up compromising security.
“They all fixed the outdated and vulnerable code,” said Schuh, but more to the point, “Even the best behaved products have no support for enhanced nets like HPKP. They are just expected to provide grossly inferior security.”
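The weak-hash interception certificate in Schuh’s anecdote is something a defender can check for directly. What follows is an added example, not code from the talk or from Chrome: a stdlib-only Python checker that reads the signatureAlgorithm OID out of each DER certificate in a chain and flags MD5 or SHA-1 signatures, which on a leaf certificate is the fingerprint of a TLS-intercepting product re-signing server certificates with an outdated algorithm. The OID table comes from RFC 3279, RFC 4055 and RFC 5758; the sample chain is constructed for the example (only the outer Certificate structure is present, so it is not a real certificate), and all function names are my own.

```python
"""Stdlib-only audit of the signature hash used by each certificate in a chain."""
import base64
import re
import sys

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and the hash each implies.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
}
WEAK_HASHES = {"md5", "sha1"}


def der_read(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(seq_value):
    """Split the contents of a SEQUENCE into its top-level (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = der_read(seq_value, pos)
        out.append((tag, value))
    return out


def decode_oid(raw):
    """Decode OID contents (bytes after tag/length) into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, sig_alg, _sig = der_children(body)[:3]
    alg_tag, oid_raw = der_children(sig_alg[1])[0]  # AlgorithmIdentifier starts with the OID
    if alg_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_raw)


def load_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(chain_der):
    """Return (index, oid, hash_name, is_weak) for each certificate, leaf first."""
    findings = []
    for i, cert in enumerate(chain_der):
        oid = signature_algorithm_oid(cert)
        hash_name = SIG_ALG_HASH.get(oid, "unknown")
        findings.append((i, oid, hash_name, hash_name in WEAK_HASHES))
    return findings


# CONSTRUCTED sample chain (not real certificates): only the outer Certificate
# shape is present, which is all signature_algorithm_oid needs to inspect.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length is enough for the sample

def constructed_cert(sig_oid_tlv):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))           # tbsCertificate stub
    alg = _tlv(0x30, sig_oid_tlv + b"\x05\x00")      # AlgorithmIdentifier { oid, NULL }
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))  # + BIT STRING placeholder

SHA1_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
SAMPLE_CHAIN = [
    constructed_cert(SHA1_RSA_OID),    # leaf re-signed with SHA-1 by an interception root
    constructed_cert(SHA256_RSA_OID),  # the interception root itself, signed with SHA-256
]

if __name__ == "__main__":
    chain = load_pem(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CHAIN
    for idx, oid, hash_name, weak in audit_chain(chain):
        print(f"cert[{idx}] {oid} ({hash_name}) {'WEAK' if weak else 'ok'}")
```

Run it against a PEM chain exported from an affected machine’s browser (`python check.py chain.pem`): a weak hash on cert[0] whose issuer is not a public CA points at a locally installed interception root rather than at the website, which is the situation Schuh’s vendor took so long to diagnose.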
In addition to the binary injections that eat up way too much of Schuh’s time, what is incredibly frustrating is that his teams plan out important security features but, in reality, can expect a year’s delay for any significant new mitigation.
Followers on Twitter will also find Schuh tweeting about the reality that third-party capabilities are invasive and fundamentally unsafe. “We are trying to work around these problems, but there’s no way that AV provider X is investing as much in securing themselves,” Schuh said.
The solution? It’s not clear that there is one, but Schuh said, “They need to stop doing this. If it doesn’t start soon, we will have to take creative measures to stop.”
Of course that prompted the question from an audience member, “What creative measures?”
“That’s where it gets really interesting. Windows 10 added mitigations for blocking third party AV injection. Edge is currently using some of those, and crash rates have dramatically dropped,” Schuh said.
There is also aggressive stuff, like going all the way down into the kernel, Schuh added. “As much as I complain about AVs, we haven’t had significant issues with Windows Defender. It’s quite robust. It’s interesting because it’s one you don’t have to pay for.”
Because Microsoft isn’t trying to rush its product to market, it can care more about the features in its products. “If I were a CISO deploying an AV program, I’d go with Microsoft Defender,” Schuh said.
But as a security engineer, he is trying to work with antivirus vendors to find ways to cooperate that benefit the entire ecosystem.