Comments on: Update to Single-Site-Browsers (SSBs) http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/ Information Systems and Internet Security Sat, 26 Sep 2009 11:11:21 -0400 http://wordpress.org/?v=2.8.5 hourly 1 By: How Not To Whitelist at rgov.org http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/comment-page-1/#comment-3379 How Not To Whitelist at rgov.org Sat, 18 Jul 2009 19:00:23 +0000 http://isisblogs.poly.edu/?p=86#comment-3379 [...] should note that I’m trying out SSBs after reading up a bit about the security benefits they may or may not provide. The thought is that if your browser can’t be redirected to a [...] [...] should note that I’m trying out SSBs after reading up a bit about the security benefits they may or may not provide. The thought is that if your browser can’t be redirected to a [...]

]]> By: Eitan http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/comment-page-1/#comment-2709 Eitan Fri, 19 Dec 2008 18:58:55 +0000 http://isisblogs.poly.edu/?p=86#comment-2709 If we could make the browsers aware of the the SSBs such that all communication to some particular site could only happen in the SSB then you could achieve much greater security and usability when using them. This deals with both issue #1 and #2. Since the browser is aware of them the browser won't access the "need to be secure" sites on its own and the users won't have to be educated (a dangerous assumption) as that is the only place they will be ABLE to enter the password. ~ Eitan If we could make the browsers aware of the the SSBs such that all communication to some particular site could only happen in the SSB then you could achieve much greater security and usability when using them.

This deals with both issue #1 and #2. Since the browser is aware of them the browser won’t access the “need to be secure” sites on its own and the users won’t have to be educated (a dangerous assumption) as that is the only place they will be ABLE to enter the password.

~ Eitan

]]> By: Protecting your Cookies at ISIS Blogs http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/comment-page-1/#comment-509 Protecting your Cookies at ISIS Blogs Mon, 29 Sep 2008 08:38:17 +0000 http://isisblogs.poly.edu/?p=86#comment-509 [...] (SSBs). That’s right, I sucked it up and used SSBs for a whole 4 months after I wrote a post denouncing them because they seemed like the only good option I had. Oh, and every SSB had NoScript [...] [...] (SSBs). That’s right, I sucked it up and used SSBs for a whole 4 months after I wrote a post denouncing them because they seemed like the only good option I had. Oh, and every SSB had NoScript [...]

]]> By: Dan Guido http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/comment-page-1/#comment-323 Dan Guido Tue, 29 Apr 2008 04:36:10 +0000 http://isisblogs.poly.edu/?p=86#comment-323 It doesn't make sense for a malicious user to voluntarily use an SSB, as it offers restricted functionality when compared to a normal web browser or an HTTP proxy. They have nothing to gain and it opens no additional attack vectors. SSBs are for preventing naive users from shooting themselves in the foot. Unless the organization sponsoring their use takes it a few steps further, into a NAC-like realm, are they doing anything to secure the server-side of the transaction. It doesn’t make sense for a malicious user to voluntarily use an SSB, as it offers restricted functionality when compared to a normal web browser or an HTTP proxy. They have nothing to gain and it opens no additional attack vectors.

SSBs are for preventing naive users from shooting themselves in the foot. Unless the organization sponsoring their use takes it a few steps further, into a NAC-like realm, are they doing anything to secure the server-side of the transaction.

]]> By: Kurt http://isisblogs.poly.edu/2008/04/28/update-to-single-site-browsers-ssbs/comment-page-1/#comment-321 Kurt Tue, 29 Apr 2008 04:27:55 +0000 http://isisblogs.poly.edu/?p=86#comment-321 Dan, I think that the assumptions should be stated. If my understanding is correct, you are assuming that the user is naive but not hostile, the client computer is not owned, and the browser works correctly. Are there other assumptions involved in the SSB idea? -kurt Dan,

I think that the assumptions should be stated. If my understanding is correct, you are assuming that the user is naive but not hostile, the client computer is not owned, and the browser works correctly. Are there other assumptions involved in the SSB idea? -kurt

]]>