Linked by Thom Holwerda on Tue 7th Jul 2009 22:08 UTC
Internet & Networking

Web browsers have become ever more important for our computers. Instead of displaying static HTML pages, they now handle complex web applications, ranging from social networking to text editors to online banking, and everything in between. While some browsers have finally started treating the browser more like an operating system (Chrome and Internet Explorer 8), those are just baby steps. The real thing is coming with Microsoft's Gazelle, a research project which applies operating system concepts to the browser.
Cool.
by gehersh on Tue 7th Jul 2009 23:32 UTC
gehersh
Member since:
2006-01-03

Now when the browser is having problems drawing a page, it'll show the Blue Screen of Death, and I'll have to reboot.

Reply Score: 6

RE: Cool.
by drstorm on Wed 8th Jul 2009 00:36 UTC in reply to "Cool."
drstorm Member since:
2009-04-24

How is that a new thing?

I'd call this a BSOD. Wouldn't you agree? ;)
http://img219.imageshack.us/img219/144/bsod.png

Reply Score: 2

RE[2]: Cool.
by l3v1 on Wed 8th Jul 2009 06:11 UTC in reply to "RE: Cool."
l3v1 Member since:
2005-07-06

Well, you see, it's not really blue... ;)

Reply Score: 2

RE[3]: Cool.
by drstorm on Wed 8th Jul 2009 10:12 UTC in reply to "RE[2]: Cool."
drstorm Member since:
2009-04-24

Well, it is kinda... blueish.
And it's definitely a screen of Death. Just look at the icon. It's dead. ;)

Reply Score: 1

not sure ..
by project_2501 on Wed 8th Jul 2009 00:32 UTC
project_2501
Member since:
2006-03-20

not sure basing your security on domains is the right idea .. there is no real reason that abc.com is different from def.com ... it's just a DNS domain name and that doesn't mean they are different or the same originator. this isn't that revolutionary.

it's a bit like a Windows anti-virus application treating files differently depending on their drive letter (C:, D:, etc). in reality it doesn't mean anything. they could even be on the same drive!

they'd be better off sorting out buffer overflows and more bread and butter security weaknesses ...

Edited 2009-07-08 00:34 UTC

Reply Score: 2

RE: not sure ..
by PlatformAgnostic on Wed 8th Jul 2009 03:12 UTC in reply to "not sure .."
PlatformAgnostic Member since:
2006-01-02

That's not what people generally exploit on the web. It's far more common to see these Cross-Site Scripting attacks against the design of the web applications than against the browser code.

It's the same reason why people go after applications running on Windows much more than after the OS itself: it's a lot easier and likely just as lucrative.

Reply Score: 2

RE: not sure ..
by google_ninja on Wed 8th Jul 2009 21:42 UTC in reply to "not sure .."
google_ninja Member since:
2006-02-05

One very common and insidious (has happened with Google and Amazon, among others) attack is Cross Site Request Forgeries (or CSRF).

The idea is this: you go to your bank, and check the "keep me signed in" checkbox (which any bank worth their salt would NOT have, but this is an example). That site puts an authentication cookie in your browser. Next time you go to the site, it checks the cookie, and doesn't bother asking for username/password, but just forwards you along to the next screen.

Now, I have a site (or use an XSS attack against a site you use), and I do an AJAX request that mimics a form submission to transfer money to my account. The site receives the request, checks for authentication, since it is the browser making the request it finds the cookie, and just lets it through.

These kinds of exploits are very difficult to avoid; the only thing you can really do is generate an authentication token on every page, and then check for it on the next request from that session.

Reply Score: 2
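
The per-page token check described in the comment above, as an added example that is not part of the original thread: a minimal server-side sketch in which the session cookie alone is never enough to authorize a transfer. The in-memory session store, the function names and the `csrf_token` field name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}

def login(user):
    """Create a session; the returned id is what the auth cookie would carry."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": None}
    return sid

def render_transfer_form(sid):
    """Issue a fresh unpredictable token for each rendered page.

    The token goes into a hidden form field, so only a page served by this
    site to this session knows it. Another origin cannot read that page,
    and the browser does not attach the token automatically as it does
    the cookie.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token

def handle_transfer(cookie_sid, form):
    """Return an HTTP-style status code for a state-changing POST."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401  # no valid session cookie
    expected = session["csrf"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if not expected or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return 403  # cookie present but token missing or wrong: reject
    session["csrf"] = None  # consume the token so it cannot be replayed
    return 200

if __name__ == "__main__":
    sid = login("alice")
    token = render_transfer_form(sid)
    # Cross-site request: browser sends the cookie, but no token is known.
    print(handle_transfer(sid, {"to": "other", "amount": "100"}))  # 403
    # Same-site form submission carrying the token.
    print(handle_transfer(sid, {"csrf_token": token, "amount": "100"}))  # 200
```
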

elmimmo
Member since:
2005-09-17

Maybe it is that this will be practical/needed in the future as the web heads for a more application-like platform, but really, is anyone concerned at all about the problems Gazelle is trying to address?

Reply Score: 1

google_ninja Member since:
2006-02-05

Yes, pretty much everyone is. The browser is an application that executes arbitrary code off the internet, and that millions of people enter sensitive information into.

Reply Score: 2

Delgarde Member since:
2008-08-19

Maybe it is that this will be practical/needed in the future as the web heads for a more application-like platform, but really, is anyone concerned at all about the problems Gazelle is trying to address?


Very much so. Never mind "in the future" - the web is already well on the way to an application-like platform, and has been for several years. And if you look through recent Firefox release notes, you'll notice that a substantial proportion of the bugs fixed in the 3.0.x series were security bugs of this kind.

Reply Score: 2

Neat
by google_ninja on Wed 8th Jul 2009 21:48 UTC
google_ninja
Member since:
2006-02-05

This sort of reminds me of a microkernel OS architecture.

Reply Score: 2