The definition of a privacy-aware HTTP browser

It is a well known fact that cross-site scripting and content is common-place. They are especially used for advertizing and user tracking. Consider what we call web bugs or beacons for instance.

For a number of years, mainstream browsers allow to optionally refuse to load images from other sources than the current site being viewed. Although this restriction is off by default, it should, on an ideal web, be on by default, with users needing to add sites to an exceptions list to allow cross-site images.

Ideally, a browser's default settings should be as follows:

  • Use of standard HTML 4.01+ and XML 1.0+ along with CSS, but not allowing iframes or images to originate from another domain. Forbidden third-party scripts. Ability of the user to allow third party content on request (but discouraged).
  • Scripting disabled, unless explicitely allowed by the user for specific domains (the NoScript Firefox extension allows this).
  • Features like Flash or Java disabled by default unless explicitely allowed by the user for specific domains. NoScript also handles this. These extensions are proprietary and their main function consist in the execution of remote arbitrary code. Although Java and Flash are mentionned here as reference, since widely known, this includes PDF and mail readers and other proprietary products implementing SVG, VRML, as well as SilverBullet and other extensions. Potentially also simple video media players.
  • When scripting functionality is allowed, these should only be allowed to use network functionality with the same domain by default, unless explicitely specified by the user for certain domains. Unfortunately, the advent of Web 2.0 (or 2.2) using intensive JavaScript to render more interactive GUI features (commonly called AJAX) causes more and more people to rely on scripting functionality. JavaScript consisting of an open-source and thus security auditable implementation of ECMAScript, it should be able to become secure when these restrictions are in effect.
  • The RequestPolicy Firefox extension can be used to control requests to third party resources. Although this can initially be an annoyance to configure properly, just like for NoScript, once it is configured for regularily visited sites, it becomes mostly transparent to the user experience. Another advantage of this extension is that it also forbids by default loading of ads and scripts from third party domains.
  • Scripts which serve as extensions and are explicitely installed on request by the user commonly have file system access. Access to the file system should be restricted to an automatically assigned extension-specific virtual root directory for each. Better, an independent extension-specific simple key/value registry could be provided instead of file system access in most cases.
  • Any functionality which makes a browser access automatically a site should be disabled by default. This includes auto-update functionality, downloading of a bookmark's icon from a site, update of an RSS feed, as well as auto-search functionality from the address bar or other similar features.
  • The HTTP-Referer HTTP header field should be disabled by default.
  • Cookies should by default be destroyed on request easily as well as at automatically at browser exit by default. This is also valid for all cached content. Ideally, sites should not be able to alter previously sent cookies. They however should be able to re-send the cookie whenever it expired, or to resend them with the same values if one still exists with the key.
  • The history should be restricted to a decent configurable value and no further data should be kept than for that exact period. These should also be deletable on request as well as application exit, although optionally. This is also valid for auto-saved sessions. This is valid for both browsing and download history.
  • Cached data should be protected against timing attacks.
  • Any auto-fill reminder managers (for forms as well as for passwords) should be disabled by default.
  • Browsers should support optional functionality, selected at installation, to encrypt all stored content using strong cryptography, requireing the user to type a password to start the application, as well as auto-suspend functionality after a user-set timed inactivity period disabling all network and GUI activity of the application until the password is re-entered. Although we see an emergence of similar functionality for password managers, this should apply to global storage, including storage of most of the configuration. Moreover, it is important for an inactive browser not to continue updating content automatically. Obviously, there should also be provided functionality to import and export any of the wanted data in unencrypted form by the user on explicit one-time requests.
  • By default, browsers should warn whenever use of an SSL certificate is to be used for the user to confirm that he indeed wants to connect to that HTTPS resource.
  • Information about stored cookies or other data should be limited to the domain from which it originates.
  • Stored bookmarks information should not by default include statistics about the last access date or number of accesses.

Although a browser implementing these security features might break the current functionality of existing commercial and fraudulent sites, they should be considered unethical to not provide a version of their content not making use of any of the disabled functionality which was usually assumed to be enabled.

Since major corporations such as Google and IBM now have a foot into Firefox development, this goal appears difficult to achieve. It thus becomes necessary for a neutral third party to enforce those default behaviors into a security-aware browser, such as a Mozilla or Firefox based product shipped with better settings. If an official project can never achieve this level of security, a third party could write a single Firefox extension enforcing these settings by default. Although there exist extensions here and there which can be added to enhance privacy and security in certain ways, there is a need for a single, non-commercially sponsored one embedding all the necessary measures into one.

Trusted Computing should not be considered an eventual solution to such problems. TC is a major step backwards as for human rights are concerned, and is also controlled by a coalition of major multi-national corporations such as IBM, Sony, Microsoft, Intel and Apple. Their goal is to totally limit your hardware and software flexibility so that you may not gain real administrator status on your own systems.

The enormous amount of data which corporations and organizations are able to accumulate by current default browser functionality is of serious concern. Privacy is being frowned upon by common practices. The accumulation of personal data and the length at which this is done gives unwanted, unethical individuals an enormous amount of power. People should be sensibilized about this. This part can only be done through education. However, if standard browsers limited functionality to what is strictly necessary, the web industry and sites would have to work with what's available.

Other common web trends are probematic on the web, such as acceptance of Flash as a video media player. Flash does not suit properly for this job and direct links to videos, playable by specialized media of the user's choice should be used instead. Sites like YouTube unfortunately popularized this bad practice. There are few officially Flash-supported platforms, which restricts portability of the method. Moreover, this requires the user to accept to run arbitrary remote code in a proprietary, non-auditable framework. Additionally, it is an extreme waste of CPU and RAM resources.

In a better educated population, it would become easier to boycott the use of unethical or unappropriate trends. But people also need tools which are already configured to only encourage good practices. Privacy of course does not end here. People should also be informed about the type of information they disclose when using web services, such as the plethora of Google services. But this is another story.

The WWW is a kludge

Some could argue that these suggestions would prevent the web from evolving technologically. It is true that the web requires a full redesign. Many deprecated and standard technologies should also no longer be supported in a new design. The HTTP protocol itself should be dropped in favor of better protocols allowing more interactivity (and inherently designed to avoid all the mess HTTP became over time), eliminating the need for hacks such as AJAX.

The current web consists of a chaos of redundant technologies and kludges. It also has favored the development and public acceptance of extensions which should ideally not have been allowed, since they are unstandard, closed sourced as well as untrustable. There are various existing technologies which could replace Web v1 and 2 if they had more public exposure. Of course, migrating from a technology to another is not an easy task, and would initially require support as extensions for existing browsers, before eliminating the bloated mainstream browsers to totally replace the technology. Tools for content generation and server-side scripts should also be readily available to the public for the new technology.

The server-side technology should be distributed and scalable, as well as secure (using a determined security framework similar to BSD kauth to fine-grain authorize permissions of applications). If a client-side scripting framework is also supported, the user also should be able to configure the access permissions with ease, and the framework should be secure by default. The system also should be designed to support sessions without permitting the type of abuse possible with cookies. This also is another story.