Feelings of (Web) Insecurity


I am always amazed by how insecure the Web is. It is a well known fact that a large fraction of all web sites, possibly even the majority, are vulnerable to the simplest SQL injection attacks. This easy form attack can be executed by any teenager spending a couple of hours googling and experimenting; it can be used to obtain personal data of a Web site’s users and activity, potentially credit card numbers, as well as run havoc in its content. Interestingly, it is even possible to find many of the Web sites that are vulnerable to SQL injections by searching in Google for usual error messages returned in such cases. In fact, there are even Web sites that utilize this trick to provide more targeted search capabilities for such Web sites. (I’d like to thank Eran Yahav for this info.)

Recently, I have discovered that a Chrome extension provided by an Israeli bus company, which was accompanied by an extensive ad campaign includes vulnerabilities that let an attacker find personal information of users that install it. This includes, for example, obtaining the passwords saved in the browser for various Internet web sites and e-mail accounts, being able to redirect all the e-mails of the user to an external server, etc. These come from a couple of naive (or shell I say stupid) mistakes in the JavaScript code.

Similarly, it turns out that the White pages telephone directory service operated by the largest phone company in Israel, and which includes all registered phone numbers in Israel, can be queried in a way that provides a reverse phone numbers lookup service. Of course, this is not officially exported or linked to from their Web page since providing such a service is illegal. Yet, a simple URL structure inserted into any Web browser activates it.

And these are just minor examples of the extent of  the problem.

Why is it happening? I think this is a result of several factors: First, most Web developers have little formal IT training. Second, Web development languages and platforms are highly insecure by nature. PHP, JavaScript, SQL, and the likes make Web development a breeze, but at the same time they provide very little protection to the programmer. Third, highly trained university graduates often despise Web development, considering it an inferior form of software development. Moreover, even in universities security is not adequately stressed. Finally, there is hardly any legal incentive to invest in Web security. Free web sites and free software come with a license that exempts the developers, or service providers, from any responsibility.

So, what can be done? In my opinion, it is up to the major universities to change this situation by performing the following: At the education level, both computer security and Web development courses should become a mandatory part of any B.Sc. degree in IT related programs (Computer Science, Software Engineering, Information Systems, etc.). Additionally, we should aspire to publish guidelines for best practices in Web development. Moreover, official free-to-use security benchmarks should be developed. Once they are developed, legislators should be pressed to change the laws such that releasing Web sites or Web applications that do not pass these free security benchmarks would be considered a criminal offence, and expose their developers to personal liability law-suits, regardless of the End User License Agreements (EULAs) they come with.

Why should these benchmarks be free? Because otherwise legislators would be reluctant to pass such laws, claiming that imposing them would curtail Web innovation, which is so important for the economy.

So who should maintain them and who would pay for this? The development and maintenance of these benchmarks should be done by leading university researchers, and be funded by special government grants. The cost to the tax-payer of doing so is miniscule compared to the cost of leaving the situation as is.

Would it solve all security flaws? Of course not. But it would greatly limit them. This is similar to having a heavy door with a sophisticated lock at your home. While it cannot prevent a very determined and very experienced thief from braking in, it works great in keeping most unwanted intruders out.

Why only Web development?Why not all software? Web development is a much more restricted domain than general software security. Hence, there is a much higher chance of succeeding in developing meaningful security benchmarks for it. Also, the problem is much more acute there, due to the nature of its usage. Finally, one has to start somewhere…