5:50 PM -- The recent Black Hat and DefCon conferences, which finally wrapped up last week, were rich with Web hacking. It was definitely a first for me, to see so many talks about Web application security -- an area of security that was previously seen as just a narrow niche of security. Now, after all has been said and done, I think there are a few good takeaways that browser companies need to chew on.
So what can we do about it? Theres been some talk about disallowing inbound requests through VPN tunnels to anything thats not already authorized -- like access to an internal wiki or Webmail, for instance. Thats a pretty flawed mitigation technique, because those targets are often the exact ones the bad guys are after. This is a problem that needs to be solved at the browser level.
There are two ways to handle it at the browser. The first is to leverage the "zones" concept already used by Internet Explorer. The concept is that the Internet zone should never be able to access the intranet zone, but this separation can break some Web apps -- especially things like Google Desktop.
While most people would gladly give up Google Desktop to protect their intranets security, it does cause some grief and isnt seamless. No doubt someone would cry antitrust if this becomes a blanket practice. You could simply whitelist applications or ports that should be allowed -- such as Google Desktop, which runs on a specific, high port.
The other way to fix the problem at the browser level is to allow hooks that plug-in manufacturers can use. Allowing antivirus vendors to do the detection on the browser companys behalf makes a lot of sense, but because it wouldnt be automatically built into the browser, its not ubiquitous. If the solution isn't everywhere, it doesnt matter, because all a bad guy needs to do is wait patiently until he finds a target that isnt protected.
Its going to be awhile before we see a browser-oriented solution put in place. But at least the browser companies know its a problem and are working to find solutions.