AusCERT2012: Locking down Mozilla's Web Apps

Mozilla is pushing mobiles into the world of online Web Apps and its the job of a Sydney engineer to ensure security in the emerging landscape.

Web Apps are the multi-platform browser-based replacement for local apps. They grant more power and privilege to web sites and are built on open technologies like HTML5, CSS and JavaScript which removes the need for developers to build separate apps for different mobile devices.

The platform is not finalised but preliminary plans may require web sites to lift security profiles to become Web Apps. 

“The fundamentals of Web Apps – as opposed to web pages – is that they will need greater permissions in order provide native-like functionality, but in order to grant permissions, you need to be able to trust the web which is an inherently untrusted medium,” says Mozilla's Paul Theriault, the security project lead for the company's upcoming Boot to Gecko phone which will run entirely from Web Apps. 

“Technologies such as content security policy, strict transport security (HSTS), and BrowserID will all play a role in increasing the trust in websites in order for them to be trusted enough to be granted App-like permissions.”

Security is vital for Web Apps because they are afforded higher privileges and access to device and user data. But the Sydney-based engineer told the AusCERT conference on the Gold Coast that existing security controls and those emerging within HTML5 are not sufficient.

He says permissions are mainly granted by prompting in a “doorhanger” style notification, such as access for user location, which will likely remain,. “We need something more meaningful going forward, as users tend to eventually just agree to nagging permission dialogs.”

“Permissions are key in this world, as the only thing that separates, for example, the Dialer App from regular web page content is the permission to access the new Web Telephony API which allows web pages to make phone calls.”

Harden up

Theriault has identified a series of browser features that can substantially harden web sites today, and will likely form the basis of tomorrow's Web Apps.

As a first step, he recommends web administrators implement Mozilla's content security policy which helps mitigate cross site scripting attacks. Those attacks are possible when content received as part of a web server response is treated with equal privilege by the requesting browser.

The backwards-compatible policy tells browsers what content is legitimate and which should be disregarded. It requires script content be separated from remaining web site content and whitelisted so that malicious scripts can be blocked.

“But there are other ways attackers can achieve similar results, so don't think you can develop your web site insecurely and wrap content security policy around it,” he says.

Next on Theriault's to do list is HSTS which means users can only access web sites with valid certificates. The header value resides in the HTTP response that mandates visitors use HTTPS for a set time, preventing users from accessing sites with invalid certificates and being subject to man in the middle attacks.

By forcing HTTPS, the technology prevents attacks such as cookie-clobbering in which attackers during man in the middle attacks override cookies on the HTTP channel to then replace cookies over HTTPS.

His third recommendation which serves to boost privacy and security is Mozilla's BrowserID which serves as a decentralised identity service within the web browser.

“The weakness with [rivals] OAuth and OpenID is that web sites authenticating with them must make calls back to identity providers like Google,” Theriault says. “That means Google can track your movement around the web every time you log in sites that use them, and that's not great from a privacy perspective.”

BrowserID grants the benefits of a federated identity system without the privacy implications by using PKI to generate assertions without the need to ping identity providers.

Like its rival systems, web sites would need to determine the identity providers they wish to trust.

Copyright © SC Magazine, Australia