Analysis of Web Browser Security Configuration Options

For ease of use and access, web browsers are now used to access and modify sensitive data and systems, including critical control systems. Because of their computational capabilities and network connectivity, browsers are vulnerable to several types of attack even when fully updated, and they are also the main target of phishing attacks. Many browser attacks, phishing included, could be prevented or mitigated by site-, user-, and device-specific security configurations. However, we discovered that all major browsers expose disparate security configuration procedures, option names, values, and semantics, which makes the web browsing ecosystem extremely hard to secure. We analyzed more than 1,000 browser security configuration options in three major browsers and found that only 13 options were both syntactically and semantically similar across browsers, while a further 4 were semantically similar but not syntactically similar. We: a) describe the results of our in-depth analysis of browser security configuration options; b) demonstrate the complexity of policy-based configuration of web browsers; c) describe a knowledge-based solution that would enable organizations to implement highly granular, policy-level secure configurations for their information and operational technology browsing infrastructures at enterprise scale; and d) argue for the necessity of developing a common language and semantics for web browser configurations.
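The two similarity classes the abstract reports, and the "common language" it argues for, can be made concrete with a small vendor-neutral policy compiler. The following is an added example written for this page; it is not the paper's tool and not code from any browser vendor. The vendor keys it emits are documented enterprise policy keys (Chrome: DefaultPopupsSetting with 1 = allow, 2 = block, and the boolean PasswordManagerEnabled; Firefox policies.json: PopupBlocking with a Default/Locked object, and the boolean PasswordManagerEnabled). The common-language setting names block_popups and save_passwords, and the classification function, are the author's own illustration. PasswordManagerEnabled is an instance of the syntactic-and-semantic class (same key, same type, same meaning in both browsers); pop-up blocking is an instance of the semantic-only class (same intent, but an integer enum in Chrome versus a nested boolean object in Firefox). Unknown settings are rejected rather than silently dropped, since a setting that is dropped on one browser is a hardening gap on that browser.

```python
"""Toy vendor-neutral browser policy compiler (illustration, not the paper's tool).

Common-language names (block_popups, save_passwords) are invented for this example.
Vendor keys are the documented enterprise policy keys:
  Chrome  : DefaultPopupsSetting (int: 1 = allow, 2 = block), PasswordManagerEnabled (bool)
  Firefox : PopupBlocking ({"Default": bool, "Locked": bool}),  PasswordManagerEnabled (bool)
"""
import json
from typing import Any, Dict

# A common-language policy: one name, one meaning, one value type (bool).
CommonPolicy = Dict[str, bool]
KNOWN_SETTINGS = ("block_popups", "save_passwords")


def _validate(policy: CommonPolicy) -> None:
    """Reject settings no emitter understands; silently dropping one would
    leave that browser unhardened while the policy file looks complete."""
    unknown = sorted(set(policy) - set(KNOWN_SETTINGS))
    if unknown:
        raise ValueError(f"unknown common-language settings: {unknown}")
    for name, value in policy.items():
        if not isinstance(value, bool):
            raise ValueError(f"{name}: expected bool, got {type(value).__name__}")


def to_chrome(policy: CommonPolicy) -> Dict[str, Any]:
    """Emit the managed-policy JSON object Chrome reads (e.g. from
    /etc/opt/chrome/policies/managed/*.json on Linux)."""
    _validate(policy)
    out: Dict[str, Any] = {}
    if "block_popups" in policy:
        # Chrome encodes the choice as an integer enum, not a boolean.
        out["DefaultPopupsSetting"] = 2 if policy["block_popups"] else 1
    if "save_passwords" in policy:
        out["PasswordManagerEnabled"] = policy["save_passwords"]
    return out


def to_firefox(policy: CommonPolicy) -> Dict[str, Any]:
    """Emit the distribution/policies.json document Firefox reads."""
    _validate(policy)
    out: Dict[str, Any] = {}
    if "block_popups" in policy:
        # Firefox nests a boolean default inside an object; Locked prevents
        # the user from flipping it back in preferences.
        out["PopupBlocking"] = {"Default": policy["block_popups"], "Locked": True}
    if "save_passwords" in policy:
        out["PasswordManagerEnabled"] = policy["save_passwords"]
    return {"policies": out}


def similarity(setting: str) -> str:
    """Classify one common-language setting the way the abstract does:
    'syntactic+semantic' if both browsers use the same key and value type,
    'semantic only' if the intent maps but key or type differs."""
    chrome = to_chrome({setting: True})
    firefox = to_firefox({setting: True})["policies"]
    (ck, cv), = chrome.items()
    (fk, fv), = firefox.items()
    if ck == fk and type(cv) is type(fv):
        return "syntactic+semantic"
    return "semantic only"


def render(policy: CommonPolicy) -> Dict[str, str]:
    """Return per-browser policy files as JSON text, keyed by a file label."""
    return {
        "chrome_managed_policy.json": json.dumps(to_chrome(policy), indent=2, sort_keys=True),
        "firefox_policies.json": json.dumps(to_firefox(policy), indent=2, sort_keys=True),
    }


if __name__ == "__main__":
    # Constructed sample policy: block pop-ups, forbid browser password storage.
    sample: CommonPolicy = {"block_popups": True, "save_passwords": False}
    for label, text in render(sample).items():
        print(f"--- {label}\n{text}")
    for name in KNOWN_SETTINGS:
        print(f"{name}: {similarity(name)}")
```

The useful property of the common layer is the validation step: a single vendor-neutral document is checked once, and every browser receives a file that expresses the same decisions, instead of an administrator hand-translating an integer enum into a nested object for each product and hoping nothing was missed.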
