Problem
Communications of the ACM | January 2013 | Vol. 56 | No. 1 | Practice | doi:10.1145/2398356.2398372. Article development led by queue.acm.org. A discussion with Jeremiah Grossman, Ben Livshits, Rebecca Bace, and George Neville-Neil.
It seems every day we learn of some new security breach. It is all there for the taking on the Internet—more and more sensitive data every second.
Approach
As for privacy, we Facebook, we Google, we bank online, we shop online, we invest online…we put it all out there. And just how well protected is all that personally identifiable information? Not very. The browser is our most important connection to the Web, and our first line of defense. But have the browser vendors kept up their end of the bargain in protecting users? They claim to have done so in various ways, but many of those claims are thin. From SSL (Secure Sockets Layer) to the Do Not Track initiative to browser add-ons to HTML5, attempts to beef up security and privacy safeguards have fallen well short.
Results
For example, many experts dismiss the notion that the most widely used protocol for providing security over the Internet, the SSL CA (certificate authority) model, actually provides adequate transport-layer security. But for all its faults, there is much resistance among vendors to changing the model. HTML5 is waiting in the wings, viewed by many as the next step toward improving the Web experience, while retaining compatibility with existing browsers. It has been put forth with great promise, but so far it has not adequately addressed security shortcomings. Vendors have attempted to achieve better browser security by supplying add-ons for protection, but users first must know where to find, and then download, install, and configure them. That is a lot to ask. It also means first being aware of the dangers—many businesses have never heard of cross-site request forgery or clickjacking and most users have no idea just