Yankee Group Blog


Last week Yankee Group published a research note I wrote on “single site browsers” — a new twist on the venerable web browser that restricts a user to a single site. Single site browsers (“SSBs” for short) aren’t well known, but I believe they could do much to solve some of the web security problems we’ve been seeing over the last few years.

Rather than prattle on about SSBs, it’s much easier to show you what one looks like. Here’s a screenshot of Mozilla’s SSB application, called Prism, which is based on Firefox. For Mac-heads, Todd Ditchendorf has created a Safari-based SSB with his Fluid application.

SSB screenshot

The basic idea is that IT admins (or even end-users) tell Prism to create an SSB application for a specific site — in this case, www.americanexpress.com. Once created, a special desktop icon is added to the user’s desktop that launches that website. Put simply, SSBs turn websites into desktop applications.

What’s neat about SSBs is that they represent a rare confluence of interests between security people and web developers. Web developers like to create software and websites that look good and do cool things. Security people prefer to reduce functionality of software to just the sparsest subset that can be secured adequately. In this case, the developers have oriented their energies in a direction that also leads to more security. Because SSBs can, by definition, browse to only one website, many of the web-based attacks against users (phishing, cross-site scripting, cross-site request forgery) won’t work. This is great news for users, and we think that banks and other e-commerce website operators will want to take a close look at SSBs, not least because the price is right (“free-as-in-beer” as Slashdotters say).
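As an added example, not code from this post nor from Prism or Fluid: the navigation check a single-site browser has to apply to every URL the engine is about to load, with the one site pinned at creation time (www.americanexpress.com, the site from the post). `makeSsbPolicy`, `classifyNavigations` and the sample URLs are names and data constructed for this illustration.

```javascript
// Navigation allow-list of the kind a single-site browser must enforce: every
// URL the engine is about to load is checked against the one site the SSB was
// created for. makeSsbPolicy/classifyNavigations are hypothetical names.
function makeSsbPolicy(siteUrl) {
  const site = new URL(siteUrl);
  if (site.protocol !== "https:") {
    throw new Error("an SSB should be pinned to an https origin");
  }
  const allowedHost = site.hostname; // already lower-cased by the URL parser
  const allowedPort = site.port;     // "" means the scheme's default port
  // The predicate expects the absolute URL the engine would load.
  return function navigationAllowed(candidate) {
    let u;
    try {
      u = new URL(candidate);
    } catch (e) {
      return false; // unparseable input is refused, never guessed at
    }
    // No scheme downgrade: http: to the same host is still off-policy, and
    // javascript: or data: URLs are not the site at all.
    if (u.protocol !== "https:") return false;
    // "https://www.americanexpress.com@example.test/" parses with the real host
    // in u.hostname and the lookalike in u.username, so compare parsed parts.
    if (u.username !== "" || u.password !== "") return false;
    // Exact host match; www.americanexpress.com.example.test is a different host.
    if (u.hostname !== allowedHost) return false;
    // The parser normalises ":443" away, so only a non-default port differs.
    if (u.port !== allowedPort) return false;
    return true;
  };
}

// Constructed sample of navigations an SSB for www.americanexpress.com might
// see: in-site links, a lookalike host, a downgrade and a credential trick.
const SAMPLE_NAVIGATIONS = [
  "https://www.americanexpress.com/us/account",         // in-site
  "HTTPS://WWW.AmericanExpress.COM:443/login",          // same origin, unnormalised
  "https://www.americanexpress.com:8443/",              // non-default port
  "http://www.americanexpress.com/login",               // downgrade
  "https://www.americanexpress.com.example.test/login", // lookalike host
  "https://www.americanexpress.com@example.test/login", // userinfo trick
  "javascript:void(0)",                                 // not a site at all
  "not a url",                                          // unparseable
];
// Returns [{url, allowed}] so the verdict for each sample can be inspected.
function classifyNavigations(siteUrl, candidates) {
  const allowed = makeSsbPolicy(siteUrl);
  return candidates.map((url) => ({ url, allowed: allowed(url) }));
}
```

Only the first two samples are permitted; everything else, including the same host over plain http, is refused by the policy.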

As I was writing this note, I circulated a draft to a cross-section of web developers, security researchers and financial institutions to gauge their interest in the technology. We think SSBs represent a great way to “brand” a website and keep users safer at the same time. The feedback I got was mostly positive. A few callers on a call I did with the Financial Services Technology Consortium (FSTC) voiced some skepticism about SSBs. I later found out that the most skeptical ones worked for vendors who sold browser protection software! Why am I not surprised?

The research note, From Anywhere to Somewhere: Single-Site Browsers Keep Users Safer, is available to Yankee Group subscribers. All users (even non-YG customers) can view the short presentation I gave to the FSTC. I welcome your feedback.

One Response to “Single-Site Browsers”

The one critical problem that I see with SSBs is that if someone receives a phishing e-mail and the website it brings them to looks exactly like the one they see in the SSB, will they still give up their credentials? Or will they close Firefox and open the SSB? My money is on them giving up the info anyway.

Also, I think it requires that you deny access to your website from normal browsers to derive the most benefit from using SSBs, both from a user uptake perspective and as a protection against CSRF.

I’m writing up something about this that should be ready tonight or tomorrow at my blog here: http://isisblogs.poly.edu. If you have trackbacks turned on, you should see it.

Last thing, the multiple SSBs problem isn’t so much of a problem. I’ve been using one for Gmail, Gcal, Twitter, and Facebook for a few days now and it hasn’t overwhelmed me (yet).
