idw – Informationsdienst Wissenschaft
Nachrichten, Termine, Experten
Nachrichten, Termine, Experten
More than 35 years after the first website went online, the web has evolved from static pages to complex interactive systems, often with security added as an afterthought. To mitigate risks, developers use security headers that instruct browsers how to handle content securely. Early on, browser support was inconsistent. A systematic study by CISPA researcher Jannis Rautenstrauch and colleagues shows that browsers now behave far more consistently. To identify remaining deviations, the team developed an open-source testing tool.
Web security is not a fixed state but, in many respects, a negotiation process between server and browser. Browsers retrieve a website from one or multiple servers and assemble its various components—such as images, fonts, or JavaScript files—into the familiar web view we see. “In this process, they constantly make security decisions,” explains Rautenstrauch.
What Do Security Headers Specify?
Website operators can use security headers to send specific security instructions to the browser. For example, a website can tell the browser: “Only execute code that originates from me,” “Do not allow my page to be embedded in other pages,” or “Only load images from these sources….” This can prevent or hinder widespread web attacks such as clickjacking and cross-site scripting. “Over the years, more and more security headers have been added, each with its own syntax and specific rules. As a result, their correct implementation remains a complex task for both browser and website developers,” says Rautenstrauch. In practice, small typos, extra whitespace, or other deviations in the instructions occur repeatedly—issues that browsers somehow have to deal with.
How Do Browsers Implement Security Instructions, and What Did the Researchers Test?
A central component of the browser is the parser. This is a program that converts security headers, HTML, CSS, or JavaScript code into a data structure the browser can understand. “Browsers may look different, but they often share the same technical core, which includes the parser. 97 percent of commonly used browsers are based on just three different engines: Blink, for example, in Chrome, Edge, and Opera, Gecko in Firefox and Tor, and WebKit in Safari,” says Rautenstrauch. The researchers therefore carried out 177,146 tests systematically across the most widely used browsers. “We tested the 16 most security-relevant headers across different browser configurations. In 5,606 tests—that is, 3.16 percent of cases—different browsers behaved inconsistently,” explains Rautenstrauch. “That’s not a disaster, but we discovered various causes, some of them previously unknown, and sent bug reports to browser manufacturers and the specification bodies for security headers. This has already led to fixes and thus improves security for website visitors.”
Regular Testing Leads to Better Results
The results also show that differences between browsers and browser versions within the same browser engine are rare, whereas deviations between the three main browser engines—Blink, Gecko, and WebKit—occur more frequently. “This means that security headers are not always parsed and enforced consistently yet, but they are increasingly so.” The researchers did, however, find frequent differences in browser behavior for one particular security header: HSTS, short for HTTP Strict Transport Security. “HSTS instructs browsers to load a website exclusively over a secure HTTPS connection and to block insecure HTTP connections. The reason for the large number of deviations is obvious: Unlike other headers, there are no systematic tests for this header across different browsers. That should change.”
Testing Tool Uncovers Edge Cases
Rautenstrauch and his research colleagues are making their testing tool available as open source so that browser vendors can use it. “Unfortunately, many browser vendors are reluctant to permanently integrate our testing tool into their development chain, because developers still have to manually check, in cases of inconsistent behavior, whether a bug needs to be fixed and how it arises. Yet, our work shows that regular testing is worthwhile.”
Jannis Rautenstrauch jannis.rautenstrauch@cispa.de
https://doi.org/10.60882/cispa.30251392
https://zenodo.org/records/17129544 Software for: Head(er)s Up! Detecting Security Header Inconsistencies in Browsers
In a systematic study of the most commonly used browsers, CISPA researcher Jannis Rautenstrauch and ...
Merkmale dieser Pressemitteilung:
Journalisten, Wissenschaftler
Informationstechnik
überregional
Forschungsergebnisse
Englisch
In a systematic study of the most commonly used browsers, CISPA researcher Jannis Rautenstrauch and ...
Sie können Suchbegriffe mit und, oder und / oder nicht verknüpfen, z. B. Philo nicht logie.
Verknüpfungen können Sie mit Klammern voneinander trennen, z. B. (Philo nicht logie) oder (Psycho und logie).
Zusammenhängende Worte werden als Wortgruppe gesucht, wenn Sie sie in Anführungsstriche setzen, z. B. „Bundesrepublik Deutschland“.
Die Erweiterte Suche können Sie auch nutzen, ohne Suchbegriffe einzugeben. Sie orientiert sich dann an den Kriterien, die Sie ausgewählt haben (z. B. nach dem Land oder dem Sachgebiet).
Haben Sie in einer Kategorie kein Kriterium ausgewählt, wird die gesamte Kategorie durchsucht (z.B. alle Sachgebiete oder alle Länder).
