Comments on: Secure Internet Browsing http://securitypie.com/secure-internet-browsing/ The ramblings of three security curmudgeons Mon, 05 Jul 2010 02:16:52 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: arikb http://securitypie.com/secure-internet-browsing/comment-page-1/#comment-187 arikb Sun, 21 Dec 2008 03:04:20 +0000 http://securitypie.com/?p=210#comment-187 No, Explorer doesn't support profiles. Also, the per-site trust level doesn't solve the problem. Sandboxing is a theoretical concept. Its physical implementations vary - for example Java applications run in a sandbox, Javascript ones too. The challenge is in the design of the box and making sure nothing spills over. Some of the more nasty browser vulnerabilities are a spillover. I personally think that a sandbox is pretty difficult to design. Take for example VMWare. In concept, VMWare is an ideal sandbox - totally separate OS running in a completely virtual environment, where even communicating with the host is done via a fake network interface. Pretty tight. But it also has a special interface to make the VMWare tools work, share files and interact with the host, and that interface had <a href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034" rel="nofollow">at least one vulnerability I can recall</a>. If VMWare made a mistake in the implementation of a relatively very well isolated system, other sandbox implementations are not immune. -- Arik No, Explorer doesn’t support profiles. Also, the per-site trust level doesn’t solve the problem.

Sandboxing is a theoretical concept. Its physical implementations vary – for example Java applications run in a sandbox, Javascript ones too. The challenge is in the design of the box and making sure nothing spills over. Some of the more nasty browser vulnerabilities are a spillover.

I personally think that a sandbox is pretty difficult to design. Take for example VMWare. In concept, VMWare is an ideal sandbox – totally separate OS running in a completely virtual environment, where even communicating with the host is done via a fake network interface. Pretty tight. But it also has a special interface to make the VMWare tools work, share files and interact with the host, and that interface had at least one vulnerability I can recall. If VMWare made a mistake in the implementation of a relatively very well isolated system, other sandbox implementations are not immune.

– Arik

]]> By: assafl http://securitypie.com/secure-internet-browsing/comment-page-1/#comment-186 assafl Sat, 20 Dec 2008 20:26:36 +0000 http://securitypie.com/?p=210#comment-186 I like this concept. I don't think explorer supports profiles (with the exception of the trust level of different sites), but it is important ot have a different instance of IE for important sites and risky sites). BTW - Whatever happened to the concept of Sandboxing? Only a few years ago I was expecting us to be knee deep in sand... I like this concept. I don’t think explorer supports profiles (with the exception of the trust level of different sites), but it is important ot have a different instance of IE for important sites and risky sites).

BTW – Whatever happened to the concept of Sandboxing? Only a few years ago I was expecting us to be knee deep in sand…

]]>