A Browser Security Idea

One of the comments “How To Fix The Internet” article that’s circulating is the notion of a central organization (like the BBB) maintaining a database of information that sites would presumably dish out to users upon them requesting a page for the first time.

Well, how about a standalone security tool to do this?

This tool would have a couple parts:

1. A list of attributes with associated risks (think Bayesian adjustment of a risk level) e.g.:-Hosted in Russia / China-IP address for a URL-Immediately redirects you to somewhere else-Cert doesn’t match DNS-Webserver outdated (versions vulnerable to known exploits)-Recent bad activity for this site** Assigns a score to the site

2. A client for the user’s system (to pull updates) and a plugin for their browser-Pulls down updates, checks visited sites vs. information

—

So here’s the idea — we create this system and serve the constantly updated data out to whoever wants it. They could pull it down weekly/daily/hourly or whatever (depending on how often there are updates).

From there, when they go to a website it checks the current “risk level” of the site against their current security settings. So, if it’s between 6 and 7, don’t run ActiveX on the site. If it’s between 1-4, don’t even load it — etc.

The key here is customizing the local security settings according to a semi-dynamic repository of information hosted by security enthusiasts. We don’t need the BBB for this.

This is very early thinking, and it could be utterly lame to me in 10 minutes, but it sounds good in my head right now.

Thoughts?

Related posts:

1. The Real Internet of Things: Details and Examples

2. It’s Time for Vendor Security 2.0

3. Everyday Threat Modeling