Writing a secure browser for today's web appears to be a technological challenge comparable to a level 5 self-driving car. It has not been shown to be feasible. So such cars are not permitted to be deployed on the world's roads. Today's web sites and browsers should similarly not be deployed on the world's infobahns.
Unfortunately, the only way to find these modes of failure is to have them actually fail. It's impossible to design and release an error-free system without real-world usage from real people.
It doesn't mean we should just give up and go back to HTML1 though. It just means exploits should be fixed as soon as possible to minimize damage.
We have gone from school kids coming up with highly privileged attacks on systems to it being something the top minds spend months on and get paid 6 figures per discovery for.
It seems that we need a better story for when code inevitably can escape the sandboxing that browsers provide because right now it's a straight up disaster scenario. That means you are going to have to rethink the OS underlying it and none of today's options were built with that kind of a threat model in mind.
There is Fuchsia on the horizon which sounds like a MAJOR leap forward but that also seems like it is several years away from ever reaching a desktop for example and it's also really unclear what kind of attacks are going to be possible in the real world against it either.
How does the economy of bug bounty programs work for the company? $100,500 is probably not much for Apple, but it's still some engineer's salary. Does the responsible engineer get a pay cut for this bug? Or are these kinds of 0day bugs not bugs, but secret features left open from the beginning?
Honestly, $100,000 for this is too low.
A bug in Knight Capital's stock trader lost $460M in 45 minutes.
A bug in the Ariane 5 rocket caused it to crash, a loss of $370M.
A bug in the Therac-25 radiation machine killed 3 people.
> secret features left open from the beginning?
Are you saying Apple engineers are inserting backdoors? What's the motivation? Security bugs are very easy to accidentally introduce when you have complex interacting systems (in this case a browser, a complicated URL parsing syntax, some ancient barely-known file types, and a file sharing application). Occam's razor (and Hanlon's) says it's an accident.
They can afford the bounty.
Even the encryption has to be free of side channels like timing attacks which are left out of what most people think of as a proof.
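To make the comment's point concrete, here is an added example (not code from the thread or from any browser vendor) contrasting an early-exit byte comparison with a constant-time one. Rather than measuring noisy wall-clock time, each function reports how many byte comparisons it performed, so the leak is visible deterministically: the naive version's work grows with how many leading bytes of the secret a guess gets right, while the constant-time version does the same work regardless. The secret token and guesses are constructed sample values; in real code the stdlib `hmac.compare_digest` is the tool to reach for, and the step-counting version is only a model of the algorithmic property.

```python
# Added example: "correct" is not the same as "side-channel free".
import hmac


def naive_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, number_of_byte_comparisons).

    The amount of work depends on where the first mismatch is, which is
    exactly what a timing attacker observes.
    """
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Comparison whose work does not depend on where bytes differ.

    Every byte is XORed into a single accumulator; the result is only
    inspected once, after the whole input has been processed.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def stdlib_compare(expected: bytes, provided: bytes) -> bool:
    """The real-world answer: CPython's constant-time digest comparison."""
    return hmac.compare_digest(expected, provided)


# Constructed sample secret (16 bytes); not a value from the thread.
SECRET = b"correct-token-16"


def leak_profile(compare) -> list[int]:
    """Steps taken for guesses that match 0, 4, 8, 12 and 16 leading bytes.

    Each guess keeps the first k bytes of SECRET and perturbs the rest by
    one, so the first mismatch is at index k (or there is none for k=16).
    """
    profile = []
    for k in (0, 4, 8, 12, 16):
        guess = SECRET[:k] + bytes([(c + 1) % 256 for c in SECRET[k:]])
        profile.append(compare(SECRET, guess)[1])
    return profile


if __name__ == "__main__":
    # naive work climbs with the matching prefix: [1, 5, 9, 13, 16]
    print("naive:        ", leak_profile(naive_compare))
    # constant-time work is flat: [16, 16, 16, 16, 16]
    print("constant-time:", leak_profile(constant_time_compare))
    print("stdlib agrees:", stdlib_compare(SECRET, SECRET))
```

The step profile is what a proof of functional correctness never sees: both functions return the right boolean on every input, yet only one of them keeps the secret's prefix out of an observable channel.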
Only when the "constraints" are that the browser must support all "standards" produced by some committee where most if not all members are employees of the few browser vendors or other "tech" companies heavily invested in the web. Perhaps that is what is meant by "today's web".
I use a netcat and similar TCP clients and a text-only browser on today's web and this works quite well for mine own purposes. Non-commercial use. Basic tasks like sending GET and POST requests, downloading pages and other resources and reading them. Using the web as an information source. I would be willing to bet these programs are "more secure" than the "modern web browser". They are certainly less complex.
For 99% of what I do I use Firefox + NoScript and I think I'm relatively secure. My solution probably provides more functionality than yours, but it's still a hassle to use some sites. Other sites simply don't exist w/o JavaScript. The situation isn't getting better.
You could have gotten basically the same (I would even argue better) level of security with a virtual machine and an otherwise full browsing experience.
On macOS I spend the first few days disabling several dozen junk processes I didn’t ask for and don’t want. This includes classroom tools (??) and all kinds of syncing/ sharing daemons I have no use for.
This exploit reinforces what we already know — computers are impossible to secure, you should reduce attack surface where possible. If you get a little privacy and performance out of it all the better.
I suppose if it's your own machine, and you know what you're doing, that's OK, but as soon as something breaks you will have no idea whether it's because you turned something critical off, or whether it's actually a bug.
Please don't do this to other people's Macs.
Thanks for the advice and all, but where is this coming from? It seems kind of out of left field, as parent comment did not communicate or convey in any way that they would ever mess with someone else’s machine like that. Is it not obvious that such an act would be just plain rude (and stupid)?
Point is, disabling junk helps until it doesn't, and it's much harder to enable one piece of junk after I forget what all I did in the first place. It would be nice if disabling Windows search wouldn't make the first attempt to open the Start menu not work after each restart, and enabling search didn't fix it. But everything is so interwoven that disabling "stuff I don't need" is shooting myself in the foot with a really long gun.
That's why I'm so wary of browsers (well, a certain browser) adding more and more APIs that hide behind permission popups. People will blindly click them.
And I fully agree with a sibling comment: "Writing a secure browser for today's web appears to be a technological challenge comparable to a level 5 self-driving car", https://news.ycombinator.com/item?id=30078738
Also Apple: "We have built in a long list of exceptions for Apple services, because it's impossible for an Apple service to have an exploit."
> "We advise users not to store sensitive info and files on their computers, to prevent nefarious actors from being able to steal these sensitive items"
Also it makes me reconsider using Safari, seeing all these "special cases" of iCloud and iPhoto URLs being allowed.