A Relatively-Secure, Privacy-Friendly Browser

Temporary Supervisor

Dr Roger Clarke

Description

During the last two decades, the Web has become an indispensible tool for achieving access to information.

It is also currently a primary means of conducting economic transactions electronically, and many people use it for social transactions as well. However, all browsers have serious security vulnerabilities. Some of these are unintended, whereas some are designed-in.

All user segments need to be able to download, install and use a browser with features that address those vulnerabilities, and to do so without having to understand much about the technologies involved, the threats and vulnerabilities that arise, and the safeguards that address them. At one stage, the world was given the impression that Mozilla was consumer-friendly. But Mozilla's directions of development have instead been marketer-friendly and consumer-hostile, and its current products are vulnerable-by-design, in much the same way as IE, Google Chrome and Safari. Various plugins exist that address particular problems. But they are all piecemeal, and it's difficult for a user to find even a moderately protected browser that is available for download. The open-source browser Chromium is widely-regarded as the browser that has the least-worst profile in relation to unintended security vulnerabilities. (Chromium is an open-source project run by Google, building on Apple's WebKit, which in turn built on prior open-source work. Google Chrome is Google's proprietary fork of Chromium). Might Chromium represent a privacy-friendly browser solution? Chrome is quite simply a trojan horse, designed to ensure that its users' data is captive to Google Inc. Hence Chromium, even more so than other browsers, is subject to threats not only from software on the local device, and from web-servers, but also from the browser-provider. To what extent are features that serve Google's purposes embedded in the Chromium source-code? To achieve security and privacy objectives, it would seem to be essential to configure and enhance Chromium very carefully, and to reconfigure and enhance it from time to time, in order to address the risks arising from dependence upon code made available by a self-interested supplier. One attempt to do this was WhiteHat Aviator. This was pre-released in 2013, and released in early 2015. It was immediately subjected to attack by Google (Osborne 2015). That might indicate that WhiteHat did a poor job; or that it did such a good job that Google considered it a threat to the company's business model. Normal human beings aren't aware of these problems, wouldn't understand them even if they were aware of them, and wouldn't understand or be capable of implementing such safeguards as are available.

Goals

Possible projects include:

  • deep analysis of the design of Chromium and/or of WhiteHat Aviator
  • risk assessment of Chromium and/or WhiteHat Aviator
  • search for and investigation of alternatives (SRWare Iron, MozPETs, Comodo Dragon, Epic Browser, OrWeb/Orfox)
  • requirements analysis for a relatively-secure, privacy-friendly browser
  • specification of an appropriate configuration of and/or enhancements to Chromium
  • contributions to the now open-source WhiteHat Aviator project

Projects may choose to focus on browsers for desktops and laptops, or on the smartphone and tablet segments, which can be reasonably expected to diverge from the now 20-years-long history of browsers.

Background Literature

Clarke R. (2014) 'The Prospects for Consumer-Oriented Social Media' Proc. Bled eConference, June 2014, PrePrint at http://www.rogerclarke.com/II/COSM-1402.html See in particular sections 3 and 4 Osborne C. (2015) 'Avoid Aviator browser if you care about security and privacy, Google warns' ZDnet, 12 January 2015, at http://www.zdnet.com/article/avoid-aviator-browser-if-you-care-about-security-and-privacy-google-warns/ Chromium, at http://www.chromium.org/Home WhiteHat Aviator, at <a href="/%3Ca%20href%3D"https://www.whitehatsec.com/aviator/>https://www.whitehatsec.com/aviator/">https://www.whitehatsec.com/aviator/>https://www.w... and https://github.com/WhiteHatSecurity/Aviator SRWare Iron, at http://www.srware.net/en/software_srware_iron_faq.php Long J. (2015) 'Orfox Is The Guardian Project's Latest App For Bringing The Tor Browser Experience To Android, First Alpha Release Is Available' Android Police, 1 July 2015, at http://www.androidpolice.com/2015/07/01/orfox-is-the-guardian-projects-latest-app-for-bringing-the-tor-browser-experience-to-android-first-alpha-release-is-available/=>

Updated:  10 August 2021/Responsible Officer:  Head of School/Page Contact:  CECS Webmaster