Frequently asked questions

Q: What is the Managed Browser Service?
Q: What kind of protection does the Managed Browser Service offer?
Q: What is the Managed Browser Service’s malware detection capability?
Q: What is the Managed Browser Service’s malware quarantine capability?
Q: What is the Managed Browser Service’s malware exclusion capability?
Q: What is the Managed Browser Service’s device trust capability?
Q: What is the Managed Browser Service’s channel trust capability?
Q: Why is the Managed Browser Service necessary?
Q: Iʼve heard that some browsers are safer than others - is this the answer?
Q: Donʼt anti-virus solutions fix the problem?
Q: How does the Managed Browser Service work?
Q: Why does the Managed Browser Service use dotFX’s Cloud and Client technology instead of just a simple browser plugin?
Q: Which browsers does the Managed Browser Service protect?
Q: Who can subscribe to the Managed Browser Service?
Q: What is the Managed Browser Service setup experience like for web service providers?
Q: What service management options are available for web service providers?
Q: What is the Managed Browser Service setup experience like for web service users?
Q: What is the Managed Browser Service user experience like for web service users?
Q: Can the Managed Browser Service be used on more than one computer per user?
Q: What options exist for upgrading the Managed Browser Service client code?
Q: Which threats does the Managed Browser Service protect against?
Q: How does the Managed Browser Service protect against social engineering attacks?
Q: How does the Managed Browser Service protect against phishing?
Q: How does the Managed Browser Service protect against pharming?
Q: How does the Managed Browser Service protect against browser malware?
Q: How does the Managed Browser Service protect against desktop Trojans?
Q: How does the Managed Browser Service protect against keystroke loggers?
Q: How does the Managed Browser Service protect against man-in-the-middle attacks?
Q: How does the Managed Browser Service protect against man-in-the-browser attacks?
Q: How does the Managed Browser Service protect against cross-site scripting attacks?
Q: Who developed and operates the Managed Browser Service?


Q: What is the Managed Browser Service?

A: It is an easy-to-use online service that allows web service providers to turn their users' browsers into secure endpoints. The whole solution can be set up and rolled out from the server side, with minimal impact on users, but extraordinary gains in the security of online transactions and sessions.


Q: What kind of protection does the Managed Browser Service offer?
A: It offers three vital anti-malware protection services: malware detection, malware quarantine and malware exclusion. It also provides two great trust assurance services: device trust and channel trust.


Q: What is the Managed Browser Service’s malware detection capability?

A: It is able to scan the user’s browser on every occasion of use to see if it can detect the presence of any known browser malware. If so, it either disables or removes the malware. However, it is becoming increasingly difficult to detect malware as the trend is moving towards polymorphic malware, i.e. malware that mutates its superficial characteristics as it spreads around the Internet, making it very hard to detect any recognizable ‘signature’. The Managed Browser Service will detect and neutralize malware where it can, but don’t worry: undetected malware will be disarmed by the Managed Browser Service’s other great anti-malware features.


Q: What is the Managed Browser Service’s malware quarantine capability?
A: A lot of browser malware works by carrying out surreptitious actions in the background of a legitimate user session. For example, the user may be logging in in the foreground, while in the background the malware harvests the username and password and posts them over the Internet to a location in cyberspace where the malware’s criminal owners can pick up the stolen credentials without fear of detection. The Managed Browser Service’s malware quarantine service locks down every part of the browser that is not currently needed for the legitimate web service, thus neutering any malware trying to execute background tasks, even malware with unknown signatures. In the case of credential theft malware, for example, the malware would be prevented from posting the user’s login details outside the browser.


Q: What is the Managed Browser Service’s malware exclusion capability?
A: The Managed Browser Service’s malware exclusion service provides a truly innovative way of lifting sensitive web operations out of the vulnerable general purpose browser (Internet Explorer, Firefox, or whatever) and running these operations in a totally separate, security-hardened mini-browser, impervious to all the usual malware threats. Initial installation of the mini-browser, any necessary updating and the actual operation of the mini-browser all happen in a way that is more or less invisible to the user, whose browsing experience remains virtually unchanged.


Q: What is the Managed Browser Service’s device trust capability?
A: Basically, it’s a device ID solution, but without the logistical headaches and security vulnerabilities that characterize many device ID offerings. The Managed Browser’s device trust service assigns a unique ID to each computer used by the user to access a web service. This acts as an independent second security factor to crosscheck with the login credentials provided by the user.


Q: What is the Managed Browser Service’s channel trust capability?

A: It’s a robust solution to prevent channel intermediation, i.e. the interposition of a malicious agent in the communication channel between user and online service in what is usually known as a ‘man-in-the-middle’ or ‘MITM’ attack.


Q: Why is the Managed Browser Service necessary?
A: We believe - along with many of the worldʼs leading Internet security experts - that web browser security is broken in a fundamental way. There has been a huge explosion of malicious activity on the Internet exploiting browser vulnerabilities. Symantec detected no less than 1,656,227 different varieties of malware in circulation during 2008 (Source: Symantec Global Internet Security Threat Report, April 2009). This malicious activity is growing at an alarming rate: no less than 60% of all malicious code varieties ever found by Symantec were identified in 2008, and there is no reason to suppose that their acceleration is slowing. User vigilance wonʼt fix the problem, browser patches and updates have not, and anti-virus solutions seem powerless. Whatʼs needed to prevent erosion of trust online and to prevent a disastrous e-commerce implosion is a completely new approach to online security. The Managed Browser Service has never been more needed than it is today.


Q: Iʼve heard that some browsers are safer than others - is this the answer?

A: No. No doubt some browsers do offer better levels of security than others in certain areas, but malicious attackers have found ways to exploit the mainstream functionality of all W3C standards-compliant browsers. Sadly, choosing a ʻbetterʼ browser does not give you grounds for comfort about the malware threat.


Q: Donʼt anti-virus solutions fix the problem?
A: No. Anti-virus solutions work by spotting the recognizable signatures of previously identified viruses and malware. But nowadays there is an increasing tendency for malware to be polymorphic, i.e. how it looks on one PC may be quite different from how it looks on another. This makes it very hard indeed to identify reliable signatures for use in spotting and disabling malware. It is likely that this problem will only increase over time, thus rendering signature-based approaches to malware more or less redundant.


Q: How does the Managed Browser Service work?
A: Enterprises subscribe to the Managed Browser Service, whitelisting the website domains they wish to protect, and flagging any particularly sensitive pages in these sites. Then they enroll users into the service. Enrolled users may access whitelisted websites using their usual browser, which now serves as a highly secure endpoint, thanks to the capabilities of the Managed Browser Service. The service builds on dotFXʼs unique Cloud and Client technology, so newly enrolled users who have previously used the Managed Browser Service in connection with another website are immediately protected. Other users will be required to authorize first-time-only setup. This is a fast, highly streamlined, single-click operation, which is required only on the first occasion that they try to access a whitelisted website from a new device.


Q: Why is the Managed Browser Service based on dotFXʼs Cloud and Client technology instead of just a simple browser plugin?
A: Some, but not all, of the functionality provided by the Managed Browser Service is offered by companies that base the client side of their service on a browser plugin. One example of this is so-called ʻbrowser firewallʼ solutions. We believe that using ʻgoodʼ plugins to fight ʻbadʼ plugins is inherently risky, since the duel could go either way. Neither side has the ʻunfair advantageʼ of an outside authority that can decisively swing things in favor of the good guys. This is precisely the ʻunfair advantageʼ that is inherent in the Managed Browser Service due to the underlying dotFX Cloud and Client platform, which creates a single shared runtime secure sandbox spanning the cloud-side management system and the client-side browser controller.


Q: Which browsers does the Managed Browser Service protect?
A: Pretty much all of them. We actively support Internet Explorer 6+ (Windows, Mac), Firefox 1.5+ (Win, OS X, Linux), Safari 1.2+ (OS X), Chrome 2.0 (Win), Camino 1.0 (OS X), plus most other Mozilla-based browsers.


Q: Who can subscribe to the Managed Browser Service?
A: At the moment we are offering the Managed Browser Service as a subscription service to enterprises, who may whitelist domains to be managed. These enterprises then enroll users of the managed domains through a simple self-service process.


Q: What is the Managed Browser Service setup experience for web service providers?
A: Enterprises that do not wish to take advantage of the Managed Browser Serviceʼs device ID feature simply log in to a control panel to enter the domains they wish to protect, plus any pages requiring special protection using the malware exclusion feature. Enterprises will also need to add an optional or obligatory ʻsecurity upgradeʼ action to their usual login page, which is implemented as a single link to the Managed Browser Service enrollment and setup function. No user will be protected until they carry out this action. Once enrolled in the system, users may only log in from a device that has previously been set up. Enterprises that wish to deploy the device ID feature will also need to add a device ID field to their user account database, and to implement a simple data feed connecting the web application and the Managed Browser system. This allows device IDs to be passed from the Managed Browser Service to the web application for validation, e.g. comparison against known device IDs stored for each user in the user account database.
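
An added example, not dotFX code: a sketch of the validation step described above, in which the web application checks a device ID received over the data feed against the IDs enrolled for that user. The function names, the in-memory store and the treatment of the device ID as an opaque string are assumptions, since the page does not specify the feed format or the database schema.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the user account database with the
# added device ID field (hypothetical schema, not the vendor's).
_USERS = {}


def _digest(salt: bytes, value: str) -> bytes:
    """Salted, slow hash so stored values are of little use if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "pw": _digest(salt, password), "devices": []}


def enroll_device(username: str, device_id: str, secondary_auth_ok: bool) -> bool:
    """First-time setup of a new device. The site's policy may demand
    secondary authentication before the ID is stored."""
    user = _USERS.get(username)
    if user is None or not secondary_auth_ok:
        return False
    user["devices"].append(_digest(user["salt"], device_id))
    return True


def login(username: str, password: str, device_id: str) -> str:
    """Return 'ok', 'bad_credentials' or 'unknown_device'.

    The distinction is for server-side logging; the client should see one
    generic failure, otherwise 'unknown_device' confirms a stolen password.
    """
    user = _USERS.get(username)
    if user is None:
        # Do comparable work so unknown usernames do not stand out by timing.
        _digest(b"\x00" * 16, password)
        return "bad_credentials"
    if not hmac.compare_digest(user["pw"], _digest(user["salt"], password)):
        return "bad_credentials"
    candidate = _digest(user["salt"], device_id)
    known = False
    for stored in user["devices"]:
        # Constant-time comparison, and no early exit on the first match.
        known |= hmac.compare_digest(stored, candidate)
    return "ok" if known else "unknown_device"
```

A correct password from a device that was never enrolled is rejected here, which is the second-factor behaviour the answer describes.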


Q: What service management options are available for web service providers?
A: Enterprise subscribers have access to a control panel that supports useful setup, administration and reporting functions.


Q: What is the Managed Browser Service setup experience for web service users?
A: Users are required to authorize first-time-only setup. This is a fast, highly streamlined, single-click operation, needed on the first occasion that enrolled users try to access a whitelisted website from any new device. Secondary authentication may be required to set up a new device, in line with the security policies of the website owner. Once set up, unprecedented levels of browser security automatically apply every time a user visits a Managed Browser Service protected site, with no need for further user intervention of any kind.


Q: Can the Managed Browser Service be used on more than one computer per user?
A: Yes, but each device needs to be set up for that user the first time the user attempts to access a managed website from that device.


Q: What is the Managed Browser Service user experience for web service users?
A: More or less invisible. The Managed Browser Service does what itʼs supposed to do - it works in the background to protect the userʼs online sessions, without drawing attention to itself or getting in the way of the userʼs browsing experience.


Q: What options exist for upgrading the Managed Browser Service client code?
A: The client-side code that oversees browser security on the client is based on dotFX's Cloud and Client platform, which supports automatic updating as a primary function. This guarantees that the version of the client code on a userʼs PC is up-to-date every single time they use it, without any annoying permission dialogs popping up to confuse the user or upset the browsing experience.


Q: Which threats does the Managed Browser Service protect against?
A: It protects against a wide range of attack vectors, including: social engineering, phishing, pharming, browser malware, desktop Trojans, keystroke loggers, man-in-the-middle attacks, man-in-the-browser attacks, and cross-site scripting attacks.


Q: How does the Managed Browser Service protect against social engineering attacks?
A: Social engineering attacks work when the user is conned into doing something ill-advised. The Managed Browser Service protects against such attacks primarily by means of the device ID feature. The device ID is unknown to the user, so it cannot be consciously disclosed. Even if the user does disclose their user name and password, these will be useless to the confidence trickster without the device ID.


Q: How does the Managed Browser Service protect against phishing?
A: Phishing (i.e. luring users to disclose their real login credentials on a fake login page) is a variety of social engineering attack, so everything that applies to social engineering protection also applies here.


Q: How does the Managed Browser Service protect against pharming?
A: Pharming targets the infrastructure of the Internet to misdirect correctly addressed web traffic to fake sites where phishing of login credentials can take place. Since Managed Browser device IDs cannot be phished, the conventional credentials that might be stolen during a pharming attack are useless without them.


Q: How does the Managed Browser Service protect against browser malware?
A: Browser malware plugs into browsers, using the standard interfaces mandated by W3C standards and supported by all mainstream browsers. The Managed Browser Service uses a combination of its malware detection, quarantine and exclusion features to render the malware safe. Browsing may continue safely, even from a compromised browser.


Q: How does the Managed Browser Service protect against desktop Trojans?
A: Desktop Trojans work in a similar fashion to browser malware, but they operate outside the browser, for example by keystroke logging or screen scraping. Since these Trojans cannot access the secure, encrypted device ID, any login credentials they are able to harvest will be useless by themselves. Since the Trojans run outside the browser secure sandbox, they cannot seize control of a logged-in browser session.


Q: How does the Managed Browser Service protect against keystroke loggers?
A: Some keystroke loggers are implemented using browser malware, others using desktop Trojans. A third class of keystroke loggers is implemented by means of a physical device, or dongle, that is surreptitiously attached to the target device and harvests login credentials entered via its keyboard. None of these methods is capable of accessing and stealing the device ID, which is never typed or otherwise visible on the deviceʼs I/O channels.


Q: How does the Managed Browser Service protect against man-in-the-middle attacks?
A: It creates a high-security VPN link between a conventional browser and the website it accesses, making it practically impossible to intercept or intermediate the session. This effectively eliminates the threat of session hijacking and man-in-the-middle (MITM) attacks.


Q: How does the Managed Browser Service protect against man-in-the-browser attacks?
A: This is one of the most insidious attack types currently known. In its worst variety the malware simply sits quietly until the user has logged into a service and then the malware hijacks the logged-in session to carry out whatever tasks it has been set up to execute. For example, a man-in-the-browser (MITB) variety may wait for a user to log in to an online bank and then it will set up a new payment recipient (the bad guys) and transfer whatever sum it wishes into the bad guysʼ account. It is possible to do this discreetly in the background, so this account could be farmed over a long period of time, with a small sum being transferred each time the user logs in. Alternatively the bad guys could go for a single hit to empty the account in one go, knowing that this will probably be spotted immediately. The Managed Browser Service protects against background malware activities with its malware quarantine feature. This limits the actions that can take place in any webpage to those authorized by the service provider. More powerfully, sensitive actions, such as new payee setup or funds transfer, can be removed entirely from the conventional browser by the Managed Browser Serviceʼs malware exclusion feature and executed instead in the Serviceʼs own secure, locked-down mini-browser, beyond the reach of conventional malware. Even trying to invoke the first step of a sensitive action forces the mini-browser to the foreground where it becomes visible to the user and thus may be cancelled with no ill effects.


Q: How does the Managed Browser Service protect against cross-site scripting attacks?
A: Cross-site scripting attacks trick the browser into executing malicious code stored on another website rather than stored locally in a browser plugin or Trojan. The effects are comparable to local malware. The Managed Browser Service effectively defeats cross-site scripting attacks using a combination of the techniques it deploys to overcome locally stored malware.


Q: Who developed and operates the Managed Browser Service?
A: The Managed Browser Service was developed by dotFX, Inc., a secure web technology business headquartered in Silicon Valley, California. The Managed Browser Service - which is also operated by dotFX - is based on dotFXʼs own patent-pending secure Cloud and Client platform.