Browsers pretty much govern how we interact with the internet. The people who built the internet realized they needed a way to exchange documents, so someone came along and built this program that is kinda only meant to display documents on the web, and only to people in the military. This was fine for a couple of years, and eventually people started looking at the internet as less of a library and more of a communication platform, and of course communication happens for various reasons, few of which the internet, and by extension browsers, were actually designed for!
People started fostering the idea of using the internet for commerce and secret communication. We had a technology that allows us to rapidly communicate with anyone, anywhere, potentially; there is no way we can only be using this for research and the military. I mean, it's like as big an idea as the printing press, potentially! So people started doing things that required secrecy and privacy.
I don't think that the people who designed the internet are solely to blame for its completely security-orthogonal design (i.e. a network of computers sharing everything), but rather that the people who thought this up didn't build something that is meant to host military communications as well as commercial, academic and extremely public information sharing. How on earth were those people supposed to know what this technology would end up as? I feel like if they had known what would happen to this technology they would have made it more efficient to share pictures of cats. But they could not have had much foresight in designing a secure internet, obviously!
This obviously extends to the design of browsers. Browsers are now meant to fulfill two extremes of technology design (this is because of how the internet developed at the mercy of human social development). Browsers are meant to help you share information with the entire world, and on the other hand are meant to help you share information with only your bank, family or the woman you are having an affair with. We expect browsers to accomplish two things we usually isolate to two different kinds of technology, that is, to provide both extreme privacy and extreme public exposure! Think about this, I mean really think about this: what else do we know that does this? What else have we successfully built that accomplishes both of these tasks?
Here's a list of other funny examples of things that would fit the extremely private and extremely public requirements:
- A sprinting shoe that is bedroom comfortable and fluffy
- A jacket that is meant to keep you warm in a blizzard and show off your summer tan
- A medicine that actually kills you (actually this is a joke about chemo treatment, and the extreme capitalist propagandist pharmaceutical industry)
- A military tank that is designed to allow you to cruise down the coast
- A documentary that depicts the killings of a psychotic genius rapist serial killer in a way that is fun and educational for our kids?
Other person> So I think we should just connect computers together, if the machine can send signals to itself rapidly then surely it can be made to send messages to someone else? I mean would it be sick if you could send messages to someone in the next city instantly!!?? I mean you could talk to anyone, possibly anywhere!! And about anything!
You< Yeah that's awesome! People would probably want to communicate in secret sometimes, don't you think? Maybe we should design something that allows them to communicate securely? Like a secure communicator?
Other person> Yeah obviously we don't want them to communicate public things using the secure communicator? LOL
You< Dude, "LOL" isn't a word yet man, you so stupid!! hahahaha
Other person> GTFO man!
In my experience with web apps I've seen tons of examples of this: developers (bless their hearts) commonly try to use mechanisms in browsers that are meant for public exposure, meaning designed specifically to help share information, and they use these mechanisms to communicate private information or secrets. A typical example is the referrer header leakage bug. What happens here is that sometimes a page has authentication tokens in its URL while hosting externally referenced content; the browser then stuffs the auth token into the referrer header when that content is fetched. If you have been pen-testing for a while you know this well! Especially if you compete on HackerOne, Bugcrowd or other crowdsourced pen-testing outfits. This is what led to my original train of thought about how crazy an idea browsers are: me trying to understand why that vulnerability exists. I would have listed a lot more examples (and probably will in later edits of this blog post) but for now I think referrer header leakage is a perfect example of my point.
Anyway that's all I have to say about this now ;)
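The referrer leakage described above, as an added example that is not part of the original post: a simplified model of the Referrer Policy rules that reports which policies let a token in the page URL reach a third-party host. The URLs, the `token` parameter and all function names are constructed for illustration.

```javascript
// Added example: simplified model of the W3C Referrer Policy rules.
// All URLs and the token value below are constructed sample data.
const POLICIES = ['no-referrer', 'origin', 'same-origin', 'strict-origin',
  'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'no-referrer-when-downgrade', 'unsafe-url'];

// Drop credentials and fragment; optionally reduce to scheme://host[:port]/.
function stripUrl(url, originOnly) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  if (originOnly) { u.pathname = '/'; u.search = ''; }
  return u.href;
}

// Returns the Referer value sent when pageUrl fetches resourceUrl, or null.
function refererFor(pageUrl, resourceUrl, policy = 'strict-origin-when-cross-origin') {
  const page = new URL(pageUrl), res = new URL(resourceUrl);
  const sameOrigin = page.origin === res.origin;
  // Simplification: "downgrade" here means https page -> non-https resource.
  const downgrade = page.protocol === 'https:' && res.protocol !== 'https:';
  const full = stripUrl(pageUrl, false), origin = stripUrl(pageUrl, true);
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return origin;
    case 'unsafe-url': return full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Which policies expose the named query parameter to the resource's host?
function leakyPolicies(pageUrl, resourceUrl, param) {
  const secret = new URL(pageUrl).searchParams.get(param);
  return POLICIES.filter((p) => {
    const ref = refererFor(pageUrl, resourceUrl, p);
    return secret !== null && ref !== null &&
      new URL(ref).searchParams.get(param) === secret;
  });
}

const PAGE = 'https://app.example/reset?token=CONSTRUCTED-TOKEN-123#step2';
const SCRIPT = 'https://cdn.thirdparty.example/widget.js';
console.log(leakyPolicies(PAGE, SCRIPT, 'token'));
```

On the sample URL only `no-referrer-when-downgrade` and `unsafe-url` deliver the token to the third-party host; every other policy sends the bare origin or nothing.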