Web browsers provide a broad range of features, with more and more capabilities added with every new version.
Interestingly, some browser functionality is rarely used or needed by websites yet poses substantial security and privacy risks to web users, according to new research by computer scientists at the University of Illinois at Chicago (UIC).
Blocking website access to unnecessary browser functionality would help reduce these risks.
Peter Snyder, a graduate student of computer science at UIC, and his colleagues, Cynthia Taylor and Chris Kanich, wrote a paper on the costs and benefits associated with websites having access to 74 different types of functionality (collectively called the web application programming interface, or web API).
They measured how frequently each of these features is actually used on websites, and how likely each is to pose a risk to security or privacy. Features that were rarely used but risky were flagged as ones that could be blocked to improve security, Snyder explained.
“For example, browsers allow websites to perform low-level graphics calculations,” said Snyder. “We found that this functionality is rarely used on honest websites, but that malicious sites can use it to harm users’ privacy and security.” Allowing all websites to access this feature is “a bad cost-benefit trade-off,” Snyder said.
Other examples of high-risk, low-benefit functionality the researchers uncovered included code that lets browsers detect light levels in a room, perform fine-grained timing operations and perform advanced audio synthesis operations.
In their analysis, the researchers used Firefox as their test browser, since it is the most popular fully open-source browser. Findings from Firefox should generalize to other browsers, Snyder said, because it exposes an almost identical suite of capabilities to other common browsers such as Chrome and Internet Explorer.
“Ultimately we saw that about 25 percent of web API posed high risks to security and privacy and could be blocked without breaking websites,” Snyder said.
By blocking risky functionality, the amount of code a website accesses is also reduced, he said. “The less code you have available through the web API, the safer websites you’ll have.”
Based on their findings, Snyder’s team developed a browser extension that allows users to selectively block browser functionality to improve safety while browsing the web.
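To illustrate the blocking approach the article describes, here is an added example (not the UIC extension's own code) of how a content script running before any page script can disable selected Web API entry points and coarsen a high-resolution timer. It is applied to a constructed stand-in for `window`, so it runs outside a browser; the feature names chosen (WebGL via `getContext`, `AmbientLightSensor`, `AudioContext`, `performance.now`) are assumptions that mirror the categories mentioned above.

```javascript
// Resolve a dotted path such as "HTMLCanvasElement.prototype.getContext"
// to its parent object and final property name; null if any step is missing.
function resolvePath(root, path) {
  const parts = path.split(".");
  let parent = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (parent == null || !(parts[i] in parent)) return null;
    parent = parent[parts[i]];
  }
  const name = parts[parts.length - 1];
  if (parent == null || !(name in parent)) return null;
  return { parent, name };
}

// Replace each listed API with a non-configurable stub that throws, so page
// scripts can neither call it nor quietly restore it. Returns paths blocked;
// features absent in this browser are skipped rather than invented.
function blockFeatures(root, paths) {
  const blocked = [];
  for (const path of paths) {
    const hit = resolvePath(root, path);
    if (!hit) continue;
    const stub = function blockedFeature() {
      throw new TypeError(`${path} is disabled by policy`);
    };
    Object.defineProperty(hit.parent, hit.name, {
      value: stub, writable: false, configurable: false, enumerable: true,
    });
    blocked.push(path);
  }
  return blocked;
}

// Round a high-resolution timer down to `granularityMs` steps: the timer keeps
// working for ordinary pages but loses its fine-grained resolution.
function coarsenTimer(perf, granularityMs) {
  const original = perf.now.bind(perf);
  Object.defineProperty(perf, "now", {
    value: () => Math.floor(original() / granularityMs) * granularityMs,
    writable: false, configurable: false, enumerable: true,
  });
}

// Constructed stand-in for a browser window (not a real DOM), for offline use.
function makeMockWindow() {
  function HTMLCanvasElement() {}
  HTMLCanvasElement.prototype.getContext = (kind) => ({ kind });
  return {
    HTMLCanvasElement,
    AmbientLightSensor: function AmbientLightSensor() {},
    AudioContext: function AudioContext() {},
    performance: { now: () => 1234.5678 },
  };
}
```

In a real extension the same functions would run against the page's `window` from a content script registered at `document_start`, so that the stubs are in place before any site script executes.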