Web page isolation ensures secure access to the Internet, and in its most advanced form it is transparent to the users in terms of appearance, performance and responsiveness

Jason Steer, EMEA CTO Menlo Security explains


How to avoid phishing attacks? The first advice was to avoid responding to e-mails that looked dodgy and were full of spelling and grammatical errors. Then the e-mails became more sophisticated: they looked and read like genuine corporate announcements. So the next defense was to look at the browser’s address bar to check that the loading web page was served over a valid HTTPS site. Now we have Punycode phishing attacks that create fraudulent addresses that appear almost identical to trustworthy ones.

The problem is that computers can process non-Latin alphabets using a huge library of Unicode characters, and some of the different characters look almost identical. For example, the Unicode characters U+0430 and U+0061 both look like a small “a” in a Chrome, Firefox or Opera browser address bar. So even an innocent-looking address like “” might take you to a fraudulent page.
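A defensive check for the lookalike problem described above, as an added example that is not part of the original article: it flags hostname labels that mix scripts, or that collapse onto a protected name once lookalikes are mapped to their Latin twins. The confusables table, the protected names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def scripts_of(label):
    """Scripts used by the letters of a label, approximated by the first word
    of each character's Unicode name (e.g. LATIN, CYRILLIC)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Map known lookalikes to Latin so a spoofed label collides with the real one."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def check_hostname(hostname, protected):
    """Return (label, punycode_form, reason) for each suspicious label."""
    findings = []
    for label in hostname.lower().split("."):
        if label.isascii():
            continue  # pure ASCII cannot contain a Unicode lookalike
        wire = label.encode("idna").decode("ascii")  # the xn-- form DNS resolves
        if len(scripts_of(label)) > 1:
            findings.append((label, wire, "mixed-script"))
        elif skeleton(label) in protected:
            findings.append((label, wire, "whole-script lookalike"))
    return findings

# Constructed samples: Latin "bank", the same word with U+0430 in place of "a",
# and a label written entirely in Cyrillic letters that reads as "pay".
SAMPLES = ["bank.example", "b\u0430nk.example", "\u0440\u0430\u0443.example"]
PROTECTED = {"bank", "pay"}  # hypothetical names an organisation wants to defend

if __name__ == "__main__":
    for host in SAMPLES:
        print(ascii(host), check_hostname(host, PROTECTED))
```
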

Can we protect critical business?

With serious and wide-ranging vulnerabilities such as Punycode and Apache Struts being announced within the past two months, fears are being raised about the extent to which businesses of all kinds now rely on the use of the Internet.

Could the financial sector continue to operate without regular Internet access? Whether it is a quick Google search, keeping up to date with news or financial data, downloading a research paper or checking messages – the web browser is among the most vital applications in any business today. And yet browsers are highly vulnerable. The simple act of loading a malicious web page can compromise a computer or endpoint device so that malware can steal private data, or force an entry point into an organisation’s entire network. In 2015 alone (NIST) over seven hundred new browser vulnerabilities were reported, and Google’s recent report claims that website hacks rose a further 30% between 2015 and 2016 – boosted by the rise of cyber-crime and an ever-increasing range of browser features that attackers can exploit.

So what can you do if your business is utterly dependent on Internet content, and the work is so sensitive that you dare not risk any form of attack, data leak, or compromise? A simple solution would be to make sure that all the data, websites or documents needed are printed out and distributed purely in hard copy format. That way critical staff get full and utterly safe access to the Internet content, without any of the dangerous “active content” that lurks beneath those harmless-looking pages. What is lost is the immediate responsiveness and business agility so necessary today.

A “greener” and more nimble solution could be to save paper by not physically printing but scanning the image of the required pages and securely transmitting a facsimile of those pages to the desktop. If that facsimile could also mimic active links to allow the reader to navigate the pages but without any of the risky stuff going on underneath, this would offer a real, workable solution.

This approach is called “browser isolation”, because it logically and securely separates the real browser getting the content from the end user’s browser, permitting only a “clean” version to reach the end user. But can it be made to work well enough to deliver a good response to the user while maintaining high security and preserving the user experience?

The nature of the risk

Flash and JavaScript are the two best-known forms of active content operating beneath the visible surface of most webpages. While offering a better user experience, the downside is that the same active content can be manipulated by an attacker to gain visibility into the browser’s workings by, for example, detecting memory locations, influencing the layout of data and generating malicious code.

These vulnerabilities are well known, and today’s browsers & operating systems do include built-in defenses against such straightforward browser exploits. But this does not stop more determined attackers from bypassing these defenses with sophisticated, multi-stage attacks. For every layer of built-in defense, there will be someone looking for ways to work around these barriers, and the damage will be done before a new patch can be developed and installed.

Browser isolation takes the radical step of assuming that any page – however innocent it seems or however reputable its source – may become infected. So we should never trust the native web page, but only work with its sterile reproduction. This is an emerging technology that is making rapid strides and is fast catching on with banking and financial organisations, as well as government, military, healthcare and other critical operations.

Its success depends on being able to offer the user as good an experience as an ordinary Internet browser. If it fell short by being slow, lower definition or relatively unresponsive, then productivity would suffer and users would simply risk using the original version. Any change in the appearance or behavior that forced users to change the way they work would be counter-productive: they expect everyday operations such as copy-paste and printing to work just as normal.

Equally, customers want no extra software, hardware or endpoints to manage – preferring their existing desktop browser to surf the web. A clientless cloud solution means that it can be easily and quickly rolled out across the organisation, including personal devices, kept constantly up-to-date and centrally managed without adding to the IT burden.

A progressive approach

How can the above conditions be achieved? We began with the obvious suggestion of either printing the pages or scanning and reproducing them as an image. This inspired an initial approach, called “pixel mirroring”, that treats the page as an array of pixels to be reproduced at the endpoint. The result is a one-size-fits-all approach that makes no allowance for the actual content – whether text, image or video – whereas the hidden active content is specifically designed to improve the user experience by adapting the rendering to suit the content. So pixel mirroring tends to slow down page loading, reduce responsiveness and complicate common operations such as printing and copy-paste.

Some pixel mirroring solutions try to get round these problems by using specialized browsers, plugins and additional software at the end point. This can work for certain business environments, but it means losing the management advantages of a clientless solution.

A better approach must take into account the actual content type and the dynamic manner in which it is represented in the browser – i.e. the “Document Object Model” (DOM). “DOM Mirroring” means that the isolated browser actively monitors the currently loaded page tab for changes, translates those changes into DOM commands (without the underlying active content) and sends those commands to the end user’s device, so the safe page automatically updates in sync with the original. So, for example, instead of sending a Flash video to the end point, the same movie will be sent as crisp, suitable quality HTML5, while non-active safe elements are simply transmitted as they are. All the natively available fonts and images can be safely transmitted to the end user’s browser whilst being sanitized to prevent font and image exploits. The whole page looks, feels and behaves just as it should, but it’s now safe.

But is it secure?

The simplicity of handing out printed pages lay in the fact that hard copy has no underlying technology or hidden software that some very clever hacker might find a way to manipulate. How can we be sure that the DOM Mirrored web page cannot itself become infected? In a sophisticated DOM Mirroring solution there are several layers of defense against this.

Firstly the link between the isolated browser and the endpoint safe page must be secure, and this is protected with high-grade encryption and served by a secure web proxy. Secondly “active content blocking and transcoding” makes sure that all DOM elements are checked against a white list in both the isolated browser and the safe page so that, for example, no on-click attributes or script elements are allowed. At the same time the strictest Content Security Policy reinforces the ban on active content in the safe page. Thirdly “protocol checking and enforcement” places strict limits on the format of all DOM updates so that no channel is left open for probing for vulnerabilities or leaking data.
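The white-list check described above can be sketched as follows. This is an added example, not the vendor's implementation and not code from the original article: it re-emits only allowlisted elements and attributes and records what it dropped. The allowlists, the `mirror` helper and the sample markup are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for this example; the vendor's real lists are not on the page.
ALLOWED_TAGS = {"div", "span", "p", "a", "b", "i", "ul", "li", "h1", "h2", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}
DROP_SUBTREE = {"script", "style", "object", "iframe"}  # discard children too
SAFE_URL_PREFIXES = ("https://", "http://", "/")

class Mirror(HTMLParser):
    """Re-emit only allowlisted elements and attributes; record what was dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            url = (value or "").lower()
            bad_url = name in ("href", "src") and not url.startswith(SAFE_URL_PREFIXES)
            if name not in ALLOWED_ATTRS or bad_url:
                self.dropped.append(f"{tag}@{name}")  # e.g. onclick, javascript: URLs
            else:
                kept += f' {name}="{escape(value or "")}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "img":  # img is void
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def mirror(html_text):  # returns (sanitised markup, list of dropped items)
    parser = Mirror()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample fragment carrying three kinds of active content.
SAMPLE = ('<div class="news" onclick="track()"><h1>Rates</h1><script>track()</script>'
          '<a href="javascript:track()">more</a> '
          '<img src="https://cdn.example/a.png" alt="chart"></div>')
```

Because the output is rebuilt from the allowlist rather than filtered by a blocklist, any element or attribute the lists do not name is dropped by default.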

Finally there is the risk that the isolated browser might become deliberately infected in some manner that would allow it to generate or pass on a malware attack to the safe page. Because this is theoretically possible, the best DOM mirroring solution will constantly rebuild its isolated browsers and destroy old ones. As one user put it: “like being given a brand new laptop every time you go to a new website”.

A vision or a reality?

The idea behind browser isolation is as clear to most people as the idea of only working from printed paper. What they find hard to believe is that it could be possible to mirror the browsing experience securely in real time without affecting the user experience – surely there must be a performance penalty?

The only sure answer is to try it and see for oneself, and the response has been uniformly positive – notably in the highly critical and time-conscious financial sector. The latest DOM mirroring isolation platform was itself developed in collaboration with JPMorgan Chase & Co., so that its features and capabilities were from the start developed with financial services in mind. According to their Chief Information Security Officer, Rohan Amin, the platform was deployed “with zero impact to users, providing a seamless user experience for our employees”.

In just two years the same DOM mirroring isolation technology has been successfully adopted by organisations in other critical sectors, including government, technology, healthcare, oil and gas, and it is already supported by teams in the United States, UK, Germany, Japan, Singapore and Australia to meet the growing demand.

The common factor among all the early adopters has been the need for constant Internet access, combined with serious concern about the attendant risks. They find that a cloud-based isolation service is easily and quickly deployed, without any disruption of normal working patterns. The user response has been overwhelmingly positive, and the reduction in risk is boosting both morale and productivity.

Punycode phishing could even fool a trained typographer – but DOM mirroring would automatically remove its sting.

Jason Steer Solutions Architect – EMEA

Jason is an engineer at heart and has built and broken computers and networks since 1996. Jason has worked at a number of successful technology companies over the past 15 years, including IronPort, Veracode & FireEye. Jason has worked as a cyber-expert with CNN, Al Jazeera & BBC and has worked with the EU and UK Government on Cyber Security Strategy. Jason has spoken at numerous industry events such as ENISE. You can follow Jason @verylongbloke on Twitter.
