It has been a little more than 35 years since the world’s first website went online. In the decades that followed, websites evolved from static pages into interactive web designs. Security was, if anything, an afterthought—a feast for cybercriminals. That’s why, for several years now, web developers have been using so-called security headers to provide browsers with explicit security instructions. In the early days, how well—or whether at all—these instructions were implemented depended heavily on the browser being used. The good news: A systematic study by CISPA researcher Jannis Rautenstrauch and colleagues shows that browsers today behave far more consistently than they used to. To uncover deviations and further improve security for website visitors, the researchers developed a testing tool that they have made available as open source. Their paper “Head(er)s Up! Detecting Security Header Inconsistencies in Browsers” was presented at the ACM Conference on Computer and Communications Security (CCS).
Web security is not a fixed state but, in many respects, a negotiation process between server and browser. Browsers retrieve a website from one or multiple servers and assemble its various components—such as images, fonts, or JavaScript files—into the familiar web view we see. “In this process, they constantly make security decisions,” explains Rautenstrauch.
What Do Security Headers Specify?
Website operators can use security headers to send specific security instructions to the browser. For example, a website can tell the browser: “Only execute code that originates from me,” “Do not allow my page to be embedded in other pages,” or “Only load images from these sources….” This can prevent or hinder widespread web attacks such as clickjacking and cross-site scripting. “Over the years, more and more security headers have been added, each with its own syntax and specific rules. As a result, their correct implementation remains a complex task for both browser and website developers,” says Rautenstrauch. In practice, small typos, extra whitespace, or other deviations in the instructions occur repeatedly—issues that browsers somehow have to deal with.
Scope: More than 170,000 automated tests with common browsers
Result: Inconsistent browser behavior identified in around 3 percent of cases, with previously unknown causes
Impact: Bug reports submitted to browser manufacturers and specification bodies, contributing to improved web security
Open Source: Own testing tool developed and released
How Do Browsers Implement Security Instructions, and What Did the Researchers Test?
A central component of the browser is the parser. This is a program that converts security headers, HTML, CSS, or JavaScript code into a data structure the browser can understand. “Browsers may look different, but they often share the same technical core, which includes the parser. 97 percent of commonly used browsers are based on just three different engines: Blink, for example, in Chrome, Edge, and Opera, Gecko in Firefox and Tor, and WebKit in Safari,” says Rautenstrauch. The researchers therefore carried out 177,146 tests systematically across the most widely used browsers. “We tested the 16 most security-relevant headers across different browser configurations. In 5,606 tests—that is, 3.16 percent of cases—different browsers behaved inconsistently,” explains Rautenstrauch. “That’s not a disaster, but we discovered various causes, some of them previously unknown, and sent bug reports to browser manufacturers and the specification bodies for security headers. This has already led to fixes and thus improves security for website visitors.”
Regular Testing Leads to Better Results
The results also show that differences between browsers and browser versions within the same browser engine are rare, whereas deviations between the three main browser engines—Blink, Gecko, and WebKit—occur more frequently. “This means that security headers are not always parsed and enforced consistently yet, but they are increasingly so.” The researchers did, however, find frequent differences in browser behavior for one particular security header: HSTS, short for HTTP Strict Transport Security. “HSTS instructs browsers to load a website exclusively over a secure HTTPS connection and to block insecure HTTP connections. The reason for the large number of deviations is obvious: Unlike other headers, there are no systematic tests for this header across different browsers. That should change.”
Testing Tool Uncovers Edge Cases
Rautenstrauch and his research colleagues are making their testing tool available as open source so that browser vendors can use it. “Unfortunately, many browser vendors are reluctant to permanently integrate our testing tool into their development chain, because developers still have to manually check, in cases of inconsistent behavior, whether a bug needs to be fixed and how it arises. Yet, our work shows that regular testing is worthwhile.”
