Secure by Default: From Prometheus to Chrome
A twisted take through the tales of our Grandfathers
In today's digital wonderland, we're swimming in a sea of 'free' products. It's like a magical realm where you blink, and there's another app or service promising to change your life for the price of:
Absolutely Nothing
We're talking about everything from search engines to browsers to operating systems to office suites, you name it, and it's probably free. It's like a never-ending buffet of tech goodness, and we've all got a front-row seat.
The only concern with these “free” tech tools is how secure they are for the everyday user. What are the implications for the tool “producer” and “consumer” in the long run? Let’s start with a little story from Greek mythology.
Prometheus and the fire
In the legendary tale, Prometheus is said to have defied the gods by slipping humanity the ultimate gift: fire.
Fire brought heaps of benefits, like warmth, cooking, and civilization itself. But let's not overlook the fact that it came with a hefty side of risk too. Kind of like giving a toddler a flamethrower and hoping for the best.
Impact of “Giving” fire to humanity
For Prometheus: he got strapped to a rock while an eagle dined on his liver daily. And because he was immortal, his liver grew back each night, ensuring a never-ending cycle of agony and snack time for the eagle.
For Humanity: fire has caused a fair bit of harm in human history, from erupting volcanoes to burning cities.
Nuggets of wisdom
Although this is a mythological story, the interpretation for us is:
There are implications for both the “Giver” and the “Consumer” in any exchange of goods or services.
The importance of “Duty of Care”
The important takeaway here is that even when we provide tools/services for free, we have to practice “Duty of Care”.
What is “Duty of Care”
Duty of care obligates the provider/producer/giver to ensure that the goods or services provided do not cause harm to the receiver. Of course it is difficult to practice all the time, but the good folks at CISA have come up with a set of recommendations to make “duty of care” achievable. Those are:
Secure by Design
Secure by Default
We will talk about “Secure by Default” in this article.
What is “Secure by Default”?
Any knowledge, tool, technology, or organization MUST be designed to offer security by default for its stakeholders and end-users, without requiring further modification.
Put simply, when we download and use an Internet browser like Chrome, Firefox, or IE, the tool's maker (Google, Mozilla, Microsoft, etc.) MUST configure it to provide adequate security for the end-user without necessitating any additional setup.
In essence, a secure configuration should serve as the default baseline. Products should automatically activate the most crucial security controls required to safeguard both end-users and enterprises.
The intricacies of security configuration should not burden customers or users.
Who is behind the “Secure by Default” initiative?
This initiative is a partnership involving several international agencies from different countries across continents. Participants include the US, Canada, UK, Germany, Netherlands, Norway, Korea, NZ, Israel, Japan, Singapore, and others.
Secure by Default: Recommendations
Eliminate “Default” secrets
Single Sign On
Secure Logging/Monitoring
Secure Authorization Profile/Templates
Track/Reduce Hardening Guides | Better to use “Loosening” guides
Balance User Experience and Security Wisely
Study: Chrome Secure by Default Readiness
We will use Chrome, the browser heavyweight with 67% of the market wrapped around its little finger, as a sample to understand the concepts mentioned above. Chrome does claim “Secure by Default” on its product page. Let’s dive into evaluating its “readiness” on this front.
Eliminate “Default” secrets
Chrome does store passwords securely in encrypted form. So it gets a +1 on this front.
We took a stroll down Chrome's not-so-secret flags lane and peeked behind the curtain at chrome://flags/. For us, it honestly felt like diving headfirst into a bowl of alphabet soup! Flags were about as clear as mud.
We believe additional clarity could enhance trust significantly. Specifically, the 'Default' setting often leaves users uncertain about its implication, whether it signifies 'Enabled' or 'Disabled.' Providing more explicit guidance or descriptions could help ensure users make informed choices without needing to rely on assumptions.
We are going to give a “No” for Chrome on this one. Sorry Chrome!
Single Sign On
Not applicable
Secure Logging/Monitoring
Chrome does support Secure Logging/Monitoring capability using “Chrome Events”. We are going to give a “Yes” for this one for Chrome.
Secure Authorization Profile/Templates
Chrome does have the following templates premade and configurable with a click of a button!
Stealth/Incognito mode
Safe-Browsing Security Setting with options like
Enhanced Protection
Standard Protection
No protection (not sure why)
We could give a “Yes” for Chrome on this one too.
Note: during our research on Chrome we bumped into the fact that, for the Standard Protection template, HTTPS browsing was disabled by default. We would have preferred it otherwise.
Track/Reduce Hardening Guides | Better to use “Loosening” guides
Chrome is more into the whole "Security Hardening" strategy than the "Loosening guide" strategy. It would be nice to flip the script and have a "Loosening Guide" instead of a "Hardening Guide". We are going to give a “No” for Chrome on this one. Sorry again Chrome.
Balance User Experience and Security Wisely
We do have some thoughts on this front, but we are going to “suppress” them and give a big “Yes” to Chrome on this one.
Conclusion
Considering Chrome's commitment to being 'Secure by Default' as outlined on its product page, it might be constructive to publish a measurement/score against a checklist/criteria showing the validation of this commitment. It MAY enhance trust and security with end users.
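To make the “Loosening Guide” idea from the Track/Reduce Hardening Guides section and the checklist score suggested in the conclusion concrete, here is an added example (not code from the original post, and not Google's or Chrome's own tooling). It treats a secure configuration as the baseline, reads a managed-policy JSON file as a list of explicit deviations, scores the result, and renders the deviations as a loosening guide. The four policy keys are real Chrome enterprise policy names; the baseline values, the set of acceptable loosenings and the weights are this example's own assumptions, chosen to mirror the checklist above (Safe Browsing level, always-use-HTTPS, encrypted password store, Incognito availability). It generalizes the post's yes/no verdicts into a weighted score.

```python
"""Score a Chrome managed-policy file against a secure-default baseline.

Added example, not code from the original post or from Google/Chrome.
The four policy keys are real Chrome enterprise policy names; the baseline
values, the acceptable loosenings and the weights are this example's own
assumptions, modelled on the checklist in the post.
"""
import json

# Secure-default baseline (assumed): what a browser should ship with, so that
# a deployment records only its deviations ("loosenings") instead of working
# through a hardening guide.
BASELINE = {
    "SafeBrowsingProtectionLevel": 2,   # 2 = Enhanced, 1 = Standard, 0 = No protection
    "HttpsOnlyMode": "force_enabled",   # always use secure connections
    "PasswordManagerEnabled": True,     # credentials kept in the encrypted store
    "IncognitoModeAvailability": 0,     # 0 = available, 1 = disabled, 2 = forced
}

# Loosenings that keep a setting within an acceptable band (assumed).
ACCEPTABLE = {
    "SafeBrowsingProtectionLevel": {1, 2},
    "HttpsOnlyMode": {"force_enabled", "force_balanced_enabled"},
    "PasswordManagerEnabled": {True},
    "IncognitoModeAvailability": {0, 2},
}

# Points each setting contributes to the readiness score (assumed weights).
WEIGHT = {
    "SafeBrowsingProtectionLevel": 3,
    "HttpsOnlyMode": 2,
    "PasswordManagerEnabled": 2,
    "IncognitoModeAvailability": 1,
}


def effective_settings(policy):
    """Unset keys fall back to the baseline: that is what secure-by-default
    means, so only explicit loosenings need to appear in the policy file."""
    return {key: policy.get(key, default) for key, default in BASELINE.items()}


def evaluate(policy_json):
    """Return the score, the maximum and every deviation from the baseline."""
    policy = json.loads(policy_json)
    deviations = []
    lost = 0
    for key, value in effective_settings(policy).items():
        if value == BASELINE[key]:
            continue
        # Lists/objects are never valid for these scalar policies; treat them
        # as an unacceptable deviation instead of crashing on an unhashable.
        ok = isinstance(value, (bool, int, str)) and value in ACCEPTABLE[key]
        deviations.append({"setting": key, "value": value,
                           "baseline": BASELINE[key], "acceptable": ok})
        if not ok:
            lost += WEIGHT[key]
    total = sum(WEIGHT.values())
    return {"score": total - lost, "max": total, "deviations": deviations}


def loosening_guide(result):
    """Render the deviations as a 'loosening guide': one line per setting
    that differs from the secure default, with its verdict."""
    lines = []
    for d in result["deviations"]:
        verdict = "acceptable loosening" if d["acceptable"] else "FAILS baseline"
        lines.append(f"{d['setting']}: {d['value']!r} "
                     f"(baseline {d['baseline']!r}) - {verdict}")
    return lines


# Constructed sample policy: Standard instead of Enhanced protection, and the
# HTTPS-only mode left for the user to decide, mirroring the post's complaint.
SAMPLE_POLICY = json.dumps({
    "SafeBrowsingProtectionLevel": 1,
    "HttpsOnlyMode": "allowed",
    "PasswordManagerEnabled": True,
})

if __name__ == "__main__":
    result = evaluate(SAMPLE_POLICY)
    print(f"readiness score: {result['score']}/{result['max']}")
    for line in loosening_guide(result):
        print("  " + line)
```

Because unset keys inherit the baseline, an empty policy file scores full marks and the guide is empty; every line the guide does print is a decision someone made to weaken a default, which is exactly the record a loosening guide is meant to keep.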