Blog‎ > ‎

Browser session (tab) isolation for security

posted Nov 30, 2013, 2:22 AM by Sami Lehtinen   [ updated Nov 30, 2013, 2:40 AM ]
I would prefer to have a browser with improved security model. Current browsers seem to share data between tabs and sessions. It makes request forgery attacks much easier among causing other security and privacy issues. When ever I open tab, I should be able to select if it's independent (clean) tab or if it's globally shared or forked (shared) tab. What's the difference between these choices?

Global tab would use global cookies, data store etc. So it would work as browsers now work.

If I then launch independent clean tab, it should be tab that behaves just like I would have started new private browsing (incognito) session. If I then want to open something in new tab sharing this session this far, I could open new page in new tab which would share data with previous tab just as browsers normally operate.

Tab colors could be used to make it clear which tab is sharing what sessions.

Why all this trouble? Well, I could have G+ open in one tab, Google sites in another tab, Gmail in one tab, Facebook ... But data wouldn't be shared between different services. As far as I can see, this approach would tremendously improve privacy and somewhat improve security. With this solution there would't be any reason to block 3rd party cookies. 

Of course if this approach is taken to the max, any data can't be shared between tabs. Otherwise there would be easy ways to recognize users even when they're using these secure tabs.

If you have have any thoughts about this, just let me know.

Just as with Tails, if you want to do something so it's not linked to other actions you do, it's basically best to restart whole computer between things you do, to get rid of all session identifiers.

P.S. I just hate Firefox because it doesn't allow running using multiple (private mode) parallel instances. It would partially solve this problem. Btw. Also Chrome fails this simple security test. Other browsers I didn't even bother to check.