roger_grimes
Columnist

Browser security review in review

Analysis
Oct 10, 2008 | 6 mins
Data and Information Security, Security

Who needs security software that protects Web browser sessions, but allows malware to invade the host?

Vendors never like it when their products don’t get good reviews. This normal reaction held true with my latest product roundup, a review of limited-emulation, “sandbox” products designed to protect browser users from Web-based malware. Authentium called and wrote several times regarding my evaluation of their SafeCentral product, which I gave a rating of Poor.

I noted many substantive issues, but the biggest was that SafeCentral allowed malware, even in a protected browser session, to infect the underlying host computer. Authentium agreed with my assessment (on that key point), but argued that I was judging the product against a level of protection that it was never intended to provide, and based on that point, my review was unfair. Authentium classifies their product as a “reverse sandbox,” and stated that they assume all computers are infected, and therefore concentrate their effort on keeping SafeCentral-secured browser sessions safe from potential malware and DNS interactions.

Normally, I dismiss comments like these as the typical complaints of vendors disappointed in the outcome, but Authentium had a valid point. InfoWorld’s editors and I felt it appropriate to publish their official statement here:

Dear Editor,

Your recent Test Center article, “Sandbox security versus the evil Web,” incorrectly characterized Authentium’s SafeCentral as a “sandbox.” As a result, SafeCentral was improperly compared to products that use sandboxing.

Sandboxing is a term of industry with a specific meaning among anti-malware developers, vendors, consultants, and analysts. It describes an unambiguous approach to security which Authentium’s SafeCentral does not use. SafeCentral uses a technology known as “reverse sandboxing.” In terms of security, there’s a world of difference between sandboxing and reverse sandboxing:

Sandboxing tries to stop malware from being installed on a computer. Reverse sandboxing, pioneered by SafeCentral, assumes the computer is already infected or will soon be infected, yet still delivers secure Web sessions.

By definition, reverse sandboxing does not prevent malware from getting into a system, nor does it try to prevent malware from coming in. There are dozens of antivirus, firewall, and Internet security suite products to fill that role. We recommend users maintain updated versions of such security tools on their systems.

SafeCentral’s role is to stop malware that slips past all other security measures, as part of a comprehensive approach to end-point security. Again, we assume the user’s PC is already infected, yet still deliver secure Web sessions by stopping any and all malware from operating.

It’s clear to see that SafeCentral does not belong in a roundup of sandboxing products that are designed to keep malware off computers, and should instead be compared to any products that claim to deliver secure online Web sessions on PCs already crawling with malware.

We are confident your testers will find what other testers have concluded: Malware on your computer is neutralized when SafeCentral is protecting the user’s Web session. For the benefit of your readers, here are some links to technical papers and articles that cover SafeCentral in the proper context:

Reverse Sandbox

Introductory WhitePaper

SafeCentral.com

Doug Brunt, President & CEO, Authentium, Inc.

In defense of my review

The use of the term “sandbox” to classify the products in the review was just a generic descriptor to describe products that attempt to keep computers or browser sessions separated from each other to prevent malware infection. We considered many other summary descriptions, including “limited-emulation products,” “browser protection products,” and “red/green state protection products.” In the end, we went with the term “sandbox” because it was the most frequent descriptor given by the vendors themselves, and because it would probably be the most recognizable term by readers for these types of products. In the end, the label used to describe these products isn’t as important as the protection they provide. We don’t see the sandbox-versus-reverse-sandbox argument as a particularly strong one from our point of view.

Also, I evaluated all products compared to their marketing. Authentium does use the term “reverse sandbox” on its Web site, where the company also describes how SafeCentral works. But I wonder if a majority of readers could read that description and come away with the knowledge that SafeCentral only protects data within the secured browser session, and only while in a secured browser session. As Authentium’s site puts it, “SafeCentral’s innovative ‘Reverse Sandbox’ approach protects your data even if your PC has been compromised.”

Because SafeCentral doesn’t stop your PC from getting or remaining infected, it is allowing malware to take complete control of your PC and its data outside of the secured browser session. Most malware programs today are “downloaders,” small programs that gain a foothold and then download larger, more sophisticated programs, which in turn allow intruders to remote in using a backdoor. With that in mind, merely protecting a browser session doesn’t seem overly useful to me. It’s like installing a home alarm system designed only to prevent an intruder from coming in the front door and calling it a complete success if the house is robbed through the window.

Apart from the security issues, SafeCentral is rough around the edges. I did mention in the review that SafeCentral doesn’t support Internet Explorer (a big oversight, considering IE is the world’s most used browser) and has an overly complicated install. But due to space limitations I didn’t describe SafeCentral’s error-filled user interface.

For example, during the initial install, SafeCentral tells the user to “click here” to launch the program. But instead of “here” being an active launch area, it is only a picture of the launch area (unbeknownst to the frustrated user, who clicks it over and over without success). In three separate installs, the product’s own reporting tool gave me inaccurate status reports all three times. Further, two of the three times (separate computers, separate locations) the product refused to install all the requested modules or gave conflicting reports on whether the modules were already installed. Authentium confirmed all these points and said they had been previously reported by other customers.

So my overall opinion still stands. SafeCentral may protect you during a secured browser session, but if it doesn’t protect your underlying computer, even from things originating within the secured browser session, its usefulness is sorely limited.

But that’s just my opinion. Readers, what do you think? How useful would this “reverse sandbox” product be to you? What if it were not a stand-alone solution, but a component of a traditional anti-malware defense suite? Would it seem more useful then? Let me know, and we’ll see about publishing some of your responses in a future column.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
