A new solution to the age-old challenge of web filtering

Scott Montgomery

A new solution to the age-old challenge of web filtering

Sometimes changing one thing changes everything.
This may sound pithy, but there’s a healthy dose of truth to it. Just ask any of the social media companies who had to completely reimagine their products to adapt to the smartphone era. (Yes, we had social media before the smartphone!) For that matter, ask Canon or Nikon how their DSLR business changed when smartphones put software-enhanced digital cameras in the pocket of billions of people.

The five most popular cameras by users in the Flickr photo-sharing community are all iPhones.

The web security industry is no different. To understand the opportunity of the moment, let’s first look back at where we started: 

First the earth cooled. Then the dinosaurs came. Then people determined that the Internet was a bit dangerous. 

What followed was a period of problem identification, solution, lawsuits, and legislation. Advocates of web filtering were concerned particularly about public libraries, which was where many people, school-age children included, had their only access to the internet. Was filtering limiting free speech? Was the ability to filter pornography from libraries to protect children a Constitutional issue? Lawsuits did ensue, and ultimately Congress stepped in, passing the landmark 2000 Children’s Internet Protection Act, or CIPA. At the time, the dominant browsers were Navigator from Netscape, and Microsoft’s Internet Explorer. Both were designed for consumers to access the bold new landscape of the World Wide Web. 

Around the same time, the market for personal web filtering formed with companies like NetNanny and CyberPatrol running locally on a user’s computer, trying to sort out whether the user was browsing to pornography or how to conduct a breast self-examination – with sometimes underwhelming results. Companies too weighed in as employees often used the higher bandwidth at work to look at content they couldn’t see as easily at home. Vendors for this side of the market included Websense and Secure Computing, selling URL filtering often bundled with caching tools or firewalls. 

In each case, the filtering technology continued to evolve and added tools like categorization, reputation, dynamic DNS searching, geo-location, and a host of additional features to try and keep up. As time marched on, both consumers and enterprise organizations began to insist upon encryption of browser-borne traffic, leading to the standardization of the use of SSL and ultimately TLS. The use cases that began with ecommerce purchases quickly evolved to begin encrypting PII and PHI in transit. Eventually web sites standardized on HTTPS as a best practice.

Web filtering had to catch up too, adding ‘break and inspect’ techniques – what amounts to an  ‘authorized’ man-in-the-middle attack on encrypted web traffic. This allows the filter to determine whether the outbound request was acceptable by policy from the URL filtering standpoint and whether the reply data had malware or unacceptable content in it. As organizational data started to have a dollar value outside of the organization to cybercriminals and state-sponsored adversaries, it became necessary to break and inspect to determine whether valuable data was being inadvertently or maliciously leaked. A variety of network and cloud-based data loss prevention (DLP) suites were attached or involved to the practice of web filtering. 

Eventually, users and companies began to want to utilize software-as-a-service, storage, and a variety of other tools that were hosted in the cloud, requiring even more new categories for filtering and protections. Billions and billions of dollars are spent each year on increasingly complex host, network, and cloud security controls. Why?

Because the browser is still designed for consumers, on a personal device, connecting from a home network. None of these complex security operations are performed where they should be — the browser — where the encryption handshake between client and server occurs.

What tool should know whether or not the requested URL agrees with organizational policy? The browser.

What tool should determine if the reply data has malware or other harmful content? The browser.

What tool should identify whether an uploaded file is a violation of company policy because of the destination, data contents, or other characteristics? The browser.

What tool spans across all of the devices a user might have or want to use whether a laptop, tablet, or smartphone? The browser.

And yet, what consumer browser allows policies to be centrally managed to create and enforce these protections without spending millions of dollars on other tools that literally require a technique that we would otherwise classify as a malicious man-in-the-middle attack? None.

Which browser should you consider as part of your modern toolset to increase productivity, improve user experience, and reduce complexity without sacrificing security controls? 

Island. The Enterprise Browser. Sometimes changing one thing changes everything.