OK re per-contact-site isolation.... Now, demote "kernel" to "services" and look to hypervisor+qrexec as the actual kernel.
Conversation
There are implementations of fine-grained isolation within applications using different mechanisms than OS sandboxing. Architecture-level virtualization is one possible approach and has pros / cons, as do other approaches like a higher-level virtual machine, etc.
1
1
The isolation between sites in a browser or contacts in a messaging app are good examples of existing fine-grained trust boundaries to reinforce. There are a lot of other examples and reinforcing those can improve security for a billion users with no more work on their part.
2
IDK if that's literally true. The move to https was itself a form of site isolation & industry was tinkering with hiding URLs altogether when they did about-face out of necessity. We might not have Chrome internal isolation today if not for trend reinforcing site identity in UI.
3
Representation of https became weaker (location semantics "scare" users!) in browser UIs before they became stronger. Location bar became explicitly a part of security context, lock icons returned, plus EV certs and domain highlighting.
1
You sound like me 12 years ago. ๐ Seriously, https (and EV) are valuable for some threat models. And they can be subverted. My mention of them was not intended to promote them as "only identity that ever worked", etc. Its just an example of isolation in the UI.
1
HTTPS is obviously valuable. EV doesn't accomplish the intended purpose because company names aren't unique and positive security indicators are near universally ignored by users. If a user doesn't change their behavior based on it being missing, it accomplishes nothing.
1
Twitter uses EV which generally shows up as "Twitter, Inc. [US]". It's possible to register another company in a different state with the same identity. It would need to show state to be unique. No significant portion of users will notice EV is missing or act differently anyway.
1
Chrome is removing the positive security indicators and other browsers are likely to follow: blog.chromium.org/2018/05/evolvi. It doesn't actually work properly.
EV is already not shown on mobile. iOS recently stopped because what they did was actively harmful: troyhunt.com/extended-valid.
1
Chrome on Android never showed EV in the first place. Positive security indicators are misleading (the connection from browser to an end point is secured, not the site) and the expectation that people notice absence of a security indicator is a backwards way to do it.
The browser can accurately say "not secure" but marking phishing sites as "secure" due to using HTTPS is not exactly helpful. EV can also be harmful because it doesn't match expectations: typewritten.net/writer/ev-phis. Someone can get a VALID "Twitter, Inc. [US]" EV certificate.