Homogeneity and Concentration in the Browser

Web browsers are the gateway to the internet. As browser developers replicate design features and concentrate around shared underlying technologies, they create cybersecurity risks with the potential to impact many internet users at once.

Homogeneity and Concentration in the Browser

Share this story
THE FOCUS

Web browsers serve as the gateway to the internet, offering users the ability to easily access and navigate information online. Whether operating on a desktop computer or a smartphone, the core task of a browser is simple: locate, retrieve, and display web pages and their contents. For many people, the browser-rendered interface—complete with an address bar, tabs, and a bookmark menu—is synonymous with the internet itself.

Browsers routinely retrieve information from a wide array of sites, many of which are unsecure or unvetted, creating inherent security risks to their operation. Browser security is of utmost importance because people rely on browsers to be able to connect to the internet and its myriad services. If a major browser ceased to function, millions of people would be unable to access email, search engines, online banking, social media, and many other services and content. Yet, browser security is complex and often insufficiently discussed.

Cybersecurity flaws can enable attackers to steal information stored within the browser, such as session cookies that provide access to online accounts where a user is automatically logged in. More dangerous software flaws can potentially allow an attacker to escape the browser and directly access the device running the software, whether it be a personal smartphone or a company workstation. While no consumer-facing technologies will ever be perfectly secure, browsers’ ubiquity and importance make them attractive targets for hackers looking to reach a wide swathe of potential targets. Even more strikingly, due to a highly concentrated browser market, attackers need only target a few select software programs to maximize their impact.

When users are tasked with downloading a web browser—or are provided a pre-installed browser on their device—there are not many options to choose from. Due to a variety of factors, the world’s most popular browsers are manufactured by a small group of companies. Google’s Chrome dominates the browser market, representing more than half of users worldwide.1“Top Browsers Market Share,” similarweb.com, accessed August 3, 2023, https://www.similarweb.com/browsers/. Apple’s Safari ranks second, with a quarter of users. Other browsers, such as Microsoft’s Edge and Mozilla’s Firefox, each account for less than 6 percent of users.

On top of this market concentration, browsers are also relatively homogeneous in their technical designs. Each browser must integrate with languages and technologies that make up web pages, creating design pressures that move them toward certain shared technologies and, thus, shared risk. Furthermore, when a new feature or design element of one browser is successful, there is a tendency for other browser developers to replicate it to remain competitive. Features that were once a company’s unique innovation, like browser extensions, often become standard across the industry, generalizing both their security advantages2Lily Hay Newman, “Even the NSA and the CIA Use Ad Blockers to Stay Safe Online,” Wired, September 25, 2021, https://www.wired.com/story/security-roundup-even-cia-nsa-use-ad-blockers/. and disadvantagesRavie Lakshmanan, “Malicious Browser Extensions Targeted Over a Million Users So Far This Year,” The Hacker News, August 17, 2022, https://thehackernews.com/2022/08/malicious-browser-extensions-targeted.html across the ecosystem. While user interface design choices are the most visible to consumers, design homogeneity also exists in the foundational technologies that enable browsers to work. For example, Google Chrome’s functionality is built on Chromium, a free and open-source software project. Given Chromium’s high performance and ease of use, a range of other browsers including Microsoft Edge, Opera, and Yandex Browser have also adopted it. Whether a user is browsing the web on Chrome or another platform, there is a high probability that Chromium is operating behind the scenes, leading to a worldwide web-browsing ecosystem that is heavily dependent on the standards and architectural norms of a singular company, Google, which maintains the project.

This homogeneity in browsers—where consumers only use a few products, each of which are powered by shared or similar technologies—means that sources of insecurity can impact many users at once. The fact that browsers are one of the most-used consumer-facing technologies makes this systemic set of security problems significant.

Homogeneity, Concentration, and Risk

Homogenous design can have both positive and negative implications for browser security and cyber risk. For example, design homogeneity can increase the pressure for new entrants or outlier competitors to adopt others’ positive security features—for example, many browsers now insert a logo beside the URL bar to indicate that a website connection is HTTPS encrypted. New entrants, to make their product familiar to users, are likely to mimic the feature, which subsequently lets new users of that browser easily understand how to spot an insecure connection. Browser developers would certainly also argue that their greater market share enables greater investments in security because they have the resources to maintain large and well-resourced security teams. If there were hundreds of browsers that each controlled a small percentage of the browser market, each browser company might have a smaller budget for security and less technical expertise at its disposal.

Simultaneously, homogeneity in browser usage and design can concentrate risk. Single point-of-failure risk in the cybersecurity market is not a new idea. For example, when the Meltdown CPU vulnerability was discovered in 2018, millions of devices were exposed because they all used Intel CPUs, or central processing units.3Thomas Brewster, “Massive Intel Vulnerabilities Just Landed — And Every PC User On The Planet May Need To Update,” Forbes, January 3, 2018, https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/?sh=664492163932. Daniel Geer and colleagues’ 2003 paper, “CyberInSecurity: The Cost of Monopoly” was a foundational work on this issue, looking at product monoculture, Microsoft’s market dominance, and the resulting effects on cybersecurity and national security.4Dan Geer et al., CyberInSecurity: The Cost of Monopoly, Computer & Communications Industry Association, September 2003, http://www.ccianet.org/wp-content/uploads/2003/09/cyberinsecurity%20the%20cost%20of%20monopoly.pdf. Because most computers at the time ran Microsoft Windows, the authors argued, “most of the world’s computers [were] vulnerable to the same viruses and worms at the same time.”5Greer et al., 2003 Microsoft, they continued, made this worse by locking users into its platform through network effects (like the power of owning Microsoft Word) and making it difficult to exchange data, documents, and other information outside the Microsoft product ecosystem.6Greer et al., 2003 The result, Geer and coauthors wrote, was a “monoculture of networked computers” that were “a convenient and susceptible reservoir of platforms from which to launch attacks” that can cascade to other parts of the ecosystem.7Greer et al., 2003 Governments should intervene to “blunt the monoculture risk,” enforce diversity of platforms, and “reap a side benefit of increased market reliance on interoperability” instead of product lock-in.8Greer et al., 2003

Bruce Schneier, one of the coauthors, wrote a follow-up essay in 2010—responding to criticism from computer security researcher Marcus Ranum who said, while he agreed with many of the study’s conclusions, the use of “monoculture” was “distorting the truth by using an analogy.”9Marcus Ranum, “The Monoculture Hype,” ranum.com, accessed September 26, 2022, http://www.ranum.com/security/computer_security/editorials/monoculture-hype/index.html No monoculture exists, Ranum wrote, when so many different firewall rules, software patch levels, browser settings, and other factors inform a device’s security alongside the use of a particular platform like Microsoft Windows.10Ranum, 2022 Some of the debate focused on the analogy of a monoculture, in the biological sense of the word, and Schneier said there were flaws in the monoculture analysis, such as downplaying the costs of maintaining security in the face of product diversity.11Bruce Schneier, “Software Monoculture,” Schneier on Security, December 1, 2020, https://www.schneier.com/blog/archives/2010/12/software_monocu.html Schneier also reiterated that “if everyone is using the same operating system or the same applications software or the same networking protocol, and a security vulnerability is discovered in that operating system or software or protocol, a single exploit can affect everyone.”12Schneier, 2020 Whether “monoculture” was the right analogy or not, the discussion around it underscored concern about vulnerabilities in a single, dominant product cascading widely.

Mozilla published a paper in September 2022 related to this notion of market dominance leading to internet risk—broadened beyond just one company. It noted there are “only three main browser engine providers left,” Google, Apple, and Mozilla, but “Apple’s engine only runs on Apple devices.”13Gemma Petrie, Mika Shah, Kush Amlani, Five Walled Gardens: Why Browsers are Essential to the Internet and How Operating Systems are Holding Them Back, Mozilla, September 2022, https://research.mozilla.org/browser-competition/5wg/ Without Mozilla, it said, Google would be the only device-agnostic provider available, creating a single point of failure in the ecosystem.14Petrie, Shah, and Amlani, 2022 The study argued that when operating systems load their proprietary browsers onto their devices (like Apple with Safari), it harms consumers in several ways: limiting consumers’ choices; lowering product quality (because companies need not compete on quality, but instead only leverage their dominance); decreasing innovation (as disruptive competitors struggle to get foothold); harming privacy; and forcing consumers into unfair contracts.15Petrie, Shah, and Amlani, 2022 Put simply, “without browser diversity, a single company’s influence can shape the internet.”16Petrie, Shah, and Amlani, 2022 This statement could be modified to emphasize that without product diversity in the browser vertical, only a few companies can drive security decisions for billions of internet users.

The point is not that people should use less popular products under the assumption that they are less frequently attacked.17Roger A. Grimes, “Don’t fall for the monoculture myth,” CSO Online, April 24, 2009, https://www.csoonline.com/article/2632142/don-t-fall-for-the-monoculture-myth.html Instead, it is that companies that dominate a product vertical impact many people with their security decisions. That comes with a certain leverage over the online ecosystem. Said companies also pose a risk of a cascading security event, where a vulnerability in just one product is discovered and exploited to impact millions of people at once.

If multiple companies converge around the same product design—which we call design homogeneity—products created by different manufacturers can have many design and technical similarities. Then, these products can replicate faulty design decisions or vulnerabilities across the internet ecosystem. As Dan Geer put it, “when deployment is wide enough, it takes on the misfeatures of monoculture18Dan Geer, “Heartbleed as Metaphor,” Lawfare, April 21, 2014, https://www.lawfaremedia.org/article/heartbleed-metaphor The HeartBleed vulnerability in 2014 underscored this problem. It was a significant flaw in the OpenSSL encryption technology deployed widely across websites; attackers could exploit that single flaw to trick a server into divulging secure information.19Timothy B. Lee, “The Heartbleed Bug, explained,” Vox, May 14, 2015, https://www.vox.com/2014/6/19/18076318/heartbleed Hundreds of thousands of major websites used the OpenSSL technology20Lee Rainie and Maeve Duggan, “Heartbleed’s Impact,” Pew Research Center, April 30, 2014, https://www.pewresearch.org/internet/2014/04/30/heartbleeds-impact/2/ and—despite using different webhosts and having other variations—immediately became vulnerable to attacks, against which both they and their website visitors had to update to protect. In another example, many browsers allow (or even prompt) users to store their passwords directly in the browser. While this feature is convenient and widespread, it can also leave users vulnerable to information-stealing malware.21Bill Toulas, “RedLine malware shows why passwords shouldn’t be saved in browsers,” Bleeping Computer, December 28, 2021, https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/; “Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included,” ASEC, December 28, 2021, https://asec.ahnlab.com/en/29885/. This design decision, a potentially improper prioritization of usability over security, has thus replicated beyond one company or browser.

Browsers are subject to this market concentration, homogenous design, and cascading insecurity risk. One can easily imagine an attack targeting the Chrome browser that could render roughly 60 percent of internet users unable to use their primary browser. Yes, it is likely that users have a backup browser installed, but even that backup browser could be subject to similar insecurities due to design homogeneity. For example, if an attack targeting Chrome did not exploit a vulnerability in code unique to Chrome but instead targeted Chromium, the system used by Chrome and many other major browsers, the compromise’s impact could be even more widespread. Such an attack could affect everything from Microsoft’s Edge browser to the Russian internet giant’s Yandex Browser.

It’s not just Chromium. Because of the nature of the internet, browsers often face concentrated risks arising from the need to interpret or integrate common website technologies. For example, JavaScript (JS) is a primary method through which web developers build interactive applications, and Google’s V8 JS engine enables all Chromium-based browsers to execute JS code. As a result, V8 has set global technical norms for how browsers compile and interpret JS. With attackers frequently launching JavaScript-based attacks,22Liam Tung, “Bugs in Chrome’s JavaScript engine can lead to powerful exploits. This project aims to stop them,” ZDNet, August 3, 2021, https://www.zdnet.com/article/bugs-in-chromes-javascript-engine-can-lead-to-powerful-exploits-this-project-aims-to-stop-them/. and the V8 engine having historically been the location of memory-based security vulnerabilities,23Peter Pflaster, “Type Confusion Vulnerability in Chrome V8 Javascript,” Automox, March 28, 2022, https://www.automox.com/blog/type-confusion-vulnerability-in-chrome-v8-javascript; “Vulnerability of Chrome: memory corruption via V8 Type Confusion,” Vigilance Vulnerability Reports, accessed August 1, 2023, https://vigilance.fr/vulnerability/Chrome-memory-corruption-via-V8-Type-Confusion-38089. the convergence of a singular JS engine to power the entire web-browsing ecosystem poses a systemic risk. Another historical example is Adobe Flash, which was the default tool for rendering dynamic content across browsers for decades. Before it was discontinued in 2020, hundreds of vulnerabilities were disclosed every year and the tool was considered a major source of browser insecurity.24Jon Watson, “What makes Flash so insecure and what are the alternatives?” Comparitech, August 22, 2018, https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security/; “Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products,” U.S. Cybersecurity and Infrastructure Security Agency,, January 24, 2013, https://www.cisa.gov/news-events/alerts/2009/07/23/adobe-flash-vulnerability-affects-flash-player-and-other-adobe

Chromium’s widespread usage additionally underscores a reality of homogeneity: it is not always obvious that homogeneity is there. Users might reasonably believe they have some increased dependence on Google products when they use Google’s Chrome browser to navigate the internet, Google’s Gmail application to send email, and the Google Drive suite of products to build presentations and collaborate on work documents. However, internet users with the Microsoft Edge browser likely do not expect they are still, in part, relying on code built by Google. The same goes for individuals using Opera or Yandex Browser; this is almost certainly true in the case of Russians using Yandex’s browser software. Even if homogeneity is not obvious on the visual interface side of a browser, it may exist on the software back-end.

Conclusion

The concept of homogeneity is useful in understanding how concentrated markets and design pressures in some software areas can lead to increasingly systemic cybersecurity risk. Market pressures as well as technological realities can incentivize companies to converge on a few core technologies and designs, and major errors and failures in technology can potentially cascade across the ecosystem.

Looking ahead, policymakers working on systemic cybersecurity problems should consider how consumer-facing technologies like browsers fit into the picture alongside other critical technologies and protocols, such as internet traffic routing through the Border Gateway Protocol.25Justin Sherman, The Politics of Internet Security: Private Industry and the Future of the Web, Atlantic Council, October 5, 2020, https://www.atlanticcouncil.org/in-depth-research-reports/report/the-politics-of-internet-security-private-industry-and-the-future-of-the-web/. If browsers around the world went down, it would not break the internet (i.e., consumers could still use video chats), but it would have a substantial impact on people’s ability to send and receive information online. This is an area ripe for additional research and policy analysis.

Broadly, US and other policymakers working on competition issues should certainly consider that market concentration may have relevant implications for cybersecurity risk. At the same time, they must also acknowledge how questions of market concentration may not address other questions around the security and resilience of underlying, foundational technologies, such as Chromium or JavaScript. The offering of free and open-source software frameworks such as Chromium could benefit competition by increasing the ability of new entrants to compete while simultaneously creating single points of technological failure hidden beneath different companies and product brands. Rather than misguidedly taking this as a sign that open-source software is somehow inherently dangerous (it is not), policymakers should support more work on security for key open-source software packages through risk awareness and investment.26Stewart Scott, Sara Ann Brackett, Trey Herr, and Maia Hamin, Avoiding the success trap: Toward policy for open-source software as infrastructure, Atlantic Council, February 8, 2023,https://www.atlanticcouncil.org/in-depth-research-reports/report/open-source-software-as-infrastructure/.

As internet-based information systems become an increasingly embedded and integral part of the modern world, browsers will continue to grow in importance as a central element of internet connectivity and information sharing. Understanding and overseeing market concentration and design homogeneity to avoid creating systemic insecurities is essential for the health of the present and future internet.


The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.