Regardless of the installation method, it sounds like we need to be running all applications in their own individual virtual machines (e.g. Qubes OS) or within a restricted environment with limited permissions (iOS).
Worse, what happens when I do want the applications to communicate?
An amusing gotcha I found with Docker was: how do I convince the servers I communicate with from in the container that I am me? Best bet was to map my user into the user on the container, but that was actually ridiculously fraught with trouble. (There is a chance this has since been fixed...)
Qubes OS adopted the "manual authentication" method (of having to confirm everything, such as clipboard copy/paste).
This is probably not quite scalable (not to mention annoying). Maybe there's some way to have a short session token, so during a work session of a few hours, it works without any intervention.
The problem came when I wanted the app to communicate with another on behalf of me. Do I have to constantly reconfigure an OpenID connection for every app on my machine? (Not the worst of ideas, I suppose...)
While password-based phishing might have been stopped by U2F, it still leaves Gmail accounts vulnerable to OAuth phishing attacks, which can be just as devastating.
No, it sees the content type in the headers that are at the start of the response. Presumably if that header isn't correct it'll stop downloading any further data.
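As an added illustration of the point made in the comment above (this is example code, not something posted in the thread, and the "it" in the comment is not identified, so a generic HTTP client is assumed): the status line and headers are the first bytes of an HTTP response, so a client can parse just those, compare the Content-Type against what it expects, and stop before consuming the body. The responses below are constructed sample data; on a real connection, `sock.makefile("rb")` gives the same byte-stream interface as the `io.BytesIO` used here.

```python
import io

# Constructed sample responses (not real captures). The body in each case is a
# small, obviously non-binary payload so the "did we read it?" check is visible.
SAMPLE_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"abcdef"
)
SAMPLE_WRONG_TYPE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"<html>"
)


def read_head(stream):
    """Read only the status line and headers from a response byte stream.

    Returns (status_code, headers) with header names lower-cased. The stream is
    left positioned at the first byte of the body, which has NOT been read.
    """
    status_line = stream.readline()
    if not status_line.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    parts = status_line.split(b" ", 2)
    status = int(parts[1])

    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):   # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        # First occurrence wins; duplicate headers are a separate hardening topic.
        headers.setdefault(name.strip().lower().decode("ascii"),
                           value.strip().decode("latin-1"))
    return status, headers


def download_if_type(stream, expected_media_type, max_bytes=1 << 20):
    """Return the body only if the advertised media type matches, else None.

    The decision is made from the headers alone; when it is negative the body
    bytes are never read from the stream (the caller can then close the socket).
    Parameters such as '; charset=utf-8' are ignored when comparing.
    """
    status, headers = read_head(stream)
    if status != 200:
        return None
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != expected_media_type.lower():
        return None                      # stop here: body left unread
    length = int(headers.get("content-length", "0"))
    return stream.read(min(length, max_bytes))


if __name__ == "__main__":
    print(download_if_type(io.BytesIO(SAMPLE_OK), "application/octet-stream"))
    stream = io.BytesIO(SAMPLE_WRONG_TYPE)
    print(download_if_type(stream, "application/octet-stream"))
    print("unread body bytes:", stream.read())
```

The check is only as good as the server's honesty: a hostile server can send any Content-Type it likes, so this protects against misconfiguration and accidental downloads, not against a deliberately mislabelled payload. That is why browsers additionally sniff content and why the `X-Content-Type-Options: nosniff` header exists.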
They look everywhere. I think it's a case of survivor bias where we only see when they succeed (via published bugs). We don't hear about the thousands of times that they failed to find anything.
This. Very much this. It also depends on the scope.
Eventually you'll find something if you're auditing a product, because you'll start at the application interface layer and work your way down.
No issues with the design of the application (this is end-game 50-75% of the time)?
OK, what about the libraries you've used.
OK, what about the framework you've built on.
OK, what about the web server you're running.
OK, what about other services on the web server you're running.
OK, what about the operating system you're running.
OK, what about the people who administer the services you're running (this is usually end-game 98% of the time - it's the "auto-win" card if it's in-scope).
And in between all of the above, you can leverage different holes you found to find more holes in the previous and future steps you've taken.