But I digress ...
The end-user is in serious trouble, ladies and gentlemen. There are more malicious sites that stand up every day than legitimate ones, and even a seasoned [security] veteran often can't tell the difference between a malicious site and a legitimate one without a deep-dive into the code. While malware and site hacks have gone nuclear and are evolving at an incredible rate, the technology with which the average Joe the Plumber surfs the web isn't even remotely keeping up. This creates a serious problem for the average user, and even for the security-conscious user.
Let's take a best-case scenario, which we can all acknowledge is a rare thing ... maybe somewhere around 1% of all users - the security-conscious end-user. The security-conscious end-user will be careful about what sites they visit, will notice pop-ups and scare-ware, and may even be surfing with the latest Firefox build with NoScript updated and running. What if even this user profile still gets infected with malware? Impossible, you say?
What if a super-popular, commercial website like FoxSports could get infected with something nasty? Worse yet ... what if someone dropped an iframe into FoxSports.com's site to redirect you to somewhere that would be silently and transparently serving up malware? Sure, NoScript would catch that, right? Not if you're trusting a site like FoxSports.com ... and why would you not?
So now we have a worst-case scenario that's playing out every hour of every day. Public, commercial web sites are infected with who-knows-what types of malware and even the best defenses against these attacks fail because they aren't "smart enough" to protect the user.
What we have is a combination of poor web site design, poor browser design, poor end-user education, and security protections that are simply not usable in an every-guy kind of way. What's the typical web browsing user to do? They don't stand a chance!
There is a remedy though, but it involves a chain-reaction of responsibility and security effectiveness...
- Sites must do better at securing their content ... this won't happen until people publicize their failures and hold the owners accountable. Can you sue a site owner like Fox if your computer gets infected with some malware that cleans out your bank account?
- Layered defenses must be in place, such as ...
  - Regular site security scans (looking for vulnerabilities)
  - Network-based web site attack defenses (if you want to call them WAFs...)
  - Expanded use of malicious site content checkers (like the Google Safe-Browsing API)
- End-users must be educated more on the dangers of simply surfing to a known, public website and how that can impact them
- Browsers, OSes, and applications must build auto-update mechanisms into their code that are enabled by default, to protect clueless users from their own ignorance
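The hidden-iframe drop described earlier and the "regular site security scans" item in the list above are the kind of thing a site owner can check for mechanically. Below is an added example, not code from the original post: a small Node.js scanner that pulls every `<iframe>` out of a page's HTML and flags the ones that point off-site, are sized to zero, or are hidden by inline style. The sample page, the host names (`.test` domains and a 203.0.113.x documentation address) and the trusted-host list are all constructed for the example.

```javascript
// Added example: scan a page's HTML for injected, hidden, off-site iframes.
// Regex-based tag parsing, no external dependencies. A '>' inside a quoted
// attribute value would cut a tag short; good enough for a first-pass scan.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Turn the raw attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Inline-style tricks commonly used to keep an iframe out of sight.
function isHiddenStyle(style) {
  const s = style.toLowerCase().replace(/\s+/g, '');
  return /display:none/.test(s) ||
         /visibility:hidden/.test(s) ||
         /(width|height):0(px)?(;|$)/.test(s) ||
         /(left|top):-\d{3,}px/.test(s);     // pushed far off-screen
}

function isZeroSize(attrs) {
  const w = attrs.width, h = attrs.height;
  return (w !== undefined && parseInt(w, 10) === 0) ||
         (h !== undefined && parseInt(h, 10) === 0);
}

// Resolve a (possibly relative or protocol-relative) src against the page host.
function hostOf(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Returns one finding per suspicious iframe: the raw tag, its src and why it
// was flagged. An iframe with no reason attached is not reported.
function scanForSuspiciousIframes(html, pageHost, trustedHosts = []) {
  const trusted = new Set([pageHost, ...trustedHosts].map(h => h.toLowerCase()));
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || '';
    const host = hostOf(src, pageHost);
    const reasons = [];
    if (host && !trusted.has(host)) reasons.push('off-site src: ' + host);
    if (isZeroSize(attrs)) reasons.push('zero width/height');
    if (attrs.style && isHiddenStyle(attrs.style)) reasons.push('hidden via style');
    if (reasons.length > 0) findings.push({ tag: m[0], src, reasons });
  }
  return findings;
}

// Constructed sample page: two legitimate iframes, two injected ones.
const SAMPLE_HTML = `
<html><body>
<h1>Scores</h1>
<iframe src="/widgets/scoreboard" width="600" height="400"></iframe>
<iframe src="https://video.example-sports.test/player" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="//cdn.evil-example.test/t.html" style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>`;

const SAMPLE_PAGE_HOST = 'www.example-sports.test';
const SAMPLE_TRUSTED = ['video.example-sports.test'];

for (const f of scanForSuspiciousIframes(SAMPLE_HTML, SAMPLE_PAGE_HOST, SAMPLE_TRUSTED)) {
  console.log(f.src, '->', f.reasons.join('; '));
}
```

Run it over a fetched copy of each page on a schedule and diff the findings against the previous run; an injected iframe shows up as a new off-site or hidden entry. The parsing is regex-based and will miss an iframe that is assembled by script at runtime or hidden through a stylesheet class rather than an inline style, so treat it as one layer of the scan, not the whole of it.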
Meanwhile, those folks that are still using IE6 (or other out-of-date browsers) should be redirected to an update page on Microsoft's site ... I think if the owners and operators of some of the more popular Internet sites got together and agreed to disallow anything other than the most current browsers, and simply showed a warning page with links to download updates ... the world would become a much safer place.
What am I advocating? Cooperation. I am advocating an open project where we design a single "Browser Warning!" type page and get the top sites to start implementing it for whenever someone hits them with an out-of-date browser. This is a huge problem, friends ... who's with me?
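One way a site could wire up the "Browser Warning!" page just proposed, as an added example that is not code from the original post: a User-Agent check that parses the browser family and major version, compares it against a minimum-version policy, and returns a redirect decision for the request. The minimum versions, the `/browser-warning` path, the request shape and the sample User-Agent strings are all assumptions made up for the example.

```javascript
// Added example: route out-of-date browsers to a shared warning page.
// MINIMUM_MAJOR is a constructed policy table, not tied to any real release.
const MINIMUM_MAJOR = { ie: 8, firefox: 3, chrome: 4 };
const WARNING_PATH = '/browser-warning';

// Extract browser family and major version from a User-Agent string.
// Returns null for anything we have no rule for (those pass through).
function parseBrowser(ua) {
  let m;
  if ((m = /MSIE\s+(\d+)/.exec(ua)) !== null) return { name: 'ie', major: Number(m[1]) };
  if ((m = /Trident\/.*rv:(\d+)/.exec(ua)) !== null) return { name: 'ie', major: Number(m[1]) }; // IE 11 dropped "MSIE"
  if ((m = /Firefox\/(\d+)/.exec(ua)) !== null) return { name: 'firefox', major: Number(m[1]) };
  if ((m = /Chrome\/(\d+)/.exec(ua)) !== null) return { name: 'chrome', major: Number(m[1]) };
  return null;
}

// True when the browser is recognised and below the policy minimum.
function isOutdated(ua, minimums = MINIMUM_MAJOR) {
  const b = parseBrowser(ua || '');
  if (b === null) return false;
  const min = minimums[b.name];
  return min !== undefined && b.major < min;
}

// Decide what to do with one request ({ path, headers }). Returns
// { redirect: false } to serve the page normally, or { redirect: true, location }
// to send the visitor to the warning page. The warning page itself and static
// assets are never redirected, so the visitor can read the page (and fetch an
// update) without looping.
function warningDecision(req) {
  const { path, headers } = req;
  if (path === WARNING_PATH || path.startsWith('/static/')) return { redirect: false };
  if (!isOutdated(headers['user-agent'])) return { redirect: false };
  return { redirect: true, location: WARNING_PATH + '?from=' + encodeURIComponent(path) };
}

// Constructed sample requests: IE6, IE11, Firefox 3.5, IE6 already on the
// warning page, and a request with no User-Agent at all.
const SAMPLE_REQUESTS = [
  { path: '/scores', headers: { 'user-agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' } },
  { path: '/scores', headers: { 'user-agent': 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' } },
  { path: '/scores', headers: { 'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:1.9.1) Gecko/20090624 Firefox/3.5' } },
  { path: WARNING_PATH, headers: { 'user-agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' } },
  { path: '/scores', headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const d = warningDecision(req);
  console.log(req.path, '|', req.headers['user-agent'] || '(none)', '->', d.redirect ? d.location : 'serve');
}
```

Two caveats a practitioner would want. The warning page and static assets are excluded so the redirect cannot loop. And the User-Agent header is supplied by the client, so this is a nudge towards updating rather than a security control: a spoofed string passes straight through, and IE running in compatibility view reports an older MSIE version than the engine actually installed.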