I'll post a text version of this hopefully soon, maybe I'll write it on the plane ride home tomorrow - but for now, here are the slides! As always - feedback is welcome.
Monday, May 18, 2009
Slides from CSI/SX 2009 Posted!
Hi all, ahead of my talk at the CSI/SX 2009 event I wanted to post my slides for you. It's a short deck that does much better, I think, in person than what the slides show - but I hope it conveys my point. Essentially - it's a rant against the really crappy state of web browser security.
Subscribe to:
Post Comments (Atom)
3 comments:
I think that browser security or the lack of is just a consequence of how security works in every field.
There always have been a trade of between usability and security, there people who knows how to make things more secure but they usually don't do it to avoid problems with usability
Regarding to browsers, they didn't born in a such insecure environment as it is the web today, they were born as a utility to help users reach information in some far away place, the same applies to technologies like http or even tcp/ip, people know now they aren't the most secure but when they were born, security wasn't something to consider
Given the history of browsers, users started to get used to some features, more precisely some functionalities, and I think that this is one of the reasons why it is not so easy to make browsers secure, if you add security is likely you'll be reducing usability but users are used to that usability
Market shares I think the play a role in this, companies don't want to loose usability in their products so they don't loose users
Regarding browser extensibility my biggest concern is the lack of audit from security vendors with thirdly party add-ons/plugins. Mozilla for example, they don't audit every add-on someone else made, nor I think they plan to do so in the future, and this is a point where while extensibility is a good thing, the lack of having a secure standard about the code used to extend some functionality is a very bad thing
Will vendors should start implementing security despite loosing some usability? will they be able someday to find a middle ground between usability and security? will users ever learn that security is something missing in their day to day applications?
I really hope that such a day comes...
@Anonymous - excellent reply, thanks for the well-thought-out response!
Next time, please register so we know who you are and can give you proper credit!
bah no need for credits, I haven't said anything new, maybe this is the thing that worries the most ;)
Many people have said the same thing over and over but at some point it seems everyone comes to the same conclusion, there's no easy way to fix things that have been done wrong for so long
One thing that I thought while I was reading your slides and came to that it says that every browser vendor say their browser is the most secure was how badly such statements are fooling users
Browser vendors know their browsers are not secure despite the fact that the technologies where browsers work upon aren't secure either
Security companies, consultants, evangelist and the like also know that browsers aren't secure
so why still we see vendors saying the browsers are secure? this is a very bad advertisment which only leeds users to have that false sense of security. "You can feel secure but that doesn't mean you are"
A debatible point is that one browser might be more secure that other but as you correctly point out in one of your slides, every single browser today still suffers from the most basic flaws
Is it something to be concerned about? surely is and I think that today is more true than before, right now almost everything is done from a browser and things like cloud computing for instance is a sign that this won't change anytime soon
Anyway, great slides, keep it up ;)
Post a Comment