Monday, May 18, 2009

Slides from CSI/SX 2009 Posted!

Hi all, ahead of my talk at the CSI/SX 2009 event I wanted to post my slides for you. It's a short deck that works much better in person, I think, than the slides alone show - but I hope it conveys my point. Essentially, it's a rant against the really crappy state of web browser security.

I'll post a text version of this hopefully soon, maybe I'll write it on the plane ride home tomorrow - but for now, here are the slides!  As always - feedback is welcome.


Anonymous said...

I think that browser security or the lack of is just a consequence of how security works in every field.

There has always been a trade-off between usability and security; there are people who know how to make things more secure, but they usually don't do it, to avoid problems with usability.

Regarding browsers, they weren't born into such an insecure environment as the web is today; they were born as a utility to help users reach information in some far-away place. The same applies to technologies like HTTP or even TCP/IP: people know now they aren't the most secure, but when they were born, security wasn't something to consider.

Given the history of browsers, users got used to some features, more precisely some functionality, and I think this is one of the reasons why it is not so easy to make browsers secure: if you add security, it's likely you'll be reducing usability, but users are used to that usability.

Market share, I think, plays a role in this: companies don't want to lose usability in their products so they don't lose users.

Regarding browser extensibility, my biggest concern is the lack of auditing by security vendors of third-party add-ons/plugins. Mozilla, for example, doesn't audit every add-on someone else made, nor do I think they plan to do so in the future, and this is a point where, while extensibility is a good thing, the lack of a secure standard for the code used to extend functionality is a very bad thing.

Should vendors start implementing security despite losing some usability? Will they someday be able to find a middle ground between usability and security? Will users ever learn that security is something missing from their day-to-day applications?

I really hope that such a day comes...

Rafal Los said...

@Anonymous - excellent reply, thanks for the well-thought-out response!

Next time, please register so we know who you are and can give you proper credit!

uid0 said...

Bah, no need for credit; I haven't said anything new, and maybe that is the thing that worries me the most ;)

Many people have said the same thing over and over, but at some point it seems everyone comes to the same conclusion: there's no easy way to fix things that have been done wrong for so long.

One thing I thought while reading your slides, when I came to the part that says every browser vendor claims their browser is the most secure, was how badly such statements are fooling users.

Browser vendors know their browsers are not secure, despite the fact that the technologies browsers are built upon aren't secure either.

Security companies, consultants, evangelists and the like also know that browsers aren't secure.

So why do we still see vendors saying their browsers are secure? This is very bad advertising which only leads users to a false sense of security. "You can feel secure, but that doesn't mean you are."

A debatable point is that one browser might be more secure than another, but as you correctly point out in one of your slides, every single browser today still suffers from the most basic flaws.

Is it something to be concerned about? It surely is, and I think that is more true today than before; right now almost everything is done from a browser, and things like cloud computing, for instance, are a sign that this won't change anytime soon.

Anyway, great slides, keep it up ;)