Saturday, October 3, 2009

They Don't Stand a Chance

The average web browsing user still has a 60+% chance of surfing with Internet Explorer (IE) ... worse yet, there is a 1 in 4 chance that the same user is using Internet Explorer 6 -that's the reality we live in. Why is this so bad? Internet Explorer 6 is widely known to have more holes than Swiss Cheese and came from a simpler time ... back when surfing sites didn't give you diseases.

But I digress ...

The end-user is in serious trouble ladies and gentlemen. There are more malicious sites that stand up every day than legitimate ones, and even a seasoned [security] veteran often can't tell the difference between a malicious site and a legitimate one without a deep-dive into the code. While malware and site hacks have gone nuclear and are evolving at an incredible rate the technology with which the average Joe the plumber surfs the web is even remotely keeping up. This creates a serious problem for those average users, and even the security-conscious user.

Let's take a best-case scenario, which we can all acknowledge is a rare thing ... maybe somewhere around 1% of all users - the security-conscious end-user. The security-conscious end-user will be careful what sites they visit, notice pop-ups, scare-ware, and may even be surfing with the latest FireFox build with NoScript updated and running. What if even this user profile is still infected with malware?? Impossible you say?

What if a super-popular, commercial website like FoxSports could get infected with something nasty? Worse yet ...what if someone dropped an iFrame into's site to re-direct you to somewhere that would be silently and transparently serving up malware? Sure, NoScript would catch that right? Not if you're trusting a site like ... and why would you not?

So now we have a worst-case scenario that's playing out every hour of every day. Public, commercial web sites are infected with who-knows-what types of malware and even the best defenses against these attacks fail because they aren't "smart enough" to protect the user.

What we have is a combination of poor web site design, poor browser design, poor end-user education, and security protections that are simply not usable in an every-guy kind of way. What's the typical web browsing user to do? They don't stand a chance!

There is a remedy though, but it involves a chain-reaction of responsibility and security effectiveness...
  • Sites must do better at securing their content ... this won't happen until people publicize their failures and hold the owners accountable. Can you sue a site owner like Fox if your computer gets infected with some malware that cleans out your bank account?
  • Layered defenses must be in place such as ...
  • Regular site security scans (looking for vulnerabilities)
  • Network-based web site attack defenses (if you want to call them WAFs...)
  • Expanded use of malicious site content checkers (like the Google Safe-Browsing API)
  • End-users must be educated more on the dangers of simply surfing to a known, public website and how that can impact them
  • Browsers, OSes, and applications must build auto-update mechanisms into their code that is enabled by default to protect clueless users from their own ignorance
Meanwhile, those folks that are still using IE6 (or other out-of-date) browsers should be redirected to an update page on Microsoft's site ... I think if the owners and operators of some of the more popular Internet sites got together and agreed to disallow anything other than the most current browsers and simply show a warning page with links to download updates ... the world would become a much safer place.

What am I advocating? Cooperation. I am advocating an open project where we design a single "Browser Warning!" type page and get the top sites to start implementing it for when-ever someone hits them with an out-of-date browser. This is a huge problem friends ... who's with me?


Anonymous said...

agreed but easier said than done. its like the green effect. it would require massive cooperation, and most are too uneducated to see the gain or worth in putting effort into security.

ghostnomad said...

I think you have some really good thoughts on moving towards a more secure browsing experience. It is not unheard of to force people to upgrade their browsers. If memory serves me correctly, back when IE6 came out many of the e-commerce and financial sites forced users to upgrade for security reasons. That said, for sites that don't require secure browsing you find yourself in a rock and hard place situation. If one site does what you suggest and their competitors do not, you just force consumers of your content away. In the end, if a user gets infected they will not know which site is the culprit, thus saving the offender from the users’ wrath.

The key to forcing upgrades to browsers is to again have e-commerce and financial sites not allow less secure browsers, which in the end will force the majority of the browser users to move off vulnerable platforms. For the parts of your solution that lie in the hands of web content owners, until there are consequences for poor web design there will be little incentive to improve. In the physical world there is the concept of strict product liability. Perhaps such a hammer needs to be wielded in the digital world (if there already is pardon my ignorance.) I like the ideas you present and can only hope the solution comes sooner than later.