Monday, August 4, 2008

Safe browsing - Websense says fuggetaboutit!

It would sure be nice if an ordinary mortal could buy a computer, plug it in, and safely surf the web. Websense doesn't think so. I don't either. Apparently neither does CNN.

According to Websense:
  • 75 percent of Web sites with malicious code are legitimate sites that have been compromised [...]
  • 60 percent of the top 100 most popular Web sites  have either hosted or been involved in malicious activity in the first half of 2008.
Ordinary precautions, like 'don't surf pr0n' , 'don't run P2P', and 'don't download screen savers' are of marginal value when legitimate web sites are part of the malware content distribution network.   

It's 2008. So now that we have the wonderful world of Web 2.0, Websense says:
The danger is that users typically associate the content they are viewing from the URL in the address bar, not the actual content source. The URL is no longer an accurate representation of the source content from the Web page.
(Emphasis is mine.)
So even the wise old advice of simply making sure that you pay attention to your address bar is of limited value. Your address bar is really just he starting point for the adventure that your Web 2.0 browser will take you on without your knowledge or consent.

Obviously it is true that some people, some of the time, can surf the web with a mass produced, default installed operating system and browser. But for the general case, for most users, that's apparently not true.

One of my security mantras is 'if it can surf the web, it cannot be secured'. In my opinion, if your security model assumes that desktops and browsers are secure, your security model is broke. You still need to do everything you can to secure your desktops and browsers, but at the end of the day, after you've secured them as best as they can be, you still need to maintain a healthy distrust toward them.

Of course when security vendors report on the state of security, we need to put their data into the context of the increase revenue they see when everyone panics and buys their product.

(via Zdnet )

2 comments:

  1. I agree; web2.0 and the volume of crap included from various domains, most of it JavaScript, means you have to trust an awful lot of different domains to browse some sites. Even major sites like Amazon will do this. And don't think for a second that the embedded content is all included via SSL...

    So yes, you can not secure something that can browse the web.

    ReplyDelete
  2. "Your address bar is really just he starting point for the adventure that your Web 2.0 browser will take you on without your knowledge or consent."

    That's a great quote. I may steal it :-)


    Really good article, and painfully true

    ReplyDelete