Don't Blame Your browser!

[Guest]

[Melih]

Here is an article published in Security Focus Don't Blame Your Browser

Hope you enjoy it

Melih

[SecurityManiac]

Nice,
Good read Melih. I totally agree with you

[grayhair]

   If one wants to take a walk one uses their feet (their browser).  The walking path might take you into the deep, dark woods (the Internet).  If your "browser" protection consists of only open-toed sandals it is likely you will stub your toes, step on sharp sticks and rocks, and a spider might bite your feet (the bad guys on the Internet).  If this happens does one curse their feet (browser)?  No, you need better protection for your body (your computer). Put some heavy boots on!  Protect yourself.

 

[DaRtH VaDeR.]

Yes, prevention is far more better than waiting for something to happen and than start acting on it...... hmmmm....... ....... True, still if programmers now start programming with security as priority 1 , people who do not completely understand the value of "prevention as the first line of defense" would benefit from the fact that programmers have made their programs with safety in mind as priority 1. True, this does not guarantee 100 % safety, but what can guarantee that?, we all are humans after all.....

[LeoniAquila]

But m00nbl00d (and Melih), it's difficult to draw the line, isn't it. The internet is not a normal road, it's rather a mine field. Does that mean we need tanks? Furthermore, if we're talking browsers, what should you include? Antivirus?

I think makers of browsers should strive for secure and preventive browser, to some extent. However, we can't put everything there... browsers are made for browsing (yes, preferrably secure) but not really protecting the whole system.

Difficult indeed!

[Melih]

Actually, I don't agree.
I'll give an example, by making an analogy with cars (it seems it's fashion these days...).

I'm a car manufacturer. I build cars, obviously. Cars are meant to take people from point A to B and/or C, etc.
As a car manufacter, don't I have the obligation to make the car as safe as possible? And I'm not talking about placing seat-belts or airbags. The car, itself, needs to offer security. Needs to be stable. The less "buggy" possible.

We could say that the seat-belts and airbags are the antiviruses, etc. The car, itself, is the browser.

Do I have the right to neglect the car security factor, just because it is a mean to take people from point A to B? That's what a car is meant to do. Not to offer security.

Just because a brower is a way for people finding information (and not only), that doesn't mean that the browser doesn't have to be secure.

Do you guys imagine if cars manufacturers start to neglect the car security factor, just because there are airbags and seat-belts, which, in this care, are the means to offer the security?

Other example. An alpinist. The guy goes to climb a mountain. Takes all the stuff. The rope and all the material start to break as he climbs. The guy gets hurt or worse.
Not the manufacturers fault? Maybe not. After all, their job is to make something to allow people to climb. If it has quality or not... is another question. Now imagine everything is like that.


Regards

who do you think car manufacturers turn to in order to have a better lock, better security for their users? Car manufacturers don`t have the best locks, they buy it in. They don`t have a lock manufacturing facility or a facility to do the R&D about the best lock etc.
Unlike Cars, computers do not need all embedded (eg: it would be difficult for user to add security to a car like changing locks etc hence car manufacturers has to provide it all in one go).

Melih

[LeoniAquila]

I believe you totally misunderstood my post. When I meant cars security, I never had in mind locks.

Read again, and then repost.


Regards

As for cars, I believe you refer to safety rather than security?

[eXPerience]

Actually, I don't agree.
I'll give an example, by making an analogy with cars (it seems it's fashion these days...).

I'm a car manufacturer. I build cars, obviously. Cars are meant to take people from point A to B and/or C, etc.
As a car manufacter, don't I have the obligation to make the car as safe as possible? And I'm not talking about placing seat-belts or airbags. The car, itself, needs to offer security. Needs to be stable. The less "buggy" possible.

We could say that the seat-belts and airbags are the antiviruses, etc. The car, itself, is the browser.

Do I have the right to neglect the car security factor, just because it is a mean to take people from point A to B? That's what a car is meant to do. Not to offer security.

Just because a brower is a way for people finding information (and not only), that doesn't mean that the browser doesn't have to be secure.

Do you guys imagine if cars manufacturers start to neglect the car security factor, just because there are airbags and seat-belts, which, in this care, are the means to offer the security?

Other example. An alpinist. The guy goes to climb a mountain. Takes all the stuff. The rope and all the material start to break as he climbs. The guy gets hurt or worse.
Not the manufacturers fault? Maybe not. After all, their job is to make something to allow people to climb. If it has quality or not... is another question. Now imagine everything is like that.


Regards

You're actually making wrong analogies and you're pulling the things out of the context.

Browsers are made to browse. Pretty simple, of course they're made so safe as possible. But the original defender must be the security products. Of course that's a little old-fashioned. I mean, it's the same as using detection instead of prevention. In both things, technology advanced . It's normal that browsers are made with security packets in them, but that's not their main goal. They're create so you can go on the internet !

With your example of the car :

You made the car the browser, it's not. The car is the internet. The seats, motor, ... are the browser. They just drive you from point A to point B. But what's the safety then ? As you said: the seat-belts and airbags. But is that all ? No, you need decent tires, a good road, and go on. Those are the security factors, but they're all out of control of the Car manufacturer. I mean, they don't create them, they buy them. It's the task of the safety manufacturer to make the car as safe as possible, it the task of the car manufacturer to make the car as fast as possible ! It's the same with browsers !

Xan

[eXPerience]

Yes, browsers are meant to browse. Have you seen me mentioning otherwise?

What I said, is that, the security factor, cannot be neglected.

True, but that's not the first priority ! Or at least it mustn't be. Do you think that people will use your browser just because it's safe, but slower than Internet explorer 2 ? Nope, they'll go to other browsers... So speed is N

[WaterWall]

They will go to other browsers, because they too offer decent security. But if you have to choose between ultra fast, but super insecure browser and not as fast, but very secure, which one would you pick ?

[eXPerience]

Ultra fast, I don't care about security, I like to be infected 

Xan

[DaRtH VaDeR.]

Yes, I understand the point M00nBl00d is making and I agree with him..... He is saying this, if I understand him correctly: The main goal of browser makers is not making a security application, but a program to browse the Internet and the security can be handled by security applications like CIS for example.... (that is what "others"saying"...) But that is just the point! He says the main goal should be creating a " safe" program to browse the Internet with, so in this case people who don't have CIS still will have some safety when " driving" along the virtual highway.... And I agree completely with him if that is the point he is trying to make. A few examples that is proofing that point:

* Firefox is promoting itself as the safest browser....
* Mac OS X is promoting itself as a safe alternative for Windows
* Volvo is a car manufacturer that is building cars that has a very high security standard (they build dozens of security mechanisms in to their cars)

WHY? Because SECURITY is now becoming a task of everyone.... Not only security vendors, but each one of us! From the core programmer who has security in mind as the first priority to car manufacturers who want safer cars, to os makers who want a safe operating system to browser developers who want users to browse the internet safer.

Safety is a job for everyone not only for certain parties... and this is becoming more and more clear, because the dangers of neglecting safety measures have shown us that that can have very big consequences.....

[WaterWall]

Good post Vader. 

To sum up, why should we be dependend from a security vendor to cover all the holes ?

The OS should be safe, the browser should be safe, everything should be updated to the latest versions and to strenghten all this - you install layered security application(s)

[LeoniAquila]

To sum up, why should we be dependend from a security vendor to cover all the holes ?

It's not a matter of "should", we are dependent of security vendors! Because the providers of browsers, OSs etc. will always miss things... so security vendors do their best to cover that.

[eXPerience]

Guys, you miss the essence of the whole article.

It's about this  (I think) : Browsers can protect you, they will release patches etc, to protect you, but in the end, as LA says so nice : You still are dependant of security vendors.
I just donwloaded a new rogue, I mean, does Opera stop me from doing that ? Nope, why not ? Well, because it's not created to do that. It could prevent me from a buffer overflow, when it's patched, but then just a new will come out...

Xan

[Tags:]