Don't Blame Your browser!

Melih · February 9, 2009, 11:20pm

Here is an article published in Security Focus Don’t Blame Your Browser

Hope you enjoy it

Melih

SecurityAdvisor · February 10, 2009, 5:35am

Nice,
Good read Melih. I totally agree with you

grayhair · February 11, 2009, 7:30am

If one wants to take a walk one uses their feet (their browser). The walking path might take you into the deep, dark woods (the Internet). If your “browser” protection consists of only open-toed sandals it is likely you will stub your toes, step on sharp sticks and rocks, and a spider might bite your feet (the bad guys on the Internet). If this happens does one curse their feet (browser)? No, you need better protection for your body (your computer). Put some heavy boots on! Protect yourself.

(:WIN)

triple · February 11, 2009, 2:40pm

Yes, prevention is far more better than waiting for something to happen and than start acting on it… hmmmm… :THNK… True, still if programmers now start programming with security as priority 1 , people who do not completely understand the value of “prevention as the first line of defense” would benefit from the fact that programmers have made their programs with safety in mind as priority 1. True, this does not guarantee 100 % safety, but what can guarantee that?, we all are humans after all… (:WIN)

LeoniAquila · February 11, 2009, 2:51pm

But m00nbl00d (and Melih), it’s difficult to draw the line, isn’t it. The internet is not a normal road, it’s rather a mine field. Does that mean we need tanks? Furthermore, if we’re talking browsers, what should you include? Antivirus?

I think makers of browsers should strive for secure and preventive browser, to some extent. However, we can’t put everything there… browsers are made for browsing (yes, preferrably secure) but not really protecting the whole system.

Difficult indeed!

Melih · February 11, 2009, 3:00pm

m00nbl00d:

Actually, I don’t agree.
I’ll give an example, by making an analogy with cars (it seems it’s fashion these days…).

I’m a car manufacturer. I build cars, obviously. Cars are meant to take people from point A to B and/or C, etc.
As a car manufacter, don’t I have the obligation to make the car as safe as possible? And I’m not talking about placing seat-belts or airbags. The car, itself, needs to offer security. Needs to be stable. The less “buggy” possible.

We could say that the seat-belts and airbags are the antiviruses, etc. The car, itself, is the browser.

Do I have the right to neglect the car security factor, just because it is a mean to take people from point A to B? That’s what a car is meant to do. Not to offer security.

Just because a brower is a way for people finding information (and not only), that doesn’t mean that the browser doesn’t have to be secure.

Do you guys imagine if cars manufacturers start to neglect the car security factor, just because there are airbags and seat-belts, which, in this care, are the means to offer the security?

Other example. An alpinist. The guy goes to climb a mountain. Takes all the stuff. The rope and all the material start to break as he climbs. The guy gets hurt or worse.
Not the manufacturers fault? Maybe not. After all, their job is to make something to allow people to climb. If it has quality or not… is another question. Now imagine everything is like that.

Regards

who do you think car manufacturers turn to in order to have a better lock, better security for their users? Car manufacturers dont have the best locks, they buy it in. They dont have a lock manufacturing facility or a facility to do the R&D about the best lock etc.
Unlike Cars, computers do not need all embedded (eg: it would be difficult for user to add security to a car like changing locks etc hence car manufacturers has to provide it all in one go).

Melih

LeoniAquila · February 11, 2009, 3:45pm

As for cars, I believe you refer to safety rather than security?

alaertsxan · February 11, 2009, 3:55pm

m00nbl00d:

Actually, I don’t agree.
I’ll give an example, by making an analogy with cars (it seems it’s fashion these days…).

I’m a car manufacturer. I build cars, obviously. Cars are meant to take people from point A to B and/or C, etc.
As a car manufacter, don’t I have the obligation to make the car as safe as possible? And I’m not talking about placing seat-belts or airbags. The car, itself, needs to offer security. Needs to be stable. The less “buggy” possible.

We could say that the seat-belts and airbags are the antiviruses, etc. The car, itself, is the browser.

Do I have the right to neglect the car security factor, just because it is a mean to take people from point A to B? That’s what a car is meant to do. Not to offer security.

Just because a brower is a way for people finding information (and not only), that doesn’t mean that the browser doesn’t have to be secure.

Do you guys imagine if cars manufacturers start to neglect the car security factor, just because there are airbags and seat-belts, which, in this care, are the means to offer the security?

Other example. An alpinist. The guy goes to climb a mountain. Takes all the stuff. The rope and all the material start to break as he climbs. The guy gets hurt or worse.
Not the manufacturers fault? Maybe not. After all, their job is to make something to allow people to climb. If it has quality or not… is another question. Now imagine everything is like that.

Regards

You’re actually making wrong analogies and you’re pulling the things out of the context.

Browsers are made to browse. Pretty simple, of course they’re made so safe as possible. But the original defender must be the security products. Of course that’s a little old-fashioned. I mean, it’s the same as using detection instead of prevention. In both things, technology advanced . It’s normal that browsers are made with security packets in them, but that’s not their main goal. They’re create so you can go on the internet !

With your example of the car :

You made the car the browser, it’s not. The car is the internet. The seats, motor, … are the browser. They just drive you from point A to point B. But what’s the safety then ? As you said: the seat-belts and airbags. But is that all ? No, you need decent tires, a good road, and go on. Those are the security factors, but they’re all out of control of the Car manufacturer. I mean, they don’t create them, they buy them. It’s the task of the safety manufacturer to make the car as safe as possible, it the task of the car manufacturer to make the car as fast as possible ! It’s the same with browsers !

Xan

alaertsxan · February 11, 2009, 4:31pm

True, but that’s not the first priority ! Or at least it mustn’t be. Do you think that people will use your browser just because it’s safe, but slower than Internet explorer 2 ? Nope, they’ll go to other browsers… So speed is N

system · February 11, 2009, 4:48pm

They will go to other browsers, because they too offer decent security. But if you have to choose between ultra fast, but super insecure browser and not as fast, but very secure, which one would you pick ?

alaertsxan · February 11, 2009, 4:48pm

Ultra fast, I don’t care about security, I like to be infected ;D

Xan

triple · February 11, 2009, 6:03pm

Yes, I understand the point M00nBl00d is making and I agree with him… He is saying this, if I understand him correctly: The main goal of browser makers is not making a security application, but a program to browse the Internet and the security can be handled by security applications like CIS for example… (that is what “others"saying”…) But that is just the point! He says the main goal should be creating a " safe" program to browse the Internet with, so in this case people who don’t have CIS still will have some safety when " driving" along the virtual highway… And I agree completely with him if that is the point he is trying to make. A few examples that is proofing that point:

Firefox is promoting itself as the safest browser…
Mac OS X is promoting itself as a safe alternative for Windows
Volvo is a car manufacturer that is building cars that has a very high security standard (they build dozens of security mechanisms in to their cars)

WHY? Because SECURITY is now becoming a task of everyone… Not only security vendors, but each one of us! From the core programmer who has security in mind as the first priority to car manufacturers who want safer cars, to os makers who want a safe operating system to browser developers who want users to browse the internet safer.

Safety is a job for everyone not only for certain parties… and this is becoming more and more clear, because the dangers of neglecting safety measures have shown us that that can have very big consequences… (:WIN)

system · February 11, 2009, 6:11pm

Good post Vader. :-TU

To sum up, why should we be dependend from a security vendor to cover all the holes ?

The OS should be safe, the browser should be safe, everything should be updated to the latest versions and to strenghten all this - you install layered security application(s)

LeoniAquila · February 11, 2009, 6:42pm

It’s not a matter of “should”, we are dependent of security vendors! Because the providers of browsers, OSs etc. will always miss things… so security vendors do their best to cover that.

alaertsxan · February 11, 2009, 6:45pm

Guys, you miss the essence of the whole article.

It’s about this (I think) : Browsers can protect you, they will release patches etc, to protect you, but in the end, as LA says so nice : You still are dependant of security vendors.
I just donwloaded a new rogue, I mean, does Opera stop me from doing that ? Nope, why not ? Well, because it’s not created to do that. It could prevent me from a buffer overflow, when it’s patched, but then just a new will come out…

Xan

system · February 11, 2009, 6:54pm

But that’s how it is now ! People do use protection (Antiviruses mainly). That’s not enough. But for about 80 % of PC users - HIPS, Sandboxing and other technologies are too difficult to use. So they are stuck with antiviruses.

alaertsxan · February 11, 2009, 7:01pm

Well, then use antimalware 88) (ok, not funny (:NRD))

All those stuf are getting easier and easier to work with, so within now and a year, CIS will probably be even quitter than a standart antivirus

Xan

Melih · February 11, 2009, 7:03pm

the point is: The work that the security vendors are doing must be done by someone.
The only discussion is about delivery of this work to end users, as part of the browser or not and who should do this work on security…

Melih

SecurityAdvisor · February 11, 2009, 8:40pm

Please let me, I know the answer :comodo110:

alaertsxan · February 12, 2009, 10:49am

FYI, I never said that IE is as safe as opera. (i mean : :o) I was talking that safety wasn’t the first priority of a browser. It’s the speed. But in these times, yeah, they have to work on safety, otherwise they won’t get used anymore…

Xan