Don't Blame Your Browser!

Here is an article published in Security Focus: “Don’t Blame Your Browser”.

Hope you enjoy it.


If one wants to take a walk one uses their feet (their browser). The walking path might take you into the deep, dark woods (the Internet). If your “browser” protection consists of only open-toed sandals it is likely you will stub your toes, step on sharp sticks and rocks, and a spider might bite your feet (the bad guys on the Internet). If this happens does one curse their feet (browser)? No, you need better protection for your body (your computer). Put some heavy boots on! Protect yourself.


Yes, prevention is far better than waiting for something to happen and then starting to act on it… hmmmm… :THNK… True, still, if programmers now start programming with security as priority 1, people who do not completely understand the value of “prevention as the first line of defense” would benefit from the fact that programmers have made their programs with safety in mind as priority 1. True, this does not guarantee 100% safety, but what can guarantee that? We are all humans after all… (:WIN)

But m00nbl00d (and Melih), it’s difficult to draw the line, isn’t it? The internet is not a normal road, it’s rather a minefield. Does that mean we need tanks? Furthermore, if we’re talking browsers, what should you include? Antivirus?

I think makers of browsers should strive for a secure and preventive browser, to some extent. However, we can’t put everything there… browsers are made for browsing (yes, preferably secure) but not really for protecting the whole system.

Who do you think car manufacturers turn to in order to have a better lock, better security for their users? Car manufacturers don’t have the best locks, they buy them in. They don’t have a lock manufacturing facility or a facility to do the R&D about the best lock etc.
Unlike cars, computers do not need it all embedded (e.g. it would be difficult for a user to add security to a car, like changing locks etc., hence car manufacturers have to provide it all in one go).


As for cars, I believe you refer to safety rather than security?

You’re actually making wrong analogies and you’re pulling things out of context.

Browsers are made to browse. Pretty simple, of course they’re made as safe as possible. But the original defender must be the security products. Of course that’s a little old-fashioned. I mean, it’s the same as using detection instead of prevention. In both things, technology advanced. It’s normal that browsers are made with security packets in them, but that’s not their main goal. They’re created so you can go on the internet!

With your example of the car:

You made the car the browser, it’s not. The car is the internet. The seats, motor, … are the browser. They just drive you from point A to point B. But what’s the safety then? As you said: the seat-belts and airbags. But is that all? No, you need decent tires, a good road, and so on. Those are the security factors, but they’re all out of the control of the car manufacturer. I mean, they don’t create them, they buy them. It’s the task of the safety manufacturer to make the car as safe as possible, it’s the task of the car manufacturer to make the car as fast as possible! It’s the same with browsers!


True, but that’s not the first priority! Or at least it mustn’t be. Do you think that people will use your browser just because it’s safe, but slower than Internet Explorer 2? Nope, they’ll go to other browsers… So speed is N

They will go to other browsers, because they too offer decent security. But if you have to choose between an ultra fast but super insecure browser and a not as fast but very secure one, which one would you pick?

Yes, I understand the point M00nBl00d is making and I agree with him… He is saying this, if I understand him correctly: The main goal of browser makers is not making a security application, but a program to browse the Internet, and the security can be handled by security applications like CIS for example… (that is what “others” are saying…) But that is just the point! He says the main goal should be creating a “safe” program to browse the Internet with, so in this case people who don’t have CIS will still have some safety when “driving” along the virtual highway… And I agree completely with him if that is the point he is trying to make. A few examples that prove that point:

  • Firefox is promoting itself as the safest browser…
  • Mac OS X is promoting itself as a safe alternative to Windows
  • Volvo is a car manufacturer that is building cars that have a very high security standard (they build dozens of security mechanisms into their cars)

WHY? Because SECURITY is now becoming a task for everyone… Not only security vendors, but each one of us! From the core programmer who has security in mind as the first priority, to car manufacturers who want safer cars, to OS makers who want a safe operating system, to browser developers who want users to browse the internet more safely.

Safety is a job for everyone, not only for certain parties… and this is becoming more and more clear, because the dangers of neglecting safety measures have shown us that it can have very big consequences… (:WIN)

To sum up, why should we be dependent on a security vendor to cover all the holes?

The OS should be safe, the browser should be safe, everything should be updated to the latest versions, and to strengthen all this you install layered security application(s).

It’s not a matter of “should”, we are dependent on security vendors! Because the providers of browsers, OSs etc. will always miss things… so security vendors do their best to cover that.

Guys, you miss the essence of the whole article.

It’s about this (I think): Browsers can protect you, they will release patches etc. to protect you, but in the end, as LA says so nicely: you are still dependent on security vendors.
I just downloaded a new rogue, I mean, does Opera stop me from doing that? Nope, why not? Well, because it’s not created to do that. It could protect me from a buffer overflow, when it’s patched, but then just a new one will come out…


But that’s how it is now! People do use protection (antiviruses mainly). That’s not enough. But for about 80% of PC users, HIPS, sandboxing and other technologies are too difficult to use. So they are stuck with antiviruses.

All that stuff is getting easier and easier to work with, so within a year from now, CIS will probably be even quieter than a standard antivirus :wink:


The point is: the work that the security vendors are doing must be done by someone.
The only discussion is about the delivery of this work to end users, as part of the browser or not, and who should do this work on security…


FYI, I never said that IE is as safe as Opera. (I mean: :o) I was saying that safety wasn’t the first priority of a browser. It’s the speed. But in these times, yeah, they have to work on safety, otherwise they won’t get used anymore…