Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is FireFox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, that they are likely passing their credentials in plain text over the internet for any smart hacker to read.

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.

9 thoughts on “Government security advice is misguided; switching browsers will not make you safe”

  1. Great article, right on the money to my mind for the most part. However if we put security above convenience then the user will circumvent it, it should be “convenient security”, security that has been designed with a great user experience in mind.

  2. Thanks for the enlightened skepticism… that practice of asking for mother’s maiden name or “secret” government ID number is particularly frustrating.

    Back when email clients went through their own feature wars many of us warned about accepting JavaScript from strangers, accepting attachments from strangers, accepting system-level calls from strangers (ActiveX). But it was hard to dissuade eager marketers with just an unproven hypothetical.

    The same seems to be happening today with the “HTML5” proposals. If they can’t even anticipate that a VIDEO tag needs a codec, I’m not confident how well they’ll implement the new desktop-py features. I’m starting to look for a Mac browser which gets security updates but not feature updates.

    But in all of this, the biggest danger may be the echo-effect from weblogs and news aggregators… they create realities where none exist. Scary.

    jd/adobe

  3. I agree, I wish the dialogue and focus would change to one educating people how to be safe. No one would expect walking through a suspect neighbourhood with a bag full of cash to be a sane thing, changing the bag for another wouldn’t really chance much, most people would actually expect to be robbed, somehow that same intuitive knowledge just does not apply on the web.

    Would you invite complete strangers into your house? No, but you would run a download off the internet in a heart beat that you know nothing about?

    Sometimes I think the best thing that could have happened for security is that virus protection never was invented, or at least not marketed the way it is, it is a false sense of security. It is useful in its own way but more as an alert system than as a protection, it is much more like a fire alarm than an fire extinguisher.

    I myself don’t use active virus protection, it is just a 100% sure solution to make your computer feel 10 years older and you get nothing for it, sandboxing and proper right management to limit possible harm is better, for instance, use a VM for your banking stuff and only use it for that. Now hyper visors can be broken too (as can the guest), but at least it is harder if it is only allowed to talk to your bank and that’s all you do.

    Protected mode in IE is a good step on the path of more convenient security, managing VMs is not for everyone. Problem likely is, people turn off protected mode, because hey, this web page asks for it… And people are likely used to badly written wep application, LoB, that they use at work, which “requires” that you step out of protected mode, so it just becomes one of those “tricks” to make things work….If I can trust this “workaround” at work it must be safe =)

  4. Maybe IE8 is rather safe, but the test you are referring to compared the release candidate of IE to the others released versions. IE:s released version where the least safe according to the report.

    But yes, there are no secure browsers. Just better or worse. I would really welcome regulary independent tests of browser security. (The test above does not look independent to me since it compared a relase candidate to released versions.)

  5. Maybe IE8 is rather safe, but the test you are referring to compared the release candidate of IE to the others released versions. IE:s released version where the least safe according to the report.

    It turns out you are right, though apparently it was sponsored by the engineering team not for marketing – see:

    http://arstechnica.com/microsoft/news/2009/08/microsoft-sponsors-two-nss-reports-ie8-is-the-most-secure.ars

    Still, point well made. It was the most recent browser security comparison I could find quickly. I’d love to see others.

    Tim

  6. However, a significant proportion of virus infections are through out of date IE versions. There are studies showing that Firefox users are more likely to run a fully up to date browser. In part this may be because more technical users are more likely to use Firefox, but it is also attributed to the fact that Firefox updates itself rather than relying on an external update mechanism like Flash and IE. In short switching non-technical users from Firefox to IE *will* do something to help their security as they more likely to be running an up to date browser.

  7. it is also attributed to the fact that Firefox updates itself rather than relying on an external update mechanism like Flash and IE.

    Windows Update is pretty insistent these days; but I agree it would make sense for IE to tell you it is out of date. But aren’t a lot of IE6 users just trapped by their company’s policies?

    Surely if keeping up-to-date is the key thing, then that is what the advice should be?

    I have nothing against FF or Chrome or Safari BTW; I am just sceptical that switching browsers is a route to better security.

    Tim

  8. This is the study I was thinking of (from 2008):

    http://www.techzoom.net/publications/insecurity-iceberg/

    It shows that less than 50% of Internet Explorer users have the most up to date version of their browser. That is too high a proportion to *only* be accounted for by corporate browsers unable to upgrade. Conversely 83.3% of Firefox users have the most up to date version of their browser. For whatever reason it seems that updating Internet Explorer through Windows Update *does not* result in ensuring users run the latest version – whereas the in application self-update of Firefox is *substantially* more effective. For a non-techie user this is a big win for browser security.

    From the study:

    “Critical to this instantaneous patching process is the mechanism of auto-update. Our measurement confirmed that Web browsers which implement an internal autoupdate patching mechanism do much better in terms of faster update adoption rates than those without.”

  9. You can add to this the fact that Firefox now *warns* users about outdated Flash plugins (another tool that uses an external update mechanism). As many ‘browser’ vulnerabilities are actually Flash vulnerabilities, this is another way that switching from IE to Firefox will help keep you secure.

    Of course changing OS will have a bigger impact than changing browser…

Leave a Reply to Anonym Cancel reply

Your email address will not be published. Required fields are marked *