{"id":2140,"date":"2010-01-18T17:45:21","date_gmt":"2010-01-18T16:45:21","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html"},"modified":"2010-01-18T17:45:21","modified_gmt":"2010-01-18T16:45:21","slug":"government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html","title":{"rendered":"Government security advice is misguided; switching browsers will not make you safe"},"content":{"rendered":"<p>I have mixed feelings about the <a href=\"http:\/\/news.bbc.co.uk\/1\/hi\/technology\/8465038.stm\" target=\"_blank\">recent government recommendations<\/a> from France and Germany to switch from Internet Explorer for security reasons.<\/p>\n<p>Although raising security awareness seems on the face of it to be a good thing, this is na\u00efve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.<\/p>\n<p>Another factor is that many of the most successful malware attacks come via social engineering. That\u2019s not browser-specific, though there are attempts to maintain bad site lists, which don\u2019t in my experience work very well.<\/p>\n<p>The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.<\/p>\n<p>Is Firefox, Chrome or Opera safer than IE? I\u2019m not even sure about that. 
The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? <a href=\"http:\/\/nsslabs.com\/test-reports\/NSS%20Labs%20Browser%20Security%20Test%20-%20Socially%20Engineered%20Malware.pdf\" target=\"_blank\">At least one test<\/a> [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:<\/p>\n<blockquote>\n<p>Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.<\/p>\n<\/blockquote>\n<p>Know a better one? I\u2019d be interested in more recent tests.<\/p>\n<p>Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/bb250462(VS.85).aspx\" target=\"_blank\">protected mode<\/a> on Vista or Windows 7, which is no panacea but helps a little.<\/p>\n<p>But what about the known zero-day vulnerability in IE? Isn\u2019t that enough to make switching browsers necessary, if only temporarily?<\/p>\n<p>I\u2019m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles. <\/p>\n<p>How then do you do secure computing? Don\u2019t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced &#8230; don\u2019t run with local admin rights, don\u2019t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on. 
<\/p>\n<p>Another thing you can do is to browse the web in a virtual machine \u2013 a sort of super protected mode \u2013 not perfect, but would prevent some attacks at the expense of convenience.<\/p>\n<p>If you are really serious <a href=\"http:\/\/www.thevirtualcircle.com\/2009\/11\/the-sunset-of-av-technology-good-for-windows-7\/\" target=\"_blank\">you can use AppLocker<\/a>, or another whitelisting technique, to control what can run on your box.<\/p>\n<p>And passwords &#8230; one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called <a href=\"http:\/\/www.microsoft.com\/presspass\/features\/2006\/feb06\/02-14infocards.mspx\" target=\"_blank\">InfoCard<\/a> that is almost never used, even by Microsoft. Unfortunately that\u2019s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.<\/p>\n<p>I\u2019m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, that they are likely passing their credentials in plain text over the internet for any smart hacker to read.<\/p>\n<p>I am also depressed how often I see \u201csecurity questions\u201d on registration forms, asking for things like mother\u2019s maiden name to be used in case of lost password. It is obvious that these are actually <strong>insecurity<\/strong> questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.<\/p>\n<p>Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. 
No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons. Although raising security awareness seems on the face of it to be a good thing, this is na\u00efve advice and may do more harm than good. Security is a complex and multi-faceted problem, and &hellip; <a href=\"https:\/\/www.itwriting.com\/blog\/2140-government-security-advice-is-misguided-switching-browsers-will-not-make-you-safe.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Government security advice is misguided; switching browsers will not make you safe<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44,55,75,97],"tags":[474,586,810],"class_list":["post-2140","post","type-post","status-publish","format-standard","hentry","category-internet","category-microsoft","category-security","category-windows","tag-ie","tag-microsoft","tag-security"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/2140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=2140"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/2140\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=2140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=2140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=2140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}