BLOG
Browsers, security and paranoia
MAAWG is coming up and lots of us are working on documents, and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a windows machine to browse the web was over the top and paranoid. It may be, but drive by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.
I am a happy Linux user and I am well aware that that significantly reduces the chances of my machine becoming infected. But I also know that if a significant portion of the online population would switch to Linux today, then drive-by-downloads would be targeting Linux by the end of the week.
As they already do Apple Macintosh computers and iOS devices. :/ Laura is right about the risks. My solution is a locked down instance of Firefox, rigorously updated AV, etc. That kept viruses almost entirely away for years; I’ve had exactly two cases of an infection in the past decade on a computer that I configured. But I don’t expect that to continue; the threats are so much greater now and the tools are not keeping up.
I’m not sure how useful the advice to avoid Windows is, though. The vast majority of users are in no position to take it; they’re not technically competent to install Linux or another OS on their personal computers.
Yes, there’s that (which means that if they dive into it, their lack of understanding could easily be exploited by the bad guys), but perhaps more importantly, there’s the fact that (despite what many of its users want you to believe), I don’t think Linux is inherently more secure.
[…] Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to […]
Hi Laura, I’ve been reading your blog for a while and always found it interesting but the idea that people shouldn’t browse the internet on windows is addressing the wrong problem – if you download a Linux or Mac OSX app with a virus onto your Linux or Mac and then run it, you’re infected.
Windows users are targeted because they are by far the biggest group and they have traditionally been poorly protected (if at all) – but that’s changing, MS now have a better approach to security and with technology becoming rapidly less dependent on OS platform (eg including smartphones) Windows is reducing it’s market share significantly. Smartphones count as a computer that can be targeted too and the reduction in the number of hackable Windows machines means that hackers will find non-Windows machines more tempting targets in the future.
Telling people to “don’t use Windows to browse the internet” implies that other platforms are somehow inherently secure and virus-free – which is just plain wrong. There is a myth that Mac doesn’t have viruses – it always was a myth (albeit a popular one) but as users keep believing it then the easier it will be to hack then and steal their precious personal data because of their complacency. There’s an argument that those users will become *more* of a tempting target in the future.
A bit like personal hygiene in the middle ages, the better argument is to educate people on how to keep their computer secure and safe, and what to do if there’s a problem – and /not/ mislead them about how and why they get ill because no matter how well intentioned the advice, it will eventually become misused information that only makes things worse.
Regards
John