web application security lab

Least Common Denominator

10 posts left…

While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?” I was laughing too hard to hear whether the guy had a useful retort or not. But I doubt the guy in the audience was prepared for this argument. Now some people would argue that no, it’s your own responsibility to secure your browser as much as you need it to be. It’s always been my take that if you let people have something insecure it’s never going to get any more secure than it is that day (for the vast majority of users), because of the least common denominator and the fact that the web developers are going to use as much of that functionality as they can - forcing me to use JavaScript to log into my bank and such.

Normal users want a subset of what the browser is capable of, but even more usability than what a browser comes with by default. If they can tie their browser in with Twitter, make it auto-log-in to every account they have and pipe in music from iTunes all at once, that’s a good day. Security people, for the most part, want a different subset of the browser, and want very few of the usability improvements that browsers are adding in. Unfortunately, we are also stuck with whatever everyone else wants, because we do have to use the same sites. And the worst part is the browsers weren’t designed with guys like Jeremiah in mind - they were designed with thoughts of people who had never used a computer before. As such the browsers are building on legacy software that needs to support other legacy software atop a very flexible architecture, making it harder and harder to be secure over time.

As such, yes, Jeremiah is absolutely forced to have a less secure browsing experience because of Yandex and the 1000x other edge cases that we have been unable to break for fear of backlash. This includes breaking requests to localhost because of Google Desktop. This includes breaking cross zone RFC1918 requests because of legacy banking apps. All kinds of dumb things that should have never been built like that are causing us to be less secure, and until we’re willing to break the web (like with the CSS History hack fix that Mozilla championed) we’re going to be stuck with the least common denominator problem. I wish I had the answer, but I don’t.
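The two breakages named above (requests from a public page to localhost, and cross-zone requests from a public page into RFC 1918 space) are both instances of one policy: a less-trusted origin must not be allowed to initiate requests into a more-trusted network zone. The example below is added here to make that policy concrete; it is not code from this post or from any browser. The three-zone model (public, private, local), the zone ranking, and the `decide` allowlist are assumptions of the example, not a description of how any particular browser implements it.

```python
import ipaddress
from urllib.parse import urlsplit

# Zone model assumed by this example (not any real browser's implementation):
# "local" for loopback, "private" for RFC 1918 / link-local ranges, and
# "public" for everything else, including ordinary hostnames.
ZONE_RANK = {"public": 0, "private": 1, "local": 2}


def zone_of_host(host):
    """Classify a hostname or IP literal into a network zone."""
    if host is None:
        raise ValueError("URL has no host component")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only the literal name "localhost" is treated as
        # loopback here; every other hostname is assumed to resolve publicly.
        return "local" if host == "localhost" else "public"
    if ip.is_loopback:
        return "local"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def is_cross_zone(initiator_url, target_url):
    """True when the request crosses into a more trusted zone than its initiator."""
    initiator_zone = zone_of_host(urlsplit(initiator_url).hostname)
    target_zone = zone_of_host(urlsplit(target_url).hostname)
    return ZONE_RANK[target_zone] > ZONE_RANK[initiator_zone]


def decide(initiator_url, target_url, allowlist=frozenset()):
    """Return ("allow" | "block", reason) for a request a hardened browser sees.

    `allowlist` stands in for the legacy exceptions the post complains about:
    a hostname in it is allowed even when the request crosses zones.
    """
    target_host = urlsplit(target_url).hostname
    if not is_cross_zone(initiator_url, target_url):
        return ("allow", "target is in the same or a less trusted zone")
    if target_host in allowlist:
        return ("allow", f"{target_host} is an allowlisted legacy endpoint")
    initiator_zone = zone_of_host(urlsplit(initiator_url).hostname)
    target_zone = zone_of_host(target_host)
    return ("block", f"{initiator_zone} page may not reach {target_zone} host {target_host}")


if __name__ == "__main__":
    # Constructed sample requests; the hosts are placeholders, not real sites.
    cases = [
        # a public page poking a desktop search daemon on loopback
        ("http://attacker.example/", "http://localhost/", frozenset()),
        # a public banking site calling a legacy intranet backend (no exception)
        ("http://bank.example/", "http://192.168.1.10/legacy/", frozenset()),
        # the same request with the legacy backend explicitly allowlisted
        ("http://bank.example/", "http://192.168.1.10/legacy/", frozenset({"192.168.1.10"})),
        # private page calling a public site: no escalation, allowed
        ("http://192.168.1.10/", "http://bank.example/", frozenset()),
        # two hosts in the same private zone
        ("http://10.0.0.5/", "http://10.0.0.6/", frozenset()),
    ]
    for initiator, target, allow in cases:
        verdict, reason = decide(initiator, target, allow)
        print(f"{verdict:5}  {initiator} -> {target}  ({reason})")
```

The allowlist parameter is the interesting knob: with it empty, the policy is the strict one the post wishes browsers could ship, and every legacy exception added to it is exactly the least-common-denominator erosion the post describes.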

4 Responses to “Least Common Denominator”

  1. blahblah Says:

    I think the answer is to enable this possibility with some easy way - some addon (noScript is too annoying for the average user) and then spread it around as the “THE” way to get “SECURITY” (with airquotes for all us security folks). Shameless plugging/marketing etc. will get this noticed (particularly when the next twitter/facebook worm happens) and lots of people will turn this on and complain about sites that break TO THE SITE OWNER.

    People happily agree to stand in line and come 1-2 hours in advance for their flights in the name of ’security’ - it seems they will do this too :)

  2. Marc Ruef Says:

    Hello,

    I agree that the goal shall be to lead to the most secure environment for all of us.

    But the introductory dialogue you have mentioned does not consider the complexity of modern companies. In most cases it’s not the same guys that define “enable javascript” + “visit web site x” and the guys who have to implement the according settings ;(

    In many cases fighting decisions as an external person does not lead to a solution. In most companies you would have to infiltrate the team that proposes the weak policies ;)

    Regards,

    Marc

  3. McCoy Pauley Says:

    “What version of Windows are you running?”
    “Uh, Windows.”
    “No-no, what VERSION of Windows…..98, XP, Vista….??”
    “Uh…..”

    You really CAN’T fix stupid, bro.

  4. Nathan Says:

    That’s ignorance, not stupidity. You can fix ignorance, with education and experience, but treating people like they’re stupid only makes things worse.