Sunday, July 24, 2005

The Browser is the Problem

Firefox users, including myself, widely consider themselves to be safer by using it instead of Internet Explorer. That probably is based in truth. All indications are that it is. But it has also led to a sort of arrogance on the part of many Firefox adherents. I wish I could say I hadn't fallen prey to this, but in fact I have. Once I started using Firefox, I gave a lot less thought to browser security.

Now we have the Greasemonkey add-on to Firefox, which turns out to have a really huge security hole in it that can allow an attacker to list the contents of directories on the target machine and view files.

With the mindset of Firefox users, feeling so safe and all, we download add-ons to our browser with very little thought, if any. I know I did and I suspect most of us do. I never gave any thought that the add-ons I've downloaded might compromise the security of my machines. We ignored the truism that even adding a small snippet of code can open security vulnerabilities undreamed of and all out of proportion to the size of the change made to the system.

The problem isn't so much with Firefox, its add-ons, Internet Explorer or any other browser. The problem is that we're spoiled; we expect our browser to do everything. Think about that for a minute. It's true. And adding those functions with ActiveX, Flash, JavaScript and all sorts of other technologies over the basic rendering functions of a browser has caused all sorts of security headaches. Functional and interoperability headaches, as well, but that's almost another story. We as consumers didn't demand all these functions. They were developed and released with good, or at least commercial, intentions. And once they were loose upon the world, we took them to our hearts and raised our expectations of what our browsers should do for us.

For a couple years now, you have heard me admit occasionally during the show that I still use text-only browsers, namely Links, which either comes with or can be installed on any Linux system. I do this because these browsers render pages much faster than full-functioned browsers do on our dialup connection, which is ideal when reading large amounts of text. While the interface is plain, for a lot of my browsing, Links is all I need. It can also download files and save pages. It works for me.

Links is also much safer. Containing fewer technological whizzbangs makes it that way. Not that it has received the amount of attention from malicious types that IE or Firefox has, so I can't say that for sure. But it stands to reason that fewer features equals fewer vulnerabilities and I have never heard of a successful malicious attack on it.

Perhaps we should carry this further. Perhaps we, the public, should demand minimally functional browsers designed for security and to eliminate pop-ups, adware, spyware, etc. I, for one, could do well over 90% of my browsing with such an application. For the remainder, I could either use a more fully featured application or (more likely) give it up.

Come to think of it, this same argument, that limited functionality could enhance our security, can be extended to make a good case for so-called "Internet appliances". Such machines, incapable of running any software but what they were built with, could enhance our browsing experience even as they protected us, providing only that and mail capabilities. Want to download files? Okay. We'll give you disk space for just that, but you will have to hand-carry the files to another machine to view or install them. We'll provide a USB slot for that and you can plug in your memory stick, if you insist.

If it's really well done, viruses, spyware, adware and all sorts of annoyances could be a thing of the past for those who own them. The same could go for cookies and tracking users across the web. Maybe I need to take another look at Microsoft TV. Then again, I'd really like something not so heavily based on proprietary technology, though there's nothing beyond their history of corporate attitude and policy stopping MS from doing that right. Still, I think it's time for such appliances to make a comeback and so allow us to disconnect our precious data from the Internet. After all, if it's not hooked up, it can't be accessed by the bad guys. And we can access what we want on the Internet with our appliances, leaving the computer safely cut off from the outside world.

I'm not at all sure I like this idea. It's almost "over the top" and involves some inconvenience for us as users. But it would save us from the armies of zombie computers which attack us or spam us because our machines would be incapable of that sort of behavior. We could have more privacy, as well. And I wouldn't have to worry about my browser.

Jack
