Thursday, February 03, 2011

No Browser is an Island

Jeremiah wrote today about web browsers and opt-in security. I think he gets it mostly right (and hey, he pointed at a paper I co-authored so I'm biased) but I think it also misses the mark a little.

Once upon a time there were only two major web browsers, and their user bases were large enough, and users didn't switch, that they had outsized influence on exactly how the web worked. Users had very little choice.

The situation we find ourselves in today is quite different. Users have multiple choices of web browser, especially at home, and are willing to switch to get what they want, or believe they want.

The problem of improving the security of the web, and the security of web browsers, is one of user adoption. For certain classes of security bugs (preventing buffer overflows, etc) the security is mostly transparent to the user. It doesn't change their browsing experience at all.

Unfortunately, many of the changes proposed by the web security community (myself included) have the potential to break large numbers of sites if deployed indiscriminately.

Unless all browsers make changes at the same time, and make them mandatory, etc. with a mutual suicide pact, it can't and won't happen, because users will choose the tool that lets them view more websites, not one that keeps them safer, at least in the sort term. Some users will install a tool (Noscript) to keep themselves safer, not all will.

The upshot is that we aren't going to get universal default security improvements overnight. They are going to continue to be opt-in for the near future, because as Dan Kaminsky is quite fond of saying - "you can't break the web".

This isn't just a technical problem, it is also an economics problem. Without incentives by websites and users to opt-in to newer safer web browsers we are never going to solve this problem universally. Me -I'll be happy if we can at least develop some of the tools to keep us safer, and then let those who want to deploy them do so to keep themselves safer. That action will come from both security conscious sites, and users.