Security Awareness Blog

Browser Security for the OCU

I've read several interesting security posts on which browser security plugins/add-ons/extensions are best for securing your online activities. After reading through some of these, I began to wonder which plugins we should be recommending to the Ordinary Computer User (OCU), and which plugins we should be recommending in a security awareness program. I posted this question to a security forum and to several security professionals and got a huge range of answers, more divergent than I expected. However, after putting a list together and reviewing all the possibilities, I came to a surprising conclusion. I would not recommend any new security plugins for the OCU; the disadvantages outweigh the benefits. These are my reasons why:

  1. Today's latest browsers are 'secure enough' for most OCUs. As long as end users are running the latest version of their browser, they have most of the security features they need, such as SmartScreen (blacklisting), sandboxing, etc. Each browser is a bit different in its security implementation, but overall I consider them good enough for most organizations.
  2. The risk today is often no longer the browser itself but its plugins. Many browser exploits target outdated or vulnerable plugins (Flash, QuickTime, Java, etc.). By asking OCUs to install more plugins, we send a confusing message. In addition, they may become confused as to which plugin is legitimate and which one is fake (rogue plugins, anyone?).
  3. An additional risk is that if OCUs install a plugin, they may not use it correctly, yet still think they are safe. The classic security plugin is NoScript. This is a powerful tool that most security professionals I know use. Unfortunately, it is not the most user-friendly. I installed NoScript on my wife's computer; it lasted ten minutes. She quickly grew so frustrated that she enabled NoScript to work with any site, disabling most of the security functionality. Even more dangerous, she may feel she is more secure because she has the 'security plugin' installed, even though most of its filtering capabilities have now been disabled.

Want to make end users' browser experience safer? Skip the security plugins; OCUs can only remember so much. My suggestion is to make sure they know to always run the latest version of their browser and to change their home page to Qualys's BrowserCheck page at http://browsercheck.qualys.com. And always remember, regardless of which browser version you are using, the most insecure part is the HumanOS running it.

3 Comments

Posted August 16, 2011 at 6:26 PM

HJohn

I like your frequent reminders of OCU attitudes toward overwhelming messages.
We could update the "boy who cried wolf" to "the computer who cried risk":
* Computer asks "this plugin may be a risk, are you sure?" After some research, calling experts, etc., the user realizes it's okay to click yes.
* Computer asks "this file may harm your computer, are you sure?" After some research, the user realizes it is legit and clicks yes.
* Computer warns "this file may be a virus/malware/harmful". The user thinks "here we go again" and clicks "ok" to continue. Malware then harms their computer.
When a user is warned, there better be good reason. Otherwise, false alarms make them so desensitized that they will habitually allow anything.

Posted August 16, 2011 at 6:30 PM

lspitzner

Excellent point Harold, kind of like the problems Vista ran into.

Posted August 17, 2011 at 1:57 PM

HJohn

This is an interesting commentary on why providers should provide security by default:
http://arstechnica.com/tech-policy/news/2011/08/not-an-option-time-for-companies-to-embrace-security-by-default.ars
Not saying I agree with it all, but interesting in context. (Finally getting back into security discussions now that I'm settled into my new job.)