9 November 2007
Browser providers should admit flaws, says Mozilla
Web browser providers should be more open about their vulnerabilities
in order to help each other and make the web a safer place, argued
Window Snyder, chief security ‘something-or-other’ of
Mozilla.
“The media is so heavily focussed on reporting vulnerabilities,
and ignores all of the fixes being made. It should be the other
way around. But you won’t see this happening unless vendors
start being open with this stuff, and that’s what we’re
trying to do at Mozilla,” said Snyder, during her keynote
presentation at CSI 2007 on 7 November.
Mozilla Firefox is an open-source browser with over 130 million
users; anyone can propose changes to its code, and anyone can
comment on those proposals. “We use a transparent approach
to security at Mozilla, because we believe that users deserve to
know about any problems out there,” said Snyder.
“Most vendors ship security updates for vulnerabilities reported
externally,” she continued. “Mozilla continuously searches
for vulnerabilities and ships security updates on a regular schedule.
You don’t have to wait for a major release to benefit from
the work we’re doing.” Snyder said that waiting for
a fix that has already been checked in is pointless: “Customers
shouldn’t have to wait for a fix that is just waiting for
the right shipping vehicle to be ready.”
Being open and honest about finding holes and bugs is essential,
argued Snyder: “Just because bugs are found internally doesn’t
mean they shouldn’t be known externally.” Marketing
claims about which web browser is the safest need to be measured
properly, she continued. “Counting bugs doesn’t work
– it can just be a measure of how well you searched. Counting
bugs also provides vendors with an incentive to keep quiet about
their vulnerabilities, and that’s not helpful,” she
said.
“We need to help users help themselves,” said Snyder.
“Users aren’t dumb. But they shouldn’t have to
be PKI experts to shop safely online. They’re just trying
to accomplish a task, and poor security user interface gets in the
way.” Web browser instructions are not always helpful either,
argued the chief security something-or-other (her actual job title).
“We should help the user by using clear language and concepts.
Technical jargon isn’t helpful.”
Usability is important when targeting such a wide and varied audience.
“Focus on who your user is and target the language at them.
Don’t build trust around symbols that can be easily copied.
For example, users now think that any site with a padlock symbol
is secure. Similarly, you can’t expect users to recognise
the absence of a security indicator,” argued Snyder.
She concluded by arguing that security communication needs to be
improved between web browser providers and users: “We need
to turn marketing claims of ‘we’re more secure’
into measurable progress. And we need to congratulate people for
sharing their vulnerabilities, not judge them.”