Browser and Website Insecurity
Are you concerned about default browser security settings?
You should be, since malicious code can be on ANY website you visit.
The sad truth is that very few websites are written with the security of YOUR confidential information in mind. How can we tell this? It is actually easy.
Check the lower right-hand corner of your browser window: is the padlock symbol locked, or open?
Odds are, it is open. That means that the website is not using the Secure Sockets Layer to create an encrypted tunnel for all information passing between your computer and the server hosting the website. This enables anyone who has a packet sniffer to capture the entire data stream. Those intent on criminal activities have packet sniffers and actively look for information that should be kept confidential, like your user name and password. It is well known that 99% of people online use the same username and password for everything, so anyone with ill intent who obtains them can then start accessing things like bank accounts, credit card accounts, etcetera.
What makes this lack of SSL use on websites worse is the fact that EVERY browser ships with a list of trusted Certificate Authorities. Though, really, how well can you trust the word of a company that is only saying what it has BEEN PAID to say? After all, if a person is out to rip you off, they will rip you off, no matter what the Certificate Authority says about them, and that Certificate Authority is not responsible for your loss. I personally delete the list of Certificate Authorities from my browsers, since it is the person or company whose website I am visiting that I trust, or not. It does NOT matter which CA has issued the certificate for the SSL connection; they have nothing to do with the business you are contemplating purchasing from.
The second issue is that EVERY browser is BY DEFAULT enabling things that weaken website security and expose YOU, the end user / site visitor, to having confidential information stolen. I am referring to the use of FLASH, JavaScript and ActiveX on websites. Though ActiveX is only functional if you are using a Windows based computer, the huge market share Microsoft has means that it is an issue for most people. Client-side scripting exposes application logic to malicious people, making it easier for them to CRACK the website and gain illegal access to information stored on it. We can’t forget, all three of these technologies have the ability to write to the hard drive, which means they can save malicious code on your system. ActiveX is worse though: it is a SYSTEM level technology on Windows, which means it has System Administrator access. That is total access. The second half of this issue is that after they have written the website script to run on the client's system, the majority of website developers DO NOT bother to verify the information being submitted on the server before they process it. This means that embedded malicious code is executed by the server, possibly causing an exploit of the server in the process.
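As an added illustration of the server-side check that the paragraph above says most developers skip (example code written for this page, not from the original post), here is a small Node.js comment-form handler whose accept/reject decision depends only on what the server validates, never on whether the browser ran the form's JavaScript; the field names, limits and sample submissions are assumptions.

```javascript
// Added example: server-side re-validation of a comment form (name, email,
// comment). Field names and limits are assumptions, not from the post.
const MAX_NAME = 40;
const MAX_COMMENT = 2000;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Allow-list the characters a name may contain instead of trying to strip
// "bad" ones: anything outside the list is rejected outright.
const NAME_RE = /^[\p{L}\p{N} .'-]+$/u;

function validateSubmission(fields) {
  const errors = [];
  // Never assume the browser sent strings; the request body may be anything.
  const name = typeof fields.name === 'string' ? fields.name.trim() : '';
  const email = typeof fields.email === 'string' ? fields.email.trim() : '';
  const comment = typeof fields.comment === 'string' ? fields.comment : '';

  if (name.length === 0 || name.length > MAX_NAME) errors.push('name: length');
  else if (!NAME_RE.test(name)) errors.push('name: characters');
  if (email.length > 254 || !EMAIL_RE.test(email)) errors.push('email: format');
  if (comment.length === 0 || comment.length > MAX_COMMENT) errors.push('comment: length');
  // Control characters other than tab/newline never belong in a comment.
  else if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(comment)) errors.push('comment: control chars');

  return { ok: errors.length === 0, errors, clean: { name, email, comment } };
}

// Escape before a value is placed in HTML, so submitted markup such as a
// <script> tag is shown as text rather than treated as code.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderComment(clean) {
  return `<p><b>${escapeHtml(clean.name)}</b>: ${escapeHtml(clean.comment)}</p>`;
}

// The handler rejects with 400 on any server-side validation failure.
function handleSubmission(fields) {
  const result = validateSubmission(fields);
  if (!result.ok) return { status: 400, body: result.errors.join('; ') };
  return { status: 200, body: renderComment(result.clean) };
}

// Constructed sample submissions: one well-formed, one that a browser with
// the form's JavaScript disabled could send unchecked.
const goodSubmission = { name: 'Jaqui', email: 'a@example.com', comment: 'Nice post.' };
const badSubmission = { name: '<script>alert(1)</script>', email: 'not-an-email', comment: 'x' };
```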
In essence, if any website that wants you to submit ANY information is not using SSL, then you should not submit any information to that website. If your BROWSER does not pop up a window about not knowing the Certificate Authority, then the people who wrote and configured the browser are TRYING to cause you harm.
That brings up the final point: message boxes or message bars. The two most popular browsers have both implemented the use of message bars across the top of the browser window. The silly thing is that the bar goes away in a few seconds, and is easily missed by the person using the computer. While message boxes get clicked away without being looked at, they still have a 50% effectiveness, while message bars can only have at most 25% effectiveness. So Microsoft’s Internet Explorer and Mozilla’s Firefox are BOTH trying to hide critical warnings from their users when they use the message bar instead of a message box.
To summarise, EVERY web browser is being sent out configured to ENABLE harm to its users, both from having a list of “Trusted” Certificate Authorities and from having client-side scripting technologies enabled by default. Microsoft’s Internet Explorer and Mozilla’s Firefox are worse, in that they PURPOSELY try to hide critical security messages from you with those message bars. YOU, the END USER, need to start complaining to those responsible for these CRIMINAL acts if you really want to stop your confidential information from being exposed.
While I am slamming people for not using SSL on websites, I’ll accept the comments coming from my own lack of SSL use here, with only this comment on the subject:
You do not have to submit any information to this website to read it, and if in reading it you start thinking about what you can do to protect your information better, then it is worth it. I chose not to enable SSL because there is no requirement for ANY visitor to give me ANY information anywhere, unless they choose to make a comment. Then they need to give a user name, password and email address, yet after reading this post, I doubt anyone will do so lightly.