I have found a unique way to keep anyone from using my iMac. While family & friends love the display, they do not use my machine. Many are awed that they can run Windows in parallel to the Mac OS, and the sleek appearance and minimal footprint have created many believers, but after a few seconds they step away from the keyboard. Why? Because they cannot browse the Internet. My copy of Firefox has NoScript, Flashblock, cookie acknowledgement, and a couple of other security-related add-ons. But having to click the Flash logo, or to acknowledge a cookie, is enough to make them leave the room. “I was going to read email, but I think I will wait until I fly home”.
I have been doing this so long I never even notice. I never stopped to think that every web page requires a couple of extra mouse clicks to use, but I always accepted that it was worth it. The advantages to me in terms of security are clear. And I always get that warm glow when I find myself on a site for the first time and see 25 Flash icons littering the screen and a dozen cookie requests for places I have never heard of. But I recognize that I am in the minority. For others, the added work seems to totally ruin the experience and completely turn them off to the Internet. My wife even refused to use my machine, and while I think the authors of NoScript deserve special election into the Web Security Hall of Fame (which, given the lack of funding, currently resides in Rich’s server closet), the common user thinks of NoScript as a curse.
And for the first time I think I fully understand their perspective, which is the motivation for this post. I too have discovered my tolerance limit. I was reading rsnake’s post on the RequestPolicy Firefox extension. This looks like a really great idea, but acts like a major work inhibitor. For those not fully aware, I will simply say most web sites make requests for content from more than just one site. In a nutshell, you implicitly trust not just the web site you are currently visiting, but whoever provides content on the page. The plugin’s approach is a good one, but it pushed me over the limit of what I am willing to accept.
For every page I display I am examining cookies, Flash, and site requests. I know that web security is one of the major issues we face, but the per-page analysis is now greater than the time I spend on many pages looking for specific content. Given that I do a large percentage of research on the web, visiting 50-100 sites a day, this is over the top for me. If you are doing any form of risky browsing, I recommend you use it selectively. Hopefully we will see a streamlined version, as it is a really good idea.
I guess the question in my mind is how much security will we tolerate? Even security professionals are subject to the convenience factor.
Reader interactions
4 Replies to “How Much Security Will You Tolerate?”
Actually, I just change the settings and then change ’em back when you’re not looking. Tell me again why your screen’s bigger than mine…
I am not there yet. I have had it on now for 24 hours, and I now have exceptions in for most of the common sites I use. This is no different to when you run up NoScript for the first time.
The allowing/denying of cross-site requests for pages I bounce through to from links/searches hasn’t hit my security intolerance level yet. In fact, it does help with checking the URLs of tinyURLs when bouncing from Twitter. (Yes, you can go preview the URL first, but isn’t that more work and more time consuming?)
I am in the same boat with you. I use and do everything the same with regard to Firefox. (NoScript, cookie approval, Flash block, etc.)
Having recently installed RequestPolicy, it’s been getting on my nerves a little. EVERY link from Twitter, EVERY link from FriendFeed, most every link from my feed reader, I have to approve.
It’s almost too much security for too little risk. Especially if you’re careful, as I believe we are. I’m giving it a few more days, and I need to explore its whitelist, but I think it’s headed for uninstall.
I blogged about this very issue myself a while ago:
http://www.compliancefocus.com/blogs/30/Browsus-interruptus-or-how-the-present-state-of-security-is-failing-us.html
My conclusion is that security is very much broken when we have to use something like NoScript, and individually assess whether we “trust” each web destination.
Average users who aren’t in the security business a) won’t tolerate this, and b) have no basis for making a trust judgement for each site they visit.
Frankly, when some of the web security vendors publish reports saying that 60 or 70 of the top-100 websites have either major vulnerabilities, or are harboring malicious code, I am not sure I make valid judgments about the trust I should place in the sites I visit, and I’m in the business.
Jim Hietala