Friday, November 10, 2006

If You Are Alive, It Is NOT Too Late...

So, I have to admit to a heinous crime against the world's security: I was an IE user, until today (Oh, horror!). I am sure there will be a few of my readers who will just stop reading further after crying out "What an idiot!" and closing their certifiably non-IE browsers :-)

My "excuse" was that I was relying on my ability to configure Internet Explorer securely, at least, securely enough to avoid most-if-not-all common "uglies" and yes, on accepting the risk of being owned via a stray 0day. Yeah, I used tightly-configured Firefox for shadier websites (and Lynx for truly bizarre ones), but stayed with IE for most day-to-day browsing, until today.

However, my whole browser "switching behavior" allowed me to think (and now to blog) a few thoughts about how security works.

So, why did I switch? Isn't IE7 "the best IE ever"? You bet! Does it have the cool and useful features? Yeah. Is it "secure"? Well, hopefully less insecure than its predecessors. I am sure that MS can learn the security lessons, and IE truly did become more secure, just like IIS leaped from the totally rotten "Swiss cheese" state of the 4.0 days to the relatively safe state of IIS 6.x.

There is, however, a tiny bit of an issue with IE7. It doesn't work! Well, it does work in some cases, but upon hitting the 10th website that rendered with errors in IE7, I said "fuck it" and started using Firefox for everything.

So, here are the thoughts.

Has MS made IE7 so secure that it doesn't work anymore? That is one possible option. Maybe the whole "let's not be shy about breaking functionality in favor of security" theme did catch up with them.

But you know what? Users, and my example only proves that, totally hate it. I didn't switch to Firefox after all the years of horrendous spyware infections out there, all the 0day hacks and phishing exploits. But I did switch after a few hours of browsing and seeing errors and broken HTML.

So, is security always secondary to functionality? No, that is the wrong question to ask. The truth is that secure functionality is clearly preferred to insecure functionality. However, all the security in the world will NOT make someone switch to something that does not have the needed functionality. Which is, IMHO, an important lesson that we purveyors of security gear should always keep in mind!

Dr Anton Chuvakin