There’s been a lot of changes recently to Internet security done mostly by browsers to improve the online safety of Web users. Even though I have a security background, I have some serious issues with the stance browsers and other technology companies have been taking in improving Internet security. My major concern is that not enough is being done to educate end-users.

I understand that there has always been an epic battle between businesses, tech people, and end-users, in regards to educating the everyday computer user. I know it has been a losing battle and understand that companies often resort to “well, if the user is going to be dumb, then I’ll just do everything I can to prevent them from making a mistake”. This mentality is, in an of itself, a mistake. Non-educated users are prone to finding innovative ways to make mistakes, regardless of the safeguards we put in place, despite the amount of preventive security that is put in place.

If you’ve ever seen a site that looks like this, you’ve been “saved” by a browser’s attempt to block “bad” sites. The problem with this is that your safety net, as a user, is dependent entirely upon a browser‘s ability to scan millions of sites and be able to differentiate between those that are good and those that are bad.

Unfortunately, browsers will never be able to catch all bad sites, some are going to get through and users will be defenseless. At some point, we will need to weight which losing battle we will want to fight. So far educating users has not been a popular choice of action, however, there are some changes in the horizon.

I came across a new Web site by Verisign, Phish or No Phish, which quizzes users on which sites are phishing Web sites, and which are real Web sites. It then promotes the use of EV (Extended Validation) SSL Certificates (the green bar on the browser) to identity secure domain names. I like that the approach taken was to educate the end-user on the reality of bad online and how to spot those sites that are bad. I also thought that the Verisign quiz was biased towards having users miss more questions than normal so that they can then show how bad the problem really is. Again, I have a security background and admit that I did not get 100% of the phishing sites on the quiz.

The problem, really, is that most phishing Web sites come from non-standard domain names for the company being copied. Verisign, on the otherhand, user man-in-the-middle (same domain name on both screenshots) for all but one of their quiz questions. Hate to break it to Verisign, but very little of the phishing sites out there operate this way. Most are coming from the garbage domain names. In any case, the overall, the positive effect here is that more emphasis is being placed on educating users.

As technology professionals we can only do so much. Eventually, our users will be left on their own and will have to stand on their own two legs, the question, then, is “will they do the right thing?” I certainly hope that we see more of this from technology companies.

Bookmark This...