Security Corner

Aug 28 2010   12:45PM GMT

Ten Web Browsing Myths – Part 2

Ken Harthun

Here is my commentary on the remaining myths from Sophos’ recently issued whitepaper, “The 10 Myths of Safe Web Browsing.”

Myth #6: You can only get infected if you download files. Well, that used to be the case, but these days, most infections are via the “drive-by” download. No one is safe from this because the code is injected into the web page and it executes automatically when the page is viewed. For example, I once visited a site that has funny pictures of cats and was immediately infected by an adware trojan. The pop-ups took over my browser. A hard shutdown and start up scan fixed the problem. That site is fixed, but there are many others that aren’t.

Myth #7: Firefox is more secure than Internet Explorer. This myth got started because IE uses ActiveX technology, which has always had a greater share of vulnerabilities than any other plug-in. The truth is that no browser is inherently more secure than another, since all browsers can execute JavaScript–the language used by all malware on the web for the initial attack. A study done by Secunia in 2008 showed that Firefox was actually the least secure browser at the time.

Myth #8: When the lock icon appears in the browser, it’s secure. This one can get you in trouble fast. All that lock means is that there is an SSL-encrypted connection between the browser and the server. The information still flows. A real disadvantage to this type of connection is that any malware coming along will also be encrypted and could possibly bypass security scanners. Recently, spoofed SSL certificates have made it possible for hackers to give what appear to be valid SSL connections to fake bank, credit card, and PayPal sites.

Myth #9: Web security requires a trade-off between security and freedom. I’m going to disagree with their calling this a myth. Security always involves some trade-off with freedom. In their context, a suitable web security solution (meaning their product, of course) gives the freedom to grant access to sites people need for business while keeping the organization secure. A rather vague argument in favor of making this one a myth.

Myth #10: Endpoint security solutions can’t protect against web threats. Again, their calling this a myth is simply expedient to their promotion of their web filtering product. As long as scripts can pass through to the browser–which is what has to happen or you’ll break most of the web sites–endpoint security solutions can’t do much.

As in all whitepapers, license is taken to put a spin on certain terms to make one’s product look more favorable. Sophos’ whitepaper does this with their calling those last two statements myths. However, they have given real value in their paper with the publication of the other eight myths.
