It has been almost ten years since anyone could buy a car without one or more air-bags (at least in the US and Europe). It has been more than twenty years since cars without three-point restraint seat-belt systems were available. Car manufacturers were not happy about all of it at the beginning because it drove costs up and it involved additional research investment.
Public opinion and related industries drove lawmakers to push (and then mandate) technologies such as air-bags, early warning break lights, and anti-lock breaking systems. Aside from the consumers' enjoyment of safer transportation, insurance companies also benefited (financially) from the deal. Today car safety is a burning issue for anyone looking to buy a new car.
Why don't we see public pressure to make our web-sites safer? Why do most people scrutinize their prospective car better then their bank's Internet safety policy? Why do people read about crash-test results in magazine and new-papers motor sections? Why do so many people know what it means that “Somecar SL” made by “MotorMaker Inc.” scored a 5 on the European NCAP tests?
The answer is education: People look at the little lock at the bottom (or top) of their web browser and say "Yey! Safety!" Curiosity might drive some of them to look at the certificate behind the lock, and read about how one important sounding company verified and authenticated and identified the web-site. Web application security is so much more than that.
Jeremiah Grossman wrote about education. I agree that web-developer and web-testers should be made more aware of the dangers inherent to web-applications. But not only them. The users of these applications need to be able to demand safety, except they don't know they need to.
Ever see a crash test dummy thrown through a window? Who hasn't? There isn't a person alive today in the western world that hasn't marveled at the speed an airbag opens, catching, in slow-mo, the dummy's head it slams helplessly towards the steering wheel. It's in commercials, news reports, and MTV videos. It certainly drives the point home. We all want air-bags in our cars. We know why. We know what can happen if we don't. We care about safety features and design of our vehicles in a level that exceeds the knowledge required for normal use.
And to ease our minds, we do not crash cars to test them. We have bodies we trust to do that for us. European standards institutes, independent safety magazines, etc.
What about web-applications?
I have to confess: until three months ago I was a part of the ignorant mass. I clicked on the Locked icon and in knowing self-importance thought: "VeriSign, yes, good. Oh, look, forms and fields! Yes. Very good! This site is secured. It is safe."
I was even clever enough not to press links in emails: always copy-paste them into the browser. You never know what really lurks behind the link's text, certainly not from an unfamiliar source.
But then I came to Watchfire and learned a few things. About the inexcusable ease that a web-application can be hacked, if the right web-app-developer fell asleep on the job.
I saw a live presentation of the Google-desktop hack. I then thought: I don't know anything about UTF-8 or URL encoding. Despite thinking of myself as Internet-clever, I considered the following scenario:
I get an email from a friend, telling me to check out a funny Google-search. I look at the link and despite all the odd ?, %, &, and numbers it looks perfectly normal to me. I copy, and paste it into my browser. I get a host of pictures of nuns riding unicycles.
Now, my friend got the message forwarded from another friend, which came from a brother, which came from a class-mate, who's not really sure who the mail was from, but thought nuns on unicycles are pretty hysterical. This way a chain of trust is established that resulted in me exposing my machine to the whims of a malicious hacker through my beloved Google Desktop application (which is a web-app for all intended purposes).
But it’s not just trust-chains. It’s the promise of fun that makes most people ignore common sense and develop trust toward things that do not warrant the trust. The phenomenon is widely recognized and has been named: The Dancing Pigs Problem. People are easily tempted by dancing pigs. People are easily distracted by shiny, sparkly, exciting things. As remarked by Bruce Schneier, even if the warning is clear and unambiguous, the everyday web-surfer will choose to ignore it with the promise of some enjoyment.
As a community, web-app security needs to tackle the masses. We need a way to drive the point home. People use the Internet and its peripheral services and have no understanding of the technology or the risks involved. People download, share, do business, send and receive, talk, watch, play, read, write, and live virtual lives in a virtual universe. People learn about internal combustion and the hazards of navigating traffic in high school. There are vehicle-safety documentaries by the dozens. The only documentaries about the Internet are about sensational hackers and their crimes. People are angry at attackers, and not about their web-app providers for not protecting them and their data.
As technologists and engineers, we are so used to the Internet technologies. All the ignorance out there does not even occur to us. We need to start with simple examples, not to be afraid to approach the public as children. Remember that we need to start at the beginning. Explain things step by step until a greater understanding prevails.
Once the users become more and more clever, they will start approaching their service providers and ask them: What body governs and approves your site security? Which standards do you hold yourselves to?
The web-application providers will start generating and seeking standards on their own. The security community needs to help bring that change about, and then to be there to work together with the industry to create the safer Internet-world we all need and deserve.
Comments