Another Java Attack

There’s another attack on Java via a new zero-day flaw. This is why I don’t keep Java enabled in web browsers anymore. If you still do, I’d suggest turning it off. There’s a good chance you won’t miss it.

I’ve yet to get there with Flash, but the day is coming. After the previous post a few months ago, I think I like the idea of a blacklist/whitelist for plugins in general that allows a user to enable them only for specific hostnames. That would make it a bit more intuitive to use plugins when still needed, but gain the security of not having them available for any hostname you happen to stumble upon. The options would be something like:

Enable [plugin name] on [hostname.tld] for:
(This session only)     (Forever)       (Never)

For certain things like YouTube, you could enable Flash forever since Google is rather trustworthy. For other sites, perhaps just the session. For others, maybe never.
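
The per-hostname prompt described above, sketched as an added example (not from the original post and not any browser's actual code): a small permission store where a plugin stays unavailable until the user answers the prompt for that exact hostname. The names `PluginPolicy` and `Choice` and the sample hostnames are hypothetical, and hostnames are assumed to be plain ASCII.

```javascript
// Added example: per-hostname plugin permission store (all names hypothetical).
const Choice = Object.freeze({ SESSION: "session", FOREVER: "forever", NEVER: "never" });

class PluginPolicy {
  constructor() {
    this.persistent = new Map(); // "forever" and "never" answers, kept across restarts
    this.session = new Set();    // "this session only" grants, dropped at session end
  }

  // Normalize so "YouTube.com." and "youtube.com" share one entry,
  // and reject anything that is not a plain hostname.
  static key(plugin, hostname) {
    const host = hostname.trim().toLowerCase().replace(/\.$/, "");
    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host)) throw new Error("invalid hostname");
    return `${plugin.toLowerCase()}|${host}`;
  }

  // Store the user's answer to the prompt; the latest answer replaces any earlier one.
  record(plugin, hostname, choice) {
    const k = PluginPolicy.key(plugin, hostname);
    if (!Object.values(Choice).includes(choice)) throw new Error("unknown choice");
    this.persistent.delete(k);
    this.session.delete(k);
    if (choice === Choice.SESSION) this.session.add(k);
    else this.persistent.set(k, choice);
  }

  // Returns "allow", "block" or "prompt". Matching is on the exact hostname,
  // so a grant for youtube.com does not extend to its subdomains.
  // "prompt" means the plugin stays disabled until the user answers.
  decide(plugin, hostname) {
    const k = PluginPolicy.key(plugin, hostname);
    const stored = this.persistent.get(k);
    if (stored === Choice.NEVER) return "block";
    if (stored === Choice.FOREVER || this.session.has(k)) return "allow";
    return "prompt";
  }

  // Call when the browser session ends: session-only grants disappear.
  endSession() { this.session.clear(); }
}
```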

Pavlovian Vulnerability

It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of whitelisting the domain, so that you can install, then wait for the delay, and install. Restart your browser, and you’re done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?

I hope at some point, we get to the point where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but some. That can be installed easily, and the user can know that they are safe.

My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.

How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about? I’m guessing most people just view these as annoyances, and still open and install stuff indiscriminately.

The problem with security is eventually people get used to it, and life goes back to normal. It’s something faced by national security experts, as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yea, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?

The big question is how do you clearly distinguish between safe, and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.

Definition

Pavlovian Vulnerability – the susceptibility to a security risk due to a learned response almost automatic in nature in reaction to a monotonous situation or predictable chain of events.

Note: this is different from carelessness or negligence because Pavlovian requires it be learned, either by training, repetition or some other means.

Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.

Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.