ThinkLemon



Safe browsers don’t exist. True.

According to David Sheets they don’t. He has written a column about the safety of browsers. And I think he’s right. Partially…

Safe browsers do NOT exist. Agreed. Just as bug-free software doesn’t exist. However hard you try, there is always some funny/strange/malicious kind of input possible that throws your normal day of business off, due to a novel way of using your software. Be it ‘code’ injection, buffer overflow, social engineering, … As a developer of any kind, you’ll never, EVER, quite anticipate your users’ actions. And that’s just your users. (You don’t design a hammer to kill people, do you?) I’m not even talking about the evil hacker dude. You can test your baby to death, but you can never be fail-safe enough.

Or can you? There are many methods of testing your software (web or desktop). I personally like ‘Berzerk’ testing. :-) But basically, let your software be tested by end-users. Or, if they aren’t available, by some third party. NEVER your client. Do not attempt to test your baby yourself. Well, maybe only during initial development. Because? You know your click-paths, your feedback, ‘oh well, that will be fixed during launch’, ‘who on earth will do THAT!’. Subconsciously we all have a tendency to avoid pitfalls, and a short-term memory. As does your client. They only want to see what happens with what they initially invented (read: paid for).

What I’m trying to say: you’ll never know what some person at some time is going to do with your product. Surely any good designer will try to anticipate abuse. But that can never be fail-safe. As for software, wouldn’t it be nice if the platform it runs on could jump in where the software failed? Something like: SoftX has a buffer overflow that is being used to try to take control of the OS and install this spyware thingy, and the OS would just reject the overflow of the application? Along the lines of “Your lack of security doesn’t mean I will let you!”

Now to the real world: Firefox has a problem on May 9. On May 11 there’s a fix. That’s just 2 days. 3 for the general public, OK. But that’s just quick, isn’t it? IE patches are generally released weeks after. So it’s quite a record. Oh no, I’m sorry, that record is held by Netscape 8.

Lesson learned:
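function fnTest(myBaby) {
    try {
        // Let real users (not you, not your client) hammer on it
        var bResult = fnRunTestRound(myBaby, aUsers, nTestRounds);
        if (bResult == 'OK') {
            return bReadyForRelease = true;
        } else {
            // Something slipped through: patch first, release later
            fnReleasePatchASAP(myBaby);
            return bReadyForRelease = false;
        }
    } catch (e) {
        // The test round itself blew up: back to the drawing board
        fnReworkApp();
    }
}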


2 Responses to “Safe browsers don’t exist. True.”

  1. jordan willms Says:
    May 30th, 2005 at 8:45 am

    Hey!

    Great article, I wrote something similar at http://www.jordanwillms.com/index.php/archives/2005/05/27/there-is-no-safe-browser-why-not-state-more-obvious-things/

    I am including a link to your entry because I really like your explanation of exploits.

    cheers

    Jordan Willms

  2. Caspar Says:
    May 30th, 2005 at 4:05 pm

    Thanks. Like your article too!
