Don’t worry, I am not giving a whole tirade of why security is heavily overrated, because it is not. With all our personal information is trusted to sites and companies online, including very private or financial information if not worse.
And with malware being installed without permission, phishing emails being sent out trying to have you log in into malicious sites, or demanding payment of thousands of dollars to let you receive your lottery price from Somalia.
Sure, most things people can avoid by just using the web in a smart way.
But is that completely the right way to handle this? I mean, not everyone using the internet is aware what the right way to be on the internet is. And it has nothing to do with being dumb or smart… the idiotic coincidence is that most information about how to safely surf the web and behave is found… tadaaaah…. online. Which means that a person needs to know how to handle a computer, surf the internet, know how to find information you can trust, and then read it. If you are a total newbie on the web, this might have caused numerous occasions where the security of this users computer has been compromised.
Is that this user’s fault?
Another thing is the responsibility that certain web developers and web production producers need to take. Making sure their sites do not allow cross-site scripting issues, that their information is encrypted that should be encrypted and that after that, the servers are hosted securely.
But even beyond that. The whole DigiNotar scandal of last summer showed that you can have your transactions encrypted, and still be compromised. Producers of platforms that we all use; web browsers, servers, hardware, software, certificates… they all need to do their job.
I can make a perfect secure search box on my site, and have my server completely locked up… there is no 100% guarantee that it is perfectly secure. Who knows what 0-day leak they find in my operating system tomorrow.
And I do not care.
Yes. I dare to say it: I-Do-Not-Care.
The reason why is simple. I can’t afford to care about it. In the end, if you do things good, according to the books, it is all you can do.
I am not saying you should not worry about it, I am only saying that you have to rely on other people’s expertise, and if you do your research before choosing any kind of partner that delivers your platform… trust it. Find out what you can learn about them, about the product that you are using, prepare the product you are building on it and from that moment on… trust it.
Sure, it is dumb advice… because why should you trust big commercial multinationals that would sell their mothers if there is money in it. Because you simply cannot know everything there is to know to not to.
It is the same way how you step into your car every morning and trust that your brakes will work fine and in a case of an accident, that your airbags prevent more damage.
Should you just blindly then trust anyone. No, absolutely not. Do research, ask for references, check the references, reviews, and test.
Just keep in mind: Security does not keep you secure, it keeps you as safe as possible.
Airbags fail, brakes lock, you will never have a 100% security in anything. Don’t try to achieve it. Try to achieve the highest possible amount of security, and if you have the idea that that is still lacking, find ways to get it better.
But also, not everything needs to be secure, or you do not have to worry about it so much. If a search box on a news website is not cross-site scripting compliant, but there is no information stored in there that in any way deliver any private information – don’t lose sleep over it. Should you fix it? Sure. Would it be the highest priority? That is up to you.
Personally, I would think that the producers of underlying technology should do their part. What if, for example, a SQL or mySQL server receives a query that contains cross-site scripting from a dynamic form? It should be able to by default deny that query. And if a developer needs it, it can turn that safety check off. And there are more things like that.
It is like installing locks on your house. Sure, they can be picked and broken, your alarm system might be malfunctioning. But you have to rely on it. For example, take the problem with car alarms… who is really still looking up if another car sounds its alarm. No one. The police would not show up for one. People will not respond to it. It is also a false element of security.
And people themselves, surfing online without a clue? There should be a good level of security, but also there… we cannot expect that they stay 100% secure. It is the same reason why you are not allowed to drive a car without lessons.
But, after all of this, do not think that I am saying security is not important. It is, very! But you have to rely on the tools that are available to you. Make use of them. But chose them wisely, because you do carry the responsibility for your production to your users.
I think the moral here is, for each party involved, like in every other part of life: Take responsibility and in the words of Fox Mulder: Trust No One.