This material is Copyright © 1997 by Matthew D. Healy <Matthew.Healy@yale.edu> of the Yale Center for Medical Informatics.
Date: Mon, 31 Mar 1997 11:29:03 -0500
From: Matthew.Healy@yale.edu (Matthew D. Healy)
Subject: Meta-risks of browser flaws

I fear the steady stream of news reports about yet another security flaw in this or that web program may give rise to some severe metarisks; I dunno which if any of the following possibilities would be most likely:

o A "boy-who-cried-wolf" reaction -- maybe people will start ignoring stories about Yet Another Web Security Flaw.

o An exaggerated fear of security problems may cause people to give up on the Web entirely. I dunno whether using the Web to buy stuff is more or less risky than using older technologies to accomplish the same tasks. I do know that older technologies are far from 100% perfect; for instance both my wife and my father have had their bank accounts hit by check forgers.

o Those who favor tighter Government control over the Internet may use such incidents as "evidence" that the net community can no longer be trusted to run something that is rapidly evolving from nifty techno-toy to serious communications infrastructure.

o Overly-rapid attempts to fix the known bugs in what are, by and large, kludges that were implemented in a big hurry may produce more and worse bugs.

I strongly believe the root cause of most web-related security holes is that market pressures pushed developers to concentrate on implementing new features quickly, without taking the time to do it right. The most positive imaginable outcome would be for those who develop web software to slow down and focus on getting things right; anybody wanna lay odds on _that_ happening any time soon?

Matthew.Healy@yale.edu
http://paella.med.yale.edu/~healy