Trusteer Says German Government Advice on Web Security Not Optimal

Browser Vulnerabilities will Keep Cropping up

(21.01.10) - Weekend reports that the German government has advised Internet users not to use Internet Explorer may not be the optimum solution to the problem of Web browser security, says Trusteer, the customer protection company for online businesses.

"The German government appears to be taking a knee-jerk reaction to reports that hackers have been exploiting an IE security weakness, but the problem is that, even if users switch to another Web browser, they are still likely to encounter similar potential security problems," said Mickey Boodaei, Trusteer's CEO. "What is really needed is a high security - but light-weight - browser security service that creates a secure environment between the users' keyboard and the Web site, so preventing man-in-the-middle, man-in-the-browser, phishing and similar attack methodologies," he added.

According to Boodaei - whose company has a number of prestigious banking clients whose customers use the firm's security technology to protect their online banking sessions - the German saga is in danger of descending into a war of words between the regulators and Microsoft, leaving Internet users to fend for themselves on the security front.

Browser vulnerabilities will keep cropping up, and as such the concept of perimeter defense for the consumer's PC are not realistic. The German government, he said, should really be working to help Internet users make their Web banking sessions more secure, rather than steering users towards alternative browser software which may also have its fair share of security vulnerabilities

The problem, he explained, is that most Web browsers have vulnerabilities, in the same way that a regular telephone handset has potential for eavesdropping. What is needed is a technology - which is already available in the marketplace - to make the communication session more secure, rather than simply advising users to switch devices.

Trusteer's CEO went on to say that most of the vulnerabilities that his company hears about are discovered by researchers and then patched by the vendor, before being published. The problem is that, however, just like white hat security researchers, criminals have their own research activities and they find vulnerabilities which obviously they don't share with the vendors. And, he says, when they start exploiting one of these vulnerabilities, this is when it becomes a zero-day attack like the one used with Google.

"It's against this backdrop that we think Internet users need to understand that Firefox is actually not more secure than Internet Explorer. There are no significant architectural differences between the two browsers that would make Firefox less vulnerable," he said.

"Owing to its higher market profile, IE is tested more than other browsers by both the security and the criminal communities, resulting in more vulnerabilities being discovered. It's therefore important that the regulators understand this, and advise users accordingly," he added.

"If the German Government is advising on browser security will they next be telling Germans that they should not use adobe or flash as there are inherent risks and vulnerabilities in many widely used programs not just internet explorer?" he concluded. (Trusteer: ra)