Copyright © 2009 What The Hell? Security
Q: What do phishing and drive-by malware have in common?
A: They’re both irrelevant before you click.
Simple, isn’t it? Eh, not so much.
If it were simple, there’d be an accurate way to anticipate the result of clicking. On links and “Submit” buttons I mean.
Yeah, I know what you’re gonna say. “IE tells me when I’m going to a dangerous site.” “Google tells me when I’m going to a dangerous site.” “SiteAdvisor tells me when I’m going to a dangerous site.” Or worse, “My eyeballs have been specially trained to alert me to a dangerous site when I’m already on one.”
Assuming you’re right, you’re wrong. Handing the mother who raised you a thousand-dollar Starbucks gift card is not the same as not handing it to some stranger wearing an “I heart T.J. Max Coffee” shirt.
Furthermore, being told about crappy joe as the only means of avoiding it is about as useful as a barista telling you to avoid a particular street corner because T.J. Max Coffee currently has, and/or at some undisclosed time in the past used to have, a storefront there. (Me, I just prefer to know which street corners have a Starbucks or four. And of course there’s no denying that I’d also like to steer clear of that nasty T.J. Max java.)
I don’t care about how the vast majority of street corners are caffeinated by the way. There are an awful lot in the world, 99.99% of which could vend Piggly Wiggly Generic Drip for all I care.
Ditto with what lies behind 99.99% of the links I’m exposed to, and to a lesser degree, forms. When it comes to fraud, nominally speaking, only a very few matter.
Tell me I’m crazy — and given the amount of time I’ve spent on this problem I just might be — but the only way I can think to prevent fraud in a world of post-click risk, is with a solution that tells you:
- authoritatively, and …
- prior to clicking, that …
- should you click …
- precisely what will happen …
By that third point, I mean precisely what will happen. Not as in “no fraud.” In the case of links, as in what’s there, and who put it there, and how it can be used, and how long it will be there, ad infinitum. In the case of forms, as in who’s receiving the information you entered, why they need it, how they’re going to use it, ad nauseam. The truth, the whole truth, and nothing but the truth.
Now there’s a concept: Truthful links and truthful forms when and where it matters. Sounds insanely difficult and ambitious, doesn’t it?
Eh…not so much.