A few days ago Google decided to shut down its operations in China after a spear phishing attack directed towards Chinese human rights activists, as well as attempts to steal some of Google’s intellectual property. It is presumed that the attackers sent exploit-ridden PDF attachments in emails to Google employees, thus attempting to gain access to internal systems that contained account passwords (some researchers’ opinions differ). This and similar attacks have been going on since mid-June of 2009 and affected over 30 companies around the world.
What’s different this time is Google’s response to the attack, as well as the response of a number of governments (like France and Germany), which made public announcements recommending that their citizens stop using Internet Explorer, since the attacks were targeting this browser’s vulnerabilities.
Online security is a lot like an inflatable balloon. If you squeeze a balloon, the air will expand the part with the least resistance. When it comes to security, attackers will most likely take the path of least resistance that promises the greatest rewards at minimum risk. In this situation, I really don’t understand why advising millions of people to stop using a specific browser will somehow protect them from future attacks. Let’s say everyone starts using only Firefox, or Chrome. Are hackers going to give up and never write another exploit again? Not only is this boycott of IE not going to be effective for the general public, but since governments usually use IE as their default browser in all of their institutions, imagine the logistics required to make the changes across the board.
Tricerion protects its users in a way that is completely independent of browser functionality and vulnerabilities. Our graphic passwords are stored in a database in such a way that this information cannot be interpreted and reused from the outside. Effective authentication methods should not rely on specific browsers, nor should they be threatened by the vulnerabilities in other companies’ software products.