I've read several interesting security posts on which browser security plugins/add-ons/extensions are best for securing your online activities. After reading through some of these, I began to wonder which plugins we should be recommending to the Ordinary Computer User (OCU), and which plugins we should be recommending in a security awareness program. I posted this question to a security forum and to several security professionals and got a huge range of answers, more divergent than I expected. However, after putting a list together and reviewing all the possibilities, I came to a surprising conclusion: I would not recommend any new security plugins for the OCU, because the disadvantages outweigh the benefits. These are my reasons why:
- Today's latest browsers are 'secure enough' for most OCUs. As long as end users are running the latest version of their browser, they already have most of the security features they need, such as SmartScreen (reputation-based blocking of known malicious sites and downloads), sandboxing, etc. Each browser is a bit different in its security implementation, but overall I consider them good enough for most organizations.
- The risk today is often not the browser itself but its plugins. Many browser exploits target outdated or vulnerable plugins (Flash, QuickTime, Java, etc.). By asking OCUs to install more plugins, we send a confusing message: plugins are the problem, yet here is another one to install. In addition, users may become confused as to which plugin is legitimate and which one is fake (rogue plugins, anyone?).
- An additional risk is that if OCUs install a plugin, they may not use it correctly yet still think they are safe. The classic security plugin is NoScript. This is a powerful tool that most security professionals I know use. Unfortunately it is not the most user friendly. I installed NoScript on my wife's computer; it lasted ten minutes. She quickly grew so frustrated that she set NoScript to allow every site, disabling most of its security functionality. More dangerous still, she may feel more secure because the 'security plugin' is installed, even though most of its filtering has now been disabled.
Want to make end users' browser experience safer? Skip the security plugins; OCUs can only remember so much. My suggestion: make sure they know to always run the latest version of their browser and its plugins, and set their home page to Qualys's Browser Check page at http://browsercheck.qualys.com, so that outdated browsers and plugins are flagged every time they open the browser. And always remember, regardless of which browser version you are using, the most insecure part is the HumanOS running it.
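To make concrete what a browser-check page is looking for when it flags the "outdated plugins" risk described above, here is an added example, written for this page and not taken from the original post or from Qualys: a minimal plugin-version audit. It reads the browser's plugin list when run in a browser and falls back to a constructed sample inventory when run offline; the minimum-version table is a constructed placeholder, not a real set of advisory thresholds, and the parsing deliberately tolerates the differing version formats that Flash ("11.2.202.233"), Java ("1.7.0_45") and free-text plugin descriptions use.

```javascript
// Added example, not code from the original post or from Qualys BrowserCheck.
// A minimal "outdated plugin" audit of the kind a browser-check page performs.
// MINIMUM_VERSIONS below is a CONSTRUCTED placeholder table for illustration,
// not a real set of advisory thresholds; a real check needs a maintained feed.

// Normalise a version string into an array of integers.
// Handles dotted forms ("11.2.202.233"), Java's "1.7.0_45" style, and
// free-text plugin descriptions such as "Shockwave Flash 11.2 r202".
function parseVersion(str) {
  const parts = String(str).match(/\d+/g);
  return parts ? parts.map(Number) : [];
}

// Compare two parsed versions component-wise. Missing trailing components
// count as zero, so "11.2" equals "11.2.0". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Constructed minimum-version table (placeholders, not real advisories).
// Keys are matched case-insensitively as substrings of the plugin name.
const MINIMUM_VERSIONS = {
  'shockwave flash': '11.2.202.235',
  'java': '1.7.0_45',
  'quicktime': '7.7.4',
};

// Audit an inventory of {name, version} objects against the table.
// A plugin with no entry in the table is reported as 'unknown' rather than
// silently passed: an auditor that cannot judge a plugin should say so.
function auditPlugins(inventory, minimums = MINIMUM_VERSIONS) {
  const findings = [];
  for (const plugin of inventory) {
    const lowerName = plugin.name.toLowerCase();
    const key = Object.keys(minimums).find(k => lowerName.includes(k));
    if (!key) {
      findings.push({ name: plugin.name, status: 'unknown' });
      continue;
    }
    const cmp = compareVersions(parseVersion(plugin.version),
                                parseVersion(minimums[key]));
    findings.push({
      name: plugin.name,
      status: cmp < 0 ? 'outdated' : 'ok',
      minimum: minimums[key],
    });
  }
  return findings;
}

// In a browser, read navigator.plugins. Plugin objects expose name and
// description (Firefox historically also exposed a non-standard version
// field), so the version may have to be extracted from free text and can be
// less precise than the real build number. Offline (e.g. under Node), return
// a CONSTRUCTED sample inventory so the audit can be exercised.
function collectInventory() {
  if (typeof navigator !== 'undefined' && navigator.plugins) {
    return Array.from(navigator.plugins).map(p => ({
      name: p.name,
      version: p.version || p.description,
    }));
  }
  return [
    { name: 'Shockwave Flash', version: '11.2.202.233' },        // constructed
    { name: 'Java(TM) Platform SE 7 U45', version: '1.7.0_45' }, // constructed
    { name: 'QuickTime Plug-in 7.7.1', version: '7.7.1' },       // constructed
    { name: 'Some Unknown Plugin', version: '1.0' },             // constructed
  ];
}

// Usage: run the audit and list what an end user would be told.
for (const f of auditPlugins(collectInventory())) {
  console.log(`${f.name}: ${f.status}${f.minimum ? ` (minimum ${f.minimum})` : ''}`);
}
```

The 'unknown' status is the honest result for anything the table does not cover, and the table is exactly the part that goes stale; keeping it current is a full-time job, which is why the post points end users at a maintained service rather than asking them to judge plugin versions themselves.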