Connection refused – I don’t trust your browser

Two announcements recently took my interest:

• Microsoft to End Support for Old Versions of Internet Explorer
• HTTPS as a ranking signal

They both relate to probably the biggest single security vulnerability users face today – browsing the web. The attack vectors are wide ranging and varied, but in short, dodgy stuff on a server causes a browser to misbehave (sometimes with the help of the user).

From a technical perspective, reducing the vulnerability is straightforward:

1. Users need to keep everything on their clients updated to the latest patch level;
2. Users should only interact with servers they trust.

The challenge is it does not work like that, and no amount of user education will fix the problem.

The Microsoft announcement says some old browsers will reach end of life (sadly not until 2016).  Users of these old browsers will no longer get security updates – but if the XP experience is anything to judge by, then users will continue to use them.  There will be the almost certain call for Microsoft to give users more time.  To solve this problem, we need to come at it from multiple directions; constantly demanding fixes for old stuff is not sustainable.

Should service providers consider going one step further?  Should they refuse to accept connections from browsers that are known to be beyond support?  “Sorry, your browser is too insecure for use to let you have our valuable content, please upgrade and try again”.   Currently, the economics of the Web would probably make this unattractive.

This is then where the Google ranking announcement comes in.   Sites using HTTPS are to be given extra search ranking points.  I see this as the first stage of a web site being recognised as a “good network citizen”, or Trustworthy.  Should this concept be taken further?  For example, a web server could get more ranking points for:

• Rejecting connections from insecure browsers;
• Displaying an authenticated symbol of trustworthiness, from an accreditation body;
• Known to be running on the latest web server software;
• Etc.

Should Google consider displaying the Trustworthy sites clearly separated from the “use with extreme caution” sites?

At this point, it could start to turn and bring some balance to the economics.

I’d welcome your thoughts…