Perspective Is Not A Liquid Asset

ZDNet has an article out discussing a study that shows that Chrome’s (Open Source) auto-update system makes the browser more secure than the alternatives. Disclosure: Google co-authored the study. I work for Google, on Chrome. Caveat emptor.

Back when I did security for a living, I quickly noted a distinction between those who saw things as white vs. black and those who viewed things in risks. White vs. black is the mentality of the attacker (you only need to pwn one system, not every system) and of green defenders who can’t yet distinguish severity or haven’t been taught to think about defense in depth. A risk-based view of security pays a lot more attention to questions of who you’re securing a system against and for how long. In this world view, threats are risks to be evaluated and mitigated, not a constant stream of sky-is-falling crises. A risk-based view says “yes, the sky might be falling somewhere, but what are the odds it’s falling on me? And even if it is, what’s the worst that can happen?” If the likelihood is high and the severity is high, spend a lot of time on it. When you view security in terms of risks to be mitigated, you make very different tradeoffs. If you think you need to (or even can) control and eliminate every risk, then you might be tempted to build brittle systems. If, on the other hand, you acknowledge that humans are involved (and are fallible) and that sometimes things break, you might give up a little control to get to a better place on average and be willing to suffer some minor setbacks on the way there.

The difference between Chrome’s update system and that of other browsers is that the Chrome updater turns the dial all the way in the direction of mitigation, treating the window of vulnerability as the most important factor in the risk of an attack. It’s more important in this world to mitigate an attack than to have asked the user if they want their system to be updated. Is there any other right answer to that question for most users than “yes”?

Here’s where the knives come out: rational people with very different perspectives often want totally different things. System administrators for large organizations – talented people whose job it is to personally assess and deal with risks – may disagree with this policy since it introduces new risks which they can’t effectively mitigate. The Chrome answer to these concerns has been to treat them as the special case they are. You can easily get the standalone installer that doesn’t include auto-update, but it’s not something that’s advertised on the main download page. Why? Because it’s not what will keep most users secure.

The default Chrome update model is designed around the perspective of the average Chrome user. Not the vocal minority who know enough to build Chrome from source, nor corporate IT administrators. Their needs are real, and their perspective is valid, but it is not common and should not dominate the discussion about what is best for the majority. If we’ve learned anything through most GUI Open Source projects, it’s that developers have a hard time empathizing with the needs and skills of most users. This shows up in many places, but perhaps the most curious place of all is the extra confirmation box that asks you if you’d like to have a secure browser or an insecure browser. To anyone but an IT administrator or a developer, it’s not a legitimate choice, it’s an opportunity for failure with the deck stacked against you.

I’m glad the Chrome team has prioritized security through convenience at the expense of the illusion of control. It’s one of those things that’s obvious once you change your perspective. Too bad it’s not nearly as easy as it sounds. Everyone’s selling their point of view, but there are predictably few buyers amongst the already enfranchised.

Hat tip: Glen’s excellent ChatGraph.

5 Comments

  1. Posted May 5, 2009 at 2:40 pm | Permalink

    SPELLING!

  2. Posted May 5, 2009 at 2:42 pm | Permalink

    I think this system *only* works when the product is open source.

    I have an immediate objection to blindly installing binary blobs of closed source software regardless of who the publisher is. I can’t count the number of times Microsoft security updates have introduced additional security problems. This is why so many large organizations dislike this model.

    What makes me really love what Chrome has done is that it’s open source and you can easily turn the updater off. But it defaults to a model of increased security and, for those that care, transparency is offered to the updates through viewing the source.

  3. Posted May 5, 2009 at 3:14 pm | Permalink

    Sorry, Glen. Updated now.

    = \

  4. Posted May 5, 2009 at 4:47 pm | Permalink

    mikeal:

    I’m not so sure about that…being open source lets a small group of people determine if something is good or not, but it doesn’t automatically create a motivation for those people to go and dig in and spend their time doing so. The white lie of Open Source is that while many eyes may make all bugs shallow, most eyes are worthless (have zero bug-finding value) and that the ones that are valuable are much more likely to look if there is some benefit to them for doing so.

    As someone who builds OSS software for a living, I don’t know that I could distinguish a “good” update from a “bad” update via any mechanism other than the one employed by OSS software updates: does it hurt the canary users? If not, it’s likely safe. There’s more to the evil/non-evil decisions in Chrome than the decision to release source, and I think there’s real room here for closed source products to benefit from the same mechanism. They might need to work harder to build the trust required to make the auto-updater a good idea, but that’s just down to building a good product. No development model has a monopoly on that.

    Regards

  5. Posted May 6, 2009 at 12:47 am | Permalink

    I’m interested to know if the “System administrator for large organizations” case really should be treated differently.

    I think for many admins, the risk of being sacked as a result of breaking something outweighs the risk of being sacked from a security breach. The security breach is easier to blame on someone else.

    I’m of the belief that ‘undo’ is a better model.
    http://directwebremoting.org/blog/joe/2009/02/04/undoable_silent_autoupdate.html

    (Aaron’s point about making access to user data harder is a true, but surmountable problem, and a price that is worth paying to keep the maximum number of people on the latest version.)

2 Trackbacks

  1. By WebDevGeekly » Blog Archive » Episode 13 on May 7, 2009 at 9:46 pm

    [...] Alex on Chrome Security model * [...]

  2. [...] As I’m sure all the blags will be a-twitter with shortly, Chrome 2.0 is now out to everyone, and it’s even faster. Yes, V8 got some polish (new compiler infrastructure FTW!), but the big speed news from my perspective are in other parts of the browser. Chrome 2.0 moves fully away from the Windows networking stack to Chrome’s faster networking infrastructure and includes changes to allocators that make the DOM go like hell compared to previous releases. There’s lots of great feature work in 2.0, of course, but now’s not the time for us to bury the real story: Chrome, fast as it was, just got even faster. Thanks to silent auto-update, it’ll even make the web faster faster. [...]