Perspective Is Not A Liquid Asset
ZDNet has an article out discussing a study that shows that that Chrome's (Open Source) auto-update system makes the browser more secure than the alternatives. Disclosure: Google co-authored the study. I work for Google, on Chrome. Caveat emptor.
Back when I did security for a living, I quickly noted a distinction between those who saw things as white vs. black and those who viewed things in risks. White vs. black is the mentality of the attacker (you only need to pwn one system, not every system) and of green defenders who can't yet distinguish severity or haven't been thought to think about defense in depth. A risk-based view of security pays a lot more attention to questions of who you're securing a system against and for how long. In this world view, threats are risks to be evaluated and mitigated, not a constant stream of sky-is-falling crises. A risk based view says "yes, the sky might be falling somewhere, but what are the odds it's falling on me? And even if it is, what's the worst that can happen?" If the likelihood is high and the severity is high, spend a lot of time on it. When you view security in terms of risks to be mitigated, you make very different tradeoffs. If you think you need to (or even can) control and eliminate every risk, than you might be tempted to build brittle systems. If, on the other hand, you acknowledge that humans are invoked (and are fallible) and that sometimes things break, you might give up a little control to get to a better place on average and be willing to suffer some minor setbacks on the way there.
The difference between Chrome's update system and that of other browsers is that the Chrome updater turns the dial all the way in the direction of mitigation, treating the window of vulnerability as the most important factor in the risk of an attack. It's more important in this world to mitigate an attack than to have asked the user if they want their system to be updated. Is there any other right answer to that question for most users than "yes"?
Here's where the knives come out: rational people with very different perspectives often want totally different things. System administrators for large organizations – tallented people whose job it is to personally assess and deal with risks – may disagree with this policy since it introduces new risks which they can't effectively mitigate. The Chrome answer to these concerns has been to treat them as the special case they are. You can easily get the standalone installer that doesn't include auto-update, but it's not something that's advertised on the main download page. Why? Because it's not what will keep most users secure.
The default Chrome update model is designed around the perspective of the average Chrome user. Not the vocal minority of those who know enough to build Chrome from source or even for corporate IT administrators. Their needs are real, and their perspective is valid, but it is not common and should not dominate the discussion about what is best for the majority. If we've learned anything through most GUI Open Source projects, it's that developers have a hard time empathizing with the needs and skills of most users. This shows up in many places, but perhaps the most curious place of all is the extra confirmation box that asks you if you'd like to have a secure browser or an insecure browser. To anyone but an IT administrator or a developer, it's not a legitimate choice, it's an opportunity for failure with the deck stacked against you.
I'm glad the Chrome team has prioritized security through convenience at the expense of the illusion of control. It's one of those things that's obvious once you change your perspective. Too bad it's not nearly as easy as it sounds. Everyone's selling their point of view, but there are predictably few buyers amongst the already enfranchised.
Hat tip: Glen's excellent ChatGraph.