I drew a bit of flak on my post examining Opera on security. (Summary -- reading from the same prayer book as always.) One thing keeps popping up though and it needs addressing. This is the persistent notion that users need access to their online banks. This is bunk, and the reasons are quite strong.
It is what the Americans call a strawman. It may be true at some level that the users need access to their online banking. But it is not true that the browser manufacturers are totally responsible for that provision. They are not.
The users have alternates -- at many levels. All users of Firefox and Opera generally have another browser. All users of banks have an ability to walk to the branch. Most users have more than one bank, most American users have a dozen. All banks have an ability to ship a downloaded client, or a hardware token. All server operators have an ability to upgrade. There are so many alternates in this equation that it would take days or months to document them all (it's probably already available from Netcraft or SecuritySpace or VeriSign for $2500, and if it wasn't going to put you to sleep, it would be free, here).
All of these questions of access can be solved, notwithstanding notable exceptions to the above generalisms. Why then do the browser manufacturers take it upon their heads to assume complete responsibility for this? Well, perhaps we can see the answer in this response by Hallvord:
>> (Do you think the commerciality of the equation might
>> explain the laggardness of browser manufacturers here?)
>
> Now that's complete rubbish. Users feeling secure is essential to
> our existence while we get none of the payments to ISPs for those
> non-shared IP addresses. Where is the logic in this accusation?
Although every one of the other actors above has alternatives, they all cost money. Their browser does not. The banks make money on fees, and the users *pay* for their banking access. They choose the cheapest access because they are smart. The banks choose online banking because it reduces branch staff and telephone support staff. So they are smart - they save money that way. Online server operators do not upgrade because upgrading a server is costly. Sysadmin time, user disruption, etc etc. So they only do it when their business pays them to do it. That's smart. (CAs don't bother to check Id because it saves them money - smart. Until someone can show them why they should, they won't, because they are smart, and so are their customers!)
So for every one of those (other) actors, need is a relative thing, which disappears absolutely if the price is not right. I need online banking, but if it's more than $10 a month, I don't need it.
Browsers on the other hand have no money in the equation (somewhat a generalism, but not an unreliable one). They apparently take on all the responsibility for user security for free, for reasons lost in the dim dark corridors of history. They have none of the cruel jungle feedback of the dollar to inform their security, they have instead the infinitely forgiving parental corporation that tells them what to do (Microsoft or Apple) or the feel-good social benefit of open source coolness (KDE, Mozilla) or the cozy position in the "user trust matrix" that comes with a handy dandy prayer book that tells you what to do if they happen to not have the others (Opera).
Browsers are therefore blinded to the alternates that all users have and use, and the users being the silly fools that they are aren't that bothered to inform browsers what they are up to. Because browser manufacturers do not see their sales go down and are therefore not part of the cost-saving cycle of general life, they have no feedback to rectify mistakes, and they fall victim to such stupidities as "browser users need their online banking, and we are responsible for that."
Browser manufacturers are just another victim in this game. Unfortunately, there are other victims - the users - and nobody much takes on their case, although everyone says they do. When I take on the case of the users, I necessarily cannot take on the case of the browser manufacturers - victims though they may be. I'm here to tell you that "we the users" think your reasons for not doing security are daft, and please don't invoke our names in it.
Posted by iang at May 29, 2006 08:31 AM
> All users of Firefox and Opera generally have another browser
All sweeping statements are generally wrong ;-) You can't have both "all" and "generally". You mean "most".
I don't have another browser.
> All users of banks have an ability to walk to the branch.
Another untrue sweeping statement. Some exceptions: the disabled; the housebound; those who live in the countryside without transport; Antarctic researchers.
> All banks have an ability to ship a downloaded client
That'll work on Windows, Mac OS, Linux, or any other platform that people might want to use (which already has a web browser)?
You could argue that banks have no requirement to support all these platforms; but who wants to turn away customers?
> the users *pay* for their banking access.
Not in the UK. We have this lovely thing called "free banking"; if you stay in the black, you get cards, chequebooks, banking services, statements etc. and pay nothing. Sadly, I believe the USA is not so enlightened.
> I need online banking, but if it's more than $10 a month, I don't need it.
I disagree. I need online banking (which works in Firefox on Linux). If it's not present, or more than $10 a month, I switch banks.
My time is valued at a reasonable number of $ per hour. If my bank wants to waste that making me travel to branches, I'll choose a bank which won't.
Gerv
Awww Gerv! Attacking sweeping statements because minor percentage points are swept away with wanton disregard! That's rich, and as an editorial matter, it was addressed in the very next paragraph. So, I'll let you replace all sweeping statements with *your* estimates of what proportions are more accurate. Then multiply out the percentages, and you can claim that Firefox will serve the infinitesimal proportion of people who do not have another browser, cannot walk to the branch, and do not use XY OS.
To move onto your points.
> You could argue that banks have no requirement to support all these platforms; but who wants to turn away customers?
That's what happens, right?
It is the bank's *choice* to use these platforms, and no browser manufacturer *has* to deliver anything? A bank *chooses* to turn away customers every day of the week - we don't generally argue that they should stop this terrible practice, because the quid pro quo is that customers have a choice in banks.
> Not in the UK.
Hilarious. You pay for it other ways. *One* price sticker on it says "free." They want you to believe it is free, so you won't look too deeply. Congratulations, you are their perfect customer.
> I disagree.
You are in fact agreeing with me. "It's more than $10 a month, I don't need it" is the same as "It's more than $10 a month I switch banks" which is the same as "I'm switching to cash!" or "I'm joining a commune!" It's called switching, and people do it all the time. (Actually, not so much in Britain, they have a tendency to block switching there.)
The core point here is that your time is valued at a reasonable number of $ per hour. If your bank wants to waste that making you travel to branches, you'll choose a bank which won't.
You use online banking because it saves you money, not because you "need it". If we offered you something else, you'd use that, too. Until it was more expensive. Need is simply the wrong word, the wrong argument.
Posted by: Iang at June 19, 2006 12:19 PM