In a previous post, I wrote:
I also find it worrisome that people could trust those “hacker safe” images some sites have been displaying. [...]: even if the service that checks the site for potential problems works flawlessly (a big IF), [...]
Now there’s some data to support my argument: the best web application scanner finds 15.3% of vulnerabilities.
Some security problems are, in a way, social problems. That means they can be solved, at least partially, by telling users what kind of behavior is safe and what they can trust. There are quite a few people who don’t believe this (Jakob Nielsen doesn’t, and he’s not alone). I don’t think that we’ll ever get to a point where security is so transparent that it’ll be there, do its job and stay unnoticed — not because I think security won’t evolve, but because it’s a fact that attackers evolve just as fast as security measures, if not faster.
The problem is that it’s too hard to teach users anything. First you tell them they can’t trust URLs (because it’s hard to teach them how to recognize the domain and file parts of a URL, etc.), then someone wants a “.bank” that all users must trust. Then you say they can’t open EXE attachments, and along come the Microsoft Word zero-days. “What? Why can’t I open his resume?”
So what can users be told about the websites that like to display the results of their web application scanner testing? Don’t trust the images? Then why display them?
Yes, don’t display them, and no one needs to tell users anything. Thank you.