The Harry Callahan Postulate

What kind of weight do you put in different browser defenses?
– Process separation? Plugin isolation?
– Origin header support?
– X-Frame-Options, X-XSS-Protection? Built-in reflected XSS protection? NoScript?
– Automatic patching? Anti-virus? Safe browsing lists?

Instead of creating a matrix to compare browsers, versions, and operating systems, try adopting the Harry Callahan Postulate:

Launch your browser. Open one tab for your web-based e-mail, another for your online bank. Log in to both. Then click on one of the shortened links below. Being as this is the world wide web, the most dangerous web in the world, and would blow your data clean apart, you’ve got to ask yourself one question: Do I feel lucky?

Well, do ya punk?

http://bit.ly/ddoHd8
http://bit.ly/A6Ca
http://bit.ly/wszWO
http://bit.ly/lSxst
http://bit.ly/OApJX
http://bit.ly/SAFEST

If you don’t feel safe, then you should reconsider your browsing habits or at least make an effort to bring your computer’s patch level up to date.

3 thoughts on “The Harry Callahan Postulate”

  1. You can get an informational page for a bit.ly link, including the destination URL and page title, by appending a plus sign to the URL. So, for example, navigating to http://bit.ly/ddoHd8+ will inform you that it links to an MSDN article about JSON without actually taking you there.

    I rather like the appropriateness of SAFEST’s referent, given its name.

    Out of curiosity, what’s A6Ca targeting? It looks like some kind of NAT gateway, given the IP. If I had to guess I’d say it’s a Linksys home router.

  2. [Spoilers!] A6Ca was taken from a CSRF example. It’s meant to show how a link on the Internet can affect your intranet — even your very own home router. (And it’s quite old by now, so even though it’s “weaponized” it shouldn’t affect anyone who pays minimal attention to security updates or security settings.)
