Trying Life Without Flash and Browser Java
Paul Ducklin has an interesting piece on HTML 5. Although browser vendors have been building HTML 5 support into their browsers for a while, it officially became a standard as of October 28th. As the press release from the W3C Consortium states:
HTML5 brings to the Web video and audio tracks without needing plugins; programmatic access to a resolution-dependent bitmap canvas, which is useful for rendering graphs, game graphics, or other visual images on the fly; native support for scalable vector graphics (SVG) and math (MathML);
At Ducklin's suggestion I'm going to try life without the plugins. I've removed Flash from my work laptop entirely, and I've disabled browser Java. If this experiment works, that's two fewer updaters to worry about and two sets of security alerts that won't affect me. This could be a good plan for reducing the attack surface of an enterprise, provided you have no business applications that depend upon browser Java. If you do, there's the two-browser strategy: surf the web in a Java-less browser, and use a different browser for Java applets you must run.
I'll give this a try and report back on how it works.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.