Your Bad Security is Bad for Everyone

A pretty common thought about security is that you only need it for the high-security applications. We want high security for banks and identity management systems and things like that. But for our homes, we should be fine with not so much security. To a degree this is true - you have to judge the threats and countermeasures in a rational way, as I spoke about earlier in the post about Threat Models. But the real problem is that most people don't make these judgements, and even if they do they usually make a crucial mistake - which is to not take into account the cost to the network in general of having bad security.

The fact is that our current Internet is under constant attack of many kinds, and most of those attacks are made easier by the lack of security in general. An example might be in order. A story came out recently about the HACIENDA program that the Five Eyes run. This is a program that searches the Internet in a specific country for computers that are open for exploitation. The reason they do this is so that when they want to attack a real target, they will attack from one of these third party machines instead of directly from their own machines. Doing it this way makes the attacks much harder to trace and protect against. Thus, having a lot of machines open for exploitation on the Internet actually makes everyone less secure.

The same thing is true for botnets. The reason we have a problem with spam today is to a large degree because of insecure computers that have been taken over and used for sending junk email.

A third example recently came into the news. Web connections that don't go over HTTPS are vulnerable to injection. What that means in practice is that any site that sends material over HTTP can have that data modified so that JavaScript is injected and executed in the browser. That means that turning HTTPS on is potentially a net positive for the whole of humanity. It also makes allowing HTTP a sign that you don't really care about your users at all.
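
To make the HTTP point concrete, here is an added example (not from the original post): a small Python scanner that lists the resources a page would fetch over plain HTTP, which are the ones that can be modified on the way to the browser. The function name, the tag lists and the sample page are assumptions made for illustration, and only stylesheet `link` tags are checked.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active tags run or style the page; passive tags only display media.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        attrs = dict(attrs)
        value = attrs.get(attr) if attr else None
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # this example only checks <link> tags that load stylesheets
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page, so they inherit the page's own scheme.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, url))


def find_plain_http_resources(html, page_url):
    """Return (kind, tag, absolute_url) for each subresource fetched over HTTP."""
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
<link rel="stylesheet" href="//static.example.test/site.css">
<link rel="icon" href="http://static.example.test/favicon.ico">
</head><body><img src="/logo.png"></body></html>"""
```

Run against the same markup, a page served from `https://example.test/` has one finding (the hard-coded `http://` script), while the same page served from `http://example.test/` has three, because relative and protocol-relative URLs follow the page's scheme.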

All of these come to the same point. Your bad security, be it your Windows XP machine or your HTTP-only website, is actively making the Internet a less secure place. But if you do your part, we can fight back. The Internet could be said to have an immune system - an immune system that is currently in really bad shape. But if we all inoculate ourselves, things can get better.