Web surfing for dummies

The tradeoff -- or the blurring of red and green zones -- lies at the heart of the controversy. "Part of the quandary is trying to make that compromise between usability and functionality," says Charles Kolodgy, research director of secure content and threat management products at market researcher IDC. "People are going to want to download items, so you can either block all of it or warn them."

And it's a dubious proposition to put control in the hands of everyday Web surfers. For instance, many people believe that they can download files with impunity on a reputable site. Both Mossberg and Grimes tested products at known malicious Web sites, yet most malware today infects people through legitimate Web sites. "There's a good chance a popular site has been exploited in the last year or two," Grimes says.

Even when ForceField warns people that they're about to download potentially malicious code, this may not stop them. A Microsoft security intelligence report released in May showed some incredulous behavior: 88 percent of users chose to ignore a warning about BearShare, a software bundler, and continued to download the file; 68 percent ignored a warning about adware ZangoSearch Assistant; and 23 percent ignored a warning about a Trojan downloader.

"I guess they really wanted that [revealing] picture of Britney Spears," Grimes says. "You just can't leave trust decisions with end users."

Even security pros get duped. A couple of years ago, Kolodgy clicked on a link after conducting a Google search and -- wham! -- got hit by a drive-by Web attack. This attack requires the user to merely visit a malicious Web site. "It took me a while to clean the spyware off my machine," Kolodgy says. "I think ForceField would have protected me because the [spyware] never would have gotten to my registry."

Getting your head out of the sand

Unlike Grimes, Kolodgy believes virtual red-green computing holds promise. Because security analysts often go to nefarious Web sites, Kolodgy now uses a VMware Workstation virtual machine to visit them. Afterwards, he wipes the computer clean by punching the reset button.

"If you can do [virtual red-green computing] in a browser, it saves a step," Kolodgy says. "Desktop virtualization is going to be a benefit for security, and we're going to see more and improved products." In fact, security software vendors report that some malware will not execute if they detect they're running in a virtual machine. That's because many vendors use VMS for testing the exploits.

Regardless of virtual red-green computing's future, sandbox browsers today are not the secure products that many vendors make them out to be, Grimes says. "Security products in general are over-hyped, but these products seem to be much more so."

Judge for yourself. ForceField's promotional copy reads: "A protective layer around your browser, shielding you from drive-by downloads, browser exploits, phishing attempts, spyware and keyloggers. So your passwords, your confidential information, and your financial data remain protected."

Is this hyperbole aimed at the foolish consumer? The Test Center thinks so. "These new-fangled security client software products clearly don't work on the level that the vendors claim," Test Center's Dineley says. "They're basically asking you to flirt with disaster under the illusion that disaster can be averted."