I have said that this is what end-users should do, and if all end-users globally did so, it would have a definite impact.
Then, what I said initially is a conclusion I slowly and surely developed over the twelve years of diving into 3rd-party cold-recon website security here, mainly in the V&W section. It dawned slowly upon me by seeing thousands and thousands of websites that were, where website security is concerned, so to say effectively “under par”.
Most of these websites did not reach a mere F-grade status, an occasional C-grade, some A and A+. All those PHP-based, CMS-driven websites with user enumeration and directory listing enabled, making it easy enough for average hackers to compromise such sites.
Then there are developers under enormous time pressure to deliver, with security a last-resort issue. Then the devastating influence of certain almost global monocultures, like the one Google has created over time.
Summa summarum, it created just that feeling of gloom and a bit of despair in me, simply because I see things going in a worse direction; I see little overall improvement. All those postings in Virus and Worms, and what did they bring us? Retired vulnerable libraries, left code to be retired, improved and extended security-header security layers. Did it stop developers from cutting and pasting code from GitHub, weaknesses and flaws included? It educated a few, but it all comes too little, too late and too far in between.
OK, we now have more websites with better-secured connections, thanks to Google Safe Browsing, but more has gone out of sight into the cloud. CloudFlare has become an important global data player.
But as a conclusion: when you close your eyes to it, the problems behind all this won’t go away. The pink elephant that no-one wants to mention is there, and it is not going to leave the room.
A small example from everyday analysis: I hate to see such vulnerabilities on an Apache Guacamole webserver in Kassel, Germany, for instance, when an OP laments that his website has been injected by malcreants:
ils.com/vulnerability-list/vendor_id-4 → https://www.shodan.io/host/5.9.88.114
I see this never-ending circus every day. That is why I am waiting for a tiny bit of positive news: better security education for website developers and pentesters, and fewer managers, most of them without any relevant knowledge, deciding how to dodge additional security expenses. Can you imagine why I feel like this, and still have not given up on those who will come here for recommendations, advice and help?
Damian aka polonus