Making the Web More Secure

I'm not a perfectionist. I like it when things work well. But I'm okay with something that isn't perfect. Perfection is not an easy goal to achieve, nor in many cases is it realistic. Since earlier this year, I have been focusing heavily on better understanding the current security and privacy landscapes as it relates to the internet. This includes investigating secure communication protocols, encryption and obfuscation of transported data, tracking mechanisms, snooping methods, proxies, relays, VPNs, content injection, and more.

During this time, I've also come across two very common ideas. One is that security is hard. The other is that many people take a perfectionist's approach to security. The former is undeniably true, and anyone who says otherwise either doesn't understand the nature of the issues deeply enough, or needs to tame their ego slightly. The latter, however, is more dubious in nature.

Is perfection a reasonable goal in securing the web? I would argue it isn't. Desirable? Sure. Effective? Absolutely. Achievable? Perhaps not just yet. For security to be effective, it needs to be combined with usable technologies and interfaces. Real people simply aren't willing to give up a large amount of convenience for more (or any) security.

That's why I decided to contribute to Privacy Badger. Privacy Badger + Chrome isn't even close to as secure as something like Tor Browser, but it is more usable and more accessible. Tor is amazing; I display Tor stickers on my laptop with great pride, and take advantage of its services regularly. At the same time, Tor isn't a mass market solution - and it really doesn't aim to be one. It's a specialized service that meets a very important need for a lot of people. Something like Privacy Badger serves a different purpose - it aims to take a small subset of what Tor offers and bring it to users in a smaller package.

I'm extremely glad that amazingly smart people keep working on the state of the art in security, pushing the bar higher and revealing more types of vulnerabilities. At the same time, I'm encouraged to see large organizations making headway towards providing security for the masses, such as Let's Encrypt providing free self-signed certificates, the Google Chrome team reinventing security warnings, and even Squarespace's announcement that it is implementing TLS encryption for all its hosted sites. Not all security implementations need to be perfect from the start, and it's the combination of these two efforts - advancing the state of the art and bringing security to the masses - that will allow us to create a more secure web.