The theory, the practice
But an idea that is not bad in theory may not be smart in practice, both security experts said. "It's just not feasible for the average user," said Huger.
"The reality is most users wouldn't know which one to run when," Thompson said.
Ironically, Lerdorf's PHP is a major cause of Web site vulnerabilities. According to Danish bug tracker Secunia ApS, the most up-to-date version of the scripting language has been tagged with eight flaws since its November 2006 release. Six remain unpatched.
Lerdorf acknowledged last week that PHP's popularity and insecurity are parts of the XSS problem. There "is not much we can do" to tighten up PHP, he said during the keynote.
Correct, said Huger. "The vast majority of cross-site scripting vulnerabilities are because of the programmer," he said. Amateur developers often try their hand at PHP, with sometimes disastrous results, Huger said.
What's a user to do if the two-browser concept is so inconvenient as to be unreasonable? Use reason, said Huger. "Be very careful where you shop online, who you give credit card number to, how you get to your online bank," he recommended. "If you follow that advice, you'll be in good standing."