HackDiscussion
CSRF?


moookid Apr 22, 4:54am
Not particularly complicated stuff, but an important issue for end users nonetheless:

0x000000.com

To me it's similar to the spam issue: you could solve 99% of the problems by enforcing reverse DNS/PTR checks, the problem is that everything would stop working properly because of the way systems have been designed (or misconfigured in the case of your average MTA/domain).


Zephyr-The-Zeph Apr 22, 5:42am
I personally consider CSRF and its Server-Side exploit friends {XSS, Malformed Jscript, Replay attacks, Session Token Hijacking...} to be more of a failure of Browser Security implementation than of Web, or even underlying Networking functionality.


moookid Apr 22, 6:05am
That's what I meant with my spam analogy.. you can prevent virtually all spam just by doing reverse DNS checks - the problem is that if you do that, a lot of people's legit email will get rejected because their system doesn't have their reverse DNS set up correctly.

In theory it would be 'the best' solution for everyone to use reverse DNS/PTR check failures as an absolute indication of spam and kill spam forever - in practice however, this doesn't work because of the huge amounts of problems it causes.

So in the same way.. if you chose to resolve this problem through browser security, you would almost definitely end up restricting functionality in the way described in that article... if you do that - a lot of stuff will break (not to mention the chaos it will cause with the various different implementations - look at cascading style sheets for an example).

I don't disagree with you really, I just think that the consideration is irrelevant since a browser-based solution isn't practical.


Zephyr-The-Zeph Apr 22, 4:08pm
Well, it depends on how broadly you want to define 'Spam'; I assume you are talking about forged SMTP messages, not just 'unwanted' or unsolicited email.

I understand your hesitation about breaking past implementations. However, think about this: just adding an html tag, or a name which identifies certain site components as being 'user-generated and possibly hostile', or a simple 'You are posting information to xxx, This could compromise your security' on links which go to a site which is taking a post-type argument.


moookid Apr 23, 2:14am
Last time I checked - the only spam the security industry worried about was forgery stuff (since this is the method most botnets are using).

The problem with client-side preventative measures is that they will most likely be circumvented within hours of release. At which point the functionality ends up worsening users' security by giving them a false sense of security.. Not to mention the fact that users don't like pop-ups (and they generally can't tell, or don't care about, the difference between spam pop-ups vs. security alerts). Look at user reaction to the way Vista handles security issues: users don't understand, don't want to know, and definitely don't want to have to make decisions about information security (and I don't really blame them!).


Zephyr-The-Zeph Apr 23, 6:59am
Who can blame them? However, that's not to say that there shouldn't be secure coding on the Serverside, but browsers which can recognize what is and isn't malicious, even *IF* it breaks some functionality, are needed. Or how about this, somewhat of a Browser paradigm of, Internet Explorer removes ActiveX, throws out its DCOM implementation, and locks down JS commands and has all of the previously mentioned 'deals'. In other words, a fairly secure browser, and if you are technically-inclined, you can opt for either a Different Version/Flip a Switch, or go to FF.


moookid Apr 23, 7:15am
I still feel it sends out the wrong message to developers. The reality is that developers, in general, need to be more security aware - and need to write better code. Focusing on the client side lets them off the hook somewhat - XSS, CSRF, etc. are virtually impossible to execute on a "securely coded" site - that should really be the objective here; treating the cause and not the symptoms.


ntltrmllgnc Apr 23, 7:27am
It's a cycle. The dirty secret is: The reason people react to Vista security so violently (disabling it) is because people instinctively think they're going to break the computer. Most people don't read anything at all, EVAH. So when that pop-up comes they think they have to DO something. It never occurs to them to read. I love Spybot yet those messages to allow or deny confuse people. So I set it to novice level and hope they don't visit a 419 site (and then blame me for the damage).

The solution: Implement an instant messenger in terms of pop-ups. Then people will know that they have to read first.

