Date: Tue, 2 Sep 2003 11:17:47 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "'Simon Brady'" <simon.brady@...go.ac.nz>,
	<bugtraq@...urityfocus.com>
Subject: RE: RIP: ActiveX controls in Internet Explorer?


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



> -----Original Message-----
> From: sb@...ngmao.otago.ac.nz 
> [mailto:sb@...ngmao.otago.ac.nz] On Behalf Of Simon Brady
> Sent: Sunday, August 31, 2003 6:43 PM
> To: bugtraq@...urityfocus.com
> Subject: Re: RIP: ActiveX controls in Internet Explorer?
> 
> 
> On Sat, 30 Aug 2003, Alun Jones wrote:
> 
> > The descriptions I've heard of this suggest that this patent could be
> > applied equally to prevent (or grab payment from implementors of)
> > Javascript, Java, Flash, etc.
> > 
> > I'm with you on the security issues with ActiveX (and Javascript) - I
> > disable ActiveX on the principle that it has no security
> > consideration, and Javascript on the basis that it's been frequently
> > implemented in a vulnerable manner.  But this is a considerably
> > further-reaching patent than merely killing off ActiveX.  Before we
> > sing "ding dong the witch is dead", let's have some concern for the
> > peaceful Wiccans that might be next on the chopping block.
> 
> Java and Flash aren't exactly free of security issues either. In fact, I
> would go further and argue that the whole notion of a controlled
> client-side runtime environment for remote code has been an unmitigated
> disaster for the web (and this is solely from a security perspective - see
> http://members.optusnet.com.au/~night.owl/morons.html for a refreshing
> take on the usability crisis they've caused).
> 
> I'm not just referring to current implementations with their appalling
> defect rates. All client-side runtimes, no matter how well-written,
> inherently reduce security. That's their function: to give outsiders
> access to your machine they otherwise wouldn't have.
> 
> Even more insidiously, their prevalence numbs users into a 
> mode of thought that it's quite normal and healthy to let 
> this happen. How can the security community promote safe 
> browsing when users are being forever brainwashed into 
> ignoring or disabling security features for the sake of 
> pointless but pretty downloadable applets? How can we 
> encourage content developers to reduce attack surface when 
> fashion demands yet more gratuitous bells and whistles?
> 
> Web applications belong on the server. The more widely this 
> patent gets applied the better off the browsing public will be.

Client side applications have problems. Server side applications have problems. Anything you use has problems. Anything could have a security hole in it. Further, when you are talking about "all client side runtimes" -- you may not have meant this, but you are talking about the browser itself.

Client side applications may often involve "pointless but pretty" websites, but they are also used in just about all ecommerce sites. The pros and cons of these sites people could forever debate, but personally I love being able to buy stuff in the middle of the night or from across the planet. Who doesn't? And, where else can you shop for a new car and not have to deal with annoying sales people? Where else can you surf for buyer opinions, the best rates, and do your shopping -- but on the internet? [I am not even mentioning doing online bills, loans, or countless other such tasks which are made easier by these things.]

I will not lie, there is a lot of "attack surface" in a browser. There will only be more and more as the years progress, if anything. The browser is our most central and basic connection to the internet. As such it is destined to become more, not less.

Client side attacks will continue to be popular, but bugs being found in clients does not mean these clients have become less secure. In fact, if you look at applications' bug histories you will note that the bugs generally become harder and harder to find, and the time between bug fixes becomes further and further apart. This rule holds generally true with all applications.

But, why will client side attacks continue to be popular? There are some very simple reasons. One, everybody has a client. Not everybody has a server. Two, client side attacks bypass just about every type of firewall people may have. Three, client side attacks remain remote attacks, despite the fact that everybody has a client. Four, yes, there is a wider attack surface than that which can be found on servers (generally).

Four good reasons why these attacks will remain popular.

At the end of the day it all comes down to one's acceptance of new technology. Are we demanding that we stay with yesterday's technology, or are we able to go forward with new technology? Must we insist websites use 1994 type technology? Is this kind of insistence not really based on nostalgia? Is there no danger to nostalgia?

Apologies for all of the posts this week.

> 
> --
> Simon Brady                             mailto:simon.brady@...go.ac.nz
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
> 
>     I don't speak for my employer, and they don't speak for me.
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP1TeywkWkugjEnC3EQLGwgCgrZ+pE8Jv/UqA0Kcve7Nh7dfoyoMAoKwh
aMBVmp4cy1pUQ4uTsoK/OITY
=etUG
-----END PGP SIGNATURE-----


