| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Jun 2004 09:59:21 -0500 (CDT) From: Ron DuFresne <dufresne@...ternet.com> To: Nancy Kramer <nekramer@...dtheater.net> Cc: "Burnes, James" <james.burnes@....com>, <1@...ware.com>, <bugtraq@...urityfocus.com>, <NTBugtraq@...tserv.ntbugtraq.com>, <full-disclosure@...ts.netsys.com> Subject: RE: Microsoft and Security On Mon, 28 Jun 2004, Nancy Kramer wrote: > There are lots of sites written only for IE or clones of IE like > Opera. Some large sites are written only for late model IEs. Many are > from large companies. Big business thinks MS is the state of the art and > the only way to go for business. You have a choice do it their way or > don't get the benefits of their web site. They play to the user who has > AOL, uses only IE and Outlook with all the defaults on because if MS does > it it must be right and they really have no interest in changing things or > knowing about them. People believe they are protected by big companies > like MS. They are fools but then like a friend of mine always says > "business people are stupid". nancy, some of this has to do with lazy webdesigners[1]. I recall a time not too far back whence sites were setup for users that used GUI versions of browsers, and those that used text based browsers, a cliet could browse the site from the best perspecitive of the SW they were using. This even became more prevalent for a short period when things like 'frames' and such came into the html lingo. And there were even some sites back then that had a 'ie view' as well as a 'netscape view', some still offereing a thrid 'text only view'. Course, this gets to be time comsuming and tedious for the person laying out all that markup code and crafting all those cgi's and java/perl/php/activeX gunk, let alone trying to tailor dynamic pages such that they know how to play with the client browser in use. EI plays well with the M$ fav good ole security issue in it self, front page, which produces markup code with a slant towards IE specifics. Of course, security companiees, though advocating that active c0ntent not be enabled in client vrowsers for the reasons we see over and over in the security related lists have also long since given up the ghost. A person can fall asleep at the wheel trying to count on the fingers of one hand the number of 'security specific' or 'security related sites' that do not engage in actve content themselves. Thus most of the warnings and recomendations to turn off the abilities of a browser to parse the more potentially dangers dynamic aspects of html, fall on deaf ears all the wat around, from end users on up. The bigger flaw here I see is that which hits when the industry itself pushes content in denial of the realities they posture. Thanks, Ron DuFresne [1] lazy is perhaps over strong here, and puts perhaps too much blame on those tasked as content maintainers, who are actually often driven from a corporate expense model, and often not making the core design decisions on their own. Only minor offences meant in the 'lazy' designation. Of course, then agian how many sites still maintain content for text based broswers these days in addition to all the glitzy dynamic content they put up for exploit? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists