lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4050E578.18684.28F383C6@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Browser security was Re: MDKSA-2004:021 -
 Updated mozilla packages fix multiple vulnerabilities

Gary Flynn <flynngn@....edu> wrote:

<<snip>>
> What I'd like to see personally is a right-click "temporarily
> disable/enable risky functionality for this site" option so this
> functionality can be turned on and off easily for those users
> willing to put up with the discomfort of day to day web "browsing"
> without scripts but not willing to put up with having to go
> through three or more configuration screens for a temporary site
> visit.  ...

Hear, hear!!

> ...  Yeah, I know, make it too easy and you get the email attachment
> syndrome but I think the feature would overall encourage more people
> to try browing in a safer default configuration than today's
> mechanism.  ...

Or maybe not.

Regardless though, why make it so fricking difficult for those who _do_ 
want to use your browser "safely", rather than with some developer 
amalgam "convenient average" setting?

> ...  You fight human nature and you lose.  ...

8-)

> ...  It could always be
> disabled by a master switch in an organizational policy. Shoot,
> even security vendors make use of script on their web pages
> and I think most of us would have to admit having to go to a site
> requiring script and forgetting to turn it back off at least
> once. :)

Of course, solving more or less the same problem set was the intended 
aim of IE's security zones.  The big problem there is MS never went to 
any trouble to make it at all clear to the user what the point was, 
never made it easy to drop a site into the "Trusted Sites" zone and, of 
course (we are talking about Redmond after all), defaulted "world plus 
dog" into the "Internet" zone with laughably pathetic security settings 
so "everything would work out of the box" (especailly all the 
inevitable security exploits) so no-one with less than a truckload of 
clue would ever have any motivation to even _think_ about the very 
important issues underlying it all...  (Kinda makes you wonder why they 
even bothered devising the secuirty zones from the outset and 
implementing all the infrastructure thereunder, but I'm sure the 
shipping configuration was yet another win for marketing over technical 
nouse.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ