Message-ID: <190DFDD2F99A65469B4B15D3658C0D2B71F4EB@ptc6.ponderosatel.com>
From: daniels at Ponderosatel.com (Daniel Sichel)
Subject: RE: exploits due to buggy validation


Dan Sichel
Network Engineer
Ponderosa Telephone
daniels@...derosatel.com (559) 868-6367
 

> The correct solution to all such problems is simply to reject the
> content as malformed. And guess what will happen when you do that?
> Several really crappy web design products will disappear because the
> folk using them will drop them because no-one can see their pages _and_
> the rest will suddenly become very interested in producing properly
> compliant content, as they should have been from the outset.
>
> Playing "guess what the moron really meant" is a recipe for being
> screwed, so let's get over the previous "need" to "see it at all cost"
> and get some sense back into what folk are doing...
>
> Regards,
>
> Nick FitzGerald

Sorry, but you couldn't be more wrong. PHBs will require security
technicians to open holes in the firewall to permit the buggy content.
The companies using web design products that produce crap pages won't
drop them. They will blame it on Apache, which won't be believed, and on
Microsoft IIS, which will be. Microsoft will "extend" the tag standard
to allow this behavior and McAfee will develop patterns to detect them
as fast as they can. Don't believe me? Do you have IM inside your
firewall? How about Macromedia Flash? Any RealPlayer users?

The bad drives out the good.

Dan Sichel
