| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: IE is just as safe as FireFox
Vincent Archer wrote:
>
>Other apps flatly refuse to work with anything but IE. None of these
>are strictly "web applications" anymore - they are applications that use
>an UI processor, which happens to be the HTML processor as well.
>
>
>
You see, this is precisely the problem.
HTML processors in web browsers should be designed to take in untrusted
data and treat it, exclusively, in an untrusted fashion. The problem
with latching "trust zones" onto this is that you provide a backdoor
that allows any person who can exploit the complex internal trust
relationships (or otherwise bypass it) to do whatever the HTML processor
allows it to do, which in the case of IE is almost anything.
The web browser was never meant to be a trusted application engine. It
was meant to display data, not interact with the software on your
computer. If done carefully and responsibly, add-ons that allow for
code launching are fine - as long as they can be removed at will and
without difficulty and do NOTHING transparently.
What we have here is misuse of a technology. That's where the root of
these problems exist. And any company that relies on the misuse of
technology, frankly, needs to address their IT strategy immediately and
think very clearly about what the ultimate end result of that is.
-Barry
p.s. There will always be buffer overflows and ways to exploit programs
using input, but following my line of thinking above, it becomes MUCH
easier to secure the browser so that those issues can be effectively
mitigated.
Powered by blists - more mailing lists