lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <419E3B8C.6010806@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: IE is just as safe as FireFox

Vincent Archer wrote:

>
>Other apps flatly refuse to work with anything but IE. None of these
>are strictly "web applications" anymore - they are applications that use
>an UI processor, which happens to be the HTML processor as well.
>
>  
>
You see, this is precisely the problem.

HTML processors in web browsers should be designed to take in untrusted 
data and treat it, exclusively, in an untrusted fashion.  The problem 
with latching "trust zones" onto this is that you provide a backdoor 
that allows any person who can exploit the complex internal trust 
relationships (or otherwise bypass it) to do whatever the HTML processor 
allows it to do, which in the case of IE is almost anything.

The web browser was never meant to be a trusted application engine.  It 
was meant to display data, not interact with the software on your 
computer.  If done carefully and responsibly, add-ons that allow for 
code launching are fine - as long as they can be removed at will and 
without difficulty and do NOTHING transparently. 

What we have here is misuse of a technology.  That's where the root of 
these problems exist.  And any company that relies on the misuse of 
technology, frankly, needs to address their IT strategy immediately and 
think very clearly about what the ultimate end result of that is. 

             -Barry

p.s.  There will always be buffer overflows and ways to exploit programs 
using input, but following my line of thinking above, it becomes MUCH 
easier to secure the browser so that those issues can be effectively 
mitigated.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ