TalkBack 9 of 38:
Speak 4 urself, but not TO urself!
You guys are talking past each other. Yes, of course, from a security standpoint -- and from a good security standpoint -- it is highly desirable to just block script execution globally, allowing exceptions only for trusted sites. But in the real world, doing this is difficult. It is NOT supported by the security model in any of the major browsers, nor is it encouraged by the proliferation of sites out there today that become difficult to use or even useless if you do _not_ enable script execution.

So I am glad this issue is finally getting the attention and publicity it should have got years ago.

But now what would a realistic solution look like? Relying on an add-on is a really bad idea, especially if it is only available for a browser with only about 10% market share (Firefox). That just means that hackers will go ahead and develop the attacks, and target IE users, who are already an all too attractive target.

And please, don't smugly say "I use Firefox, so this does not affect me". It affects all of us, whether we use a vulnerable browser or not.

But back to a realistic solution: all major browsers will have to get security upgrades and the new default installations will have to have the new security features enabled by default. And these features will be? If we insist on IE's notion of 'zones', it will have to support a new set of zones, one that allows the distinction between sites trusted to run scripts, and those not so trusted.

More important, it needs to support a way for the technically-not-so-savvy user to _update_ that list of trusted/non-trusted sites, based on _reliable_ information.

One way to do this would be to support a secure certification program, much as VeriSign does with their SSL certificates: in order to get a certificate from VeriSign, you have to prove to them that you are who you say you are, and that you follow basic security procedures to keep your own site from being hacked. Once you prove this to VeriSign's satisfaction, you get the privilege of paying for the certificate.

Of course, this is not perfect either. It is possible to fool VeriSign into thinking you are much more trustworthy than you are. Possible, but not easy.

But it is a much better security protocol than the current 'system'.
Posted by: mejohnsn | Posted on: 03/23/07
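The zone idea in the post above, as an added example (not code from this thread or from any browser): a default-deny script policy that treats the "trusted" zone as an allowlist of origins, matched on scheme plus exact host or subdomain rather than by substring, with an update path that accepts only well-formed https origins. The zone names, sample origins and function names are constructed for illustration.

```javascript
// Added example, not part of the original ZDNet discussion.
// Models the post's proposal: script execution is denied unless the
// page's origin is in an explicit trusted zone. Assumptions (constructed):
//  - an entry such as "https://bank.example" also covers its subdomains;
//  - an explicit "blocked" entry always wins over "trusted";
//  - updates to the trusted list must be bare https origins (no path,
//    query, fragment or credentials), so the list cannot be polluted
//    with entries that match more than intended.

const DEFAULT_ZONES = {
  trusted: new Set(["https://bank.example", "https://mail.example.net"]),
  blocked: new Set(["https://ads.example.org"]),
};

// Reduce a URL to scheme://host[:port]; only http(s) pages can be trusted.
// javascript:, data:, file: and unparsable strings all yield null (deny).
function normalizeOrigin(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin;
}

// Exact host or a real subdomain. Deliberately NOT host.includes(entry):
// a substring check would accept "bank.example.evil.test" for "bank.example".
function hostMatches(entryHost, host) {
  return host === entryHost || host.endsWith("." + entryHost);
}

function inZone(origin, entries) {
  const u = new URL(origin);
  return [...entries].some((entry) => {
    const e = new URL(entry);
    return e.protocol === u.protocol && hostMatches(e.hostname, u.hostname);
  });
}

// "blocked", "trusted" or "internet" (the default, untrusted zone).
function zoneOf(urlString, zones = DEFAULT_ZONES) {
  const origin = normalizeOrigin(urlString);
  if (origin === null) return "blocked";
  if (inZone(origin, zones.blocked)) return "blocked";
  if (inZone(origin, zones.trusted)) return "trusted";
  return "internet";
}

// The policy decision itself: default deny, allow only the trusted zone.
function scriptDecision(urlString, zones = DEFAULT_ZONES) {
  return zoneOf(urlString, zones) === "trusted" ? "allow" : "deny";
}

// Update path for the trusted list. Accepts only a bare https origin and
// returns false (list unchanged) for anything else.
function addTrusted(entry, zones = DEFAULT_ZONES) {
  let u;
  try { u = new URL(entry); } catch { return false; }
  const bareOrigin =
    u.protocol === "https:" && u.pathname === "/" && u.search === "" &&
    u.hash === "" && u.username === "" && u.password === "";
  if (!bareOrigin) return false;
  zones.trusted.add(u.origin);
  return true;
}

module.exports = { normalizeOrigin, hostMatches, zoneOf, scriptDecision, addTrusted };
```

Two details matter for the "technically-not-so-savvy user" the post has in mind: the scheme is part of the match, so a trusted https site does not silently extend trust to its plain-http twin, and every candidate entry is validated before it enters the list, so a bad update cannot widen the allowlist.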


Easy fix  nECrO_z | 03/20/07
Now we're thinking.  Intellihence | 03/20/07
Not so easy...  ridingthewind | 03/21/07
So true, everything uses JavaScript these days. You would spend half of  DonnieBoy | 03/21/07
Maybe temporarily  John Sawyer | 03/23/07
Easier than you think...  doas777 | 03/21/07
Not completely true  TripleII | 03/21/07
Speak for yourself  JDThompson | 03/21/07
Speak 4 urself, but not TO urself!  mejohnsn | 03/23/07
Not true  CobraA1 | 03/22/07
That's probably been hiddenly addressed  Boot_Agnostic | 03/21/07
Hack the Hacker ?  JackSprat_1984@... | 03/21/07
Hacker vs cracker  John Sawyer | 03/23/07
Usage is the Final Arbiter  mejohnsn | 03/23/07
Firefox w/ noscript - not that difficult  not-a-zealot | 03/21/07
Maybe, but...  adsanders@... | 03/21/07
Not particularly amazing  lfugate@... | 03/21/07
not particularly true  cfortune | 03/21/07
Repeated  TripleII | 03/21/07
?  SmudgeTheFirst | 03/21/07
javascript  shryko | 03/21/07
use it yourself to sniff vulnerabilities in your own site  cfortune | 03/21/07
Guess it's time to restrict ECMAscript...  Resuna | 03/21/07
Old news....  PhilFrisbieJr | 03/21/07
So let me see if I've got this straight...  Heatlesssun1 | 03/21/07
Curiosity... Why write these codes in the first place  Fragash | 03/21/07
use linux; be secure  milkyway8754@... | 03/21/07
Javascript is cross-platform  JDThompson | 03/21/07
Wrong site...  cmjrees | 03/22/07
Hacker Conventions????  hrwaller | 03/22/07
Terrorists?  cmjrees | 03/22/07
Hackers? Burglars? Security?!!  dcellerd@... | 03/22/07
Depends  CobraA1 | 03/22/07
Hacker Cure?  crawdad2k | 03/22/07
This is why I use NoScript (nt)  CobraA1 | 03/22/07
BTW, NoScript just updated to help prevent this (nt)  CobraA1 | 03/27/07
Re: BTW, NoScript just updated to help prevent this  bill deville | 01/16/08
One unanswered question...  Night_Bengal@... | 03/25/07

