Bugtraq mailing list archives
Re: Phishing - feature or flaw
From: "David A. Wheeler" <dwheeler () ida org>
Date: Mon, 27 Jun 2005 11:07:31 -0400
Secure Science Corporation Bugtraq <bugtraq () securescience net> said:
Regarding certain vulnerabilities that are being discovered such as http://secunia.com/multiple_browsers_dialog_origin_vulnerability_testAre these really features, or are they flaws now because of the phishing threat vector. Originally javascript/DHTML/DOM is pretty powerful and can do a lot of nasty stuff if someone were inclined. But phishing has caused us to take a look at the once dubbed features of DHTML, and possibly put responsibility onto the browser vendors for fixing these now dubbed "flaws".For example, is this a flaw - https://slam.securescience.com/threats/mixed.html
As has been often noted, "without a specification, the behavior of a system cannot be wrong, it can only be surprising". In the long term, it would be good idea for the browser makers to get together, agree on, and _write down_ what security properties users can count on in their browsers. E.G., what threats are they designed to counter? What are their security objectives & requirements? What countermeasures are the bare minimum? Then, if a browser did or didn't do something related to security, people could appeal to that "minimum standard". If Microsoft (IE), Mozilla (Firefox), Opera, Apple (Safari), and KDE (Konqueror) agreed on something, it'd probably go somewhere. That would at least create some sort of basic "floor" people could more-or-less count on. But right now, dancing on the head of the pin of whether something is a "flaw" is pointless. Browsers are widely used by ordinary users who simply don't understand this "computer stuff".. and they won't gain that understanding tomorrow, either. So, if an ordinary low-knowledge user can be easily tricked into dangerous behavior by the brower's actions, AND there is a reasonable countermeasure that the browser could deploy, THEN the browser should incorporate such a protective measure. Yes, 'easily' and 'reasonable' and other terms are really ambiguous, but since there's no real security specification for browsers, that's where we are at right now. (Yes, I'm fully aware that these naive users wouldn't read a spec.) --- David A. Wheeler
Current thread:
- Phishing - feature or flaw Secure Science Corporation Bugtraq (Jun 25)
- Phishing Solutions (was: Phishing - feature or flaw) Chris Brenton (Jun 27)
- <Possible follow-ups>
- Re: Phishing - feature or flaw David A. Wheeler (Jun 27)