Educause Security Discussion mailing list archives
Re: web browser security zones
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 11 Jan 2006 14:02:24 -0500
Valdis Kletnieks wrote:
On Wed, 11 Jan 2006 11:16:34 CST, Kevin Shalla said:in that zone), but not much. Do other browsers have such detailed settings by security zone? It appears that Firefox has very little granularity (just load images and popups) in the security setup.That's because the Firefox world-view is that *all* remote sites are untrusted.
Yet its default state for scripting and other avenues of attack is 'enabled' for *all* those sites it doesn't trust. If scripting is turned off for any browser, the number of defects that are available for exploitation have in the past been significantly less. The link below once went to a page listing defects and the ways that the defects could be mitigated without a patch. Almost every one said "disable scripting". I don't seem to be able to find that information in the new format. Interestingly, they also don't put dates next to the security patches anymore either so its hard to discern a timeline of security defects at one glance. ;) http://www.mozilla.org/projects/security/known-vulnerabilities.html I hesitate to defend a browser that has had a security defect at least every other month for the past several years but the ability of IE to give or take away functionality based on site is a good idea, even though it may presently not be used or implemented in the best way. The core functionality is in Mozilla too but hasn't been provided a user interface by the Mozilla folks: http://www.mozilla.org/projects/security/components/ConfigPolicy.html
At 11:54 AM 1/10/2006, David Gillett wrote:I recall that, a few years back, it was common for Microsoft to downplay IE bugs with this "must get user to visit a suspicious site" argument. And then some hacker crew broke into a hosting company and defaced 500+ legit websites, adding code that exploited some of those vulnerabilities.
Its repeatable. :) 2003 http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675 2004 http://www.cnn.com/2004/TECH/internet/06/25/internet.attack/index.html http://www.eweek.com/article2/0,1895,1730877,00.asp 2005 I don't recall any specific instances but there were lots of reports of various IE defects being exploited on hacked web servers (which I've seen more than once) and ad banners. This probably carries over into 2006 with the WMF exploits. It kind of follows the pattern of compromises being more stealthy than the huge and noisy ones of the past.
The notion that users can have any real idea, a priori, about the actual safety of any site is just false.
Amen. Or email attachments. Or links. Or downloads. Or processes running on their computers. :(
And David explains quite well exactly why. If, by some chance, your campus webserver gets defaced, then every single desktop that lists it as "trusted" is immediately vulnerable to compromise if they visit the now-hacked server.
Yeah, that is a real sticky situation. I cringe when I finally convince someone to set the IE Internet zone's security to high and they proceed to put external sports, news, weather, and game sites into their trusted zone. But looking at it from a risk assessment view, it has to be better than trusting the entire Internet. While there may be a hole you could drive a truck through, particularly if targeted, cutting the number of sites from hundreds of millions to a few hundred, certainly has to be a security improvement. Its important to keep in mind that just putting a site in the trusted zone does not automatically make the client vulnerable to a hack. Certainly, the opportunity for a social engineering attack is greatly increased but if your campus web site is hacked, that won't be too hard anyway. Generally, a defect will still need to be exploited...one that could be exploited in IE's Internet zone or Firefox's out of the box configuration if all it required was scripting to be enabled. Note also that the privileges granted to sites in the trusted zone can also be adjusted. -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Current thread:
- web browser security zones Kevin Shalla (Jan 11)
- <Possible follow-ups>
- Re: web browser security zones Valdis Kletnieks (Jan 11)
- Re: web browser security zones Gary Flynn (Jan 11)
- Re: web browser security zones Gary Dobbins (Jan 11)
- Re: web browser security zones Gary Flynn (Jan 11)