WebApp Sec mailing list archives
RE: [WEB SECURITY] Fundamental error in Corsaire's paper?
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Fri, 28 Apr 2006 17:50:35 +0100
Uh, perhaps I'm not educated in the matter, but how does a site turn off Javascript support in the browser?
Sorry, poor terminology on my part; a physical site/client.
Hmmmm... - not too common, so it seems.
Well, MS often tend to be the spanner in the ointment when it comes to standards compliance, but even if you accept all of those MS vagaries, this is still counter evidence to the blanket "There is no such thing as path security" statement. Granted, the practical worth of it today (with the browser issues in evidence) is limited. ;)
Oh, I disagree here. In my opinion, these are NOT browser issues
Life is rarely so simple in the world of RFCs. One of the reasons the initial advisory took months to be released is that it wasn't possible to get a consensus on the root of the problem, and whether it should be addressed at the browser, at the server, or a combination of both. There was input from Microsoft, Apache, Mozilla, Apple, Galleon, KDE and Opera, but no consensus. In the end I recall the debate drying up, and the vendors who attempted to resolve the issue went for a URI canonicalisation approach at the browser, prior to path comparison.
As for SSL, I strongly disagree.
Me too! :p SSL is used as a blanket term for multiple protocols, some of which are flawed. Some cipher suites offer little or no protection at all, and most out-of-the-box SSL implementations are weak. And the crux is that the security of SSL depends entirely on the integrity of the local certificate management process, which generally is non-existent. I could go on, but suffice to say that a poor SSL implementation offers at best a false sense of security. Want to hazard a guess at what I have been playing with in my research time for the last few months? :) Martin... ---------------------------------------------------------------------- CONFIDENTIALITY: This e-mail and any files transmitted with it are confidential and intended solely for the use of the recipient(s) only. Any review, retransmission, dissemination or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient(s) is prohibited. If you have received this e-mail in error please notify the sender immediately and destroy the material whether stored on a computer or otherwise. ---------------------------------------------------------------------- DISCLAIMER: Any views or opinions presented within this e-mail are solely those of the author and do not necessarily represent those of Corsaire Limited, unless otherwise specifically stated. ---------------------------------------------------------------------- Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF Telephone: +44(0)1483-226000 Email:info () corsaire com ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper?, (continued)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 27)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Dan Kuykendall (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Brian Eaton (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Armag (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 28)
- Re: [WEB SECURITY] Fundamental error in Corsaire's paper? Achim Hoffmann (Apr 30)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Armag (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Amit Klein (AKsecurity) (Apr 27)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 28)
- RE: [WEB SECURITY] Fundamental error in Corsaire's paper? Martin O'Neal (Apr 29)