Full Disclosure mailing list archives
Re: Browser security was Re: MDKSA-2004:021 - Updated mozilla packages fix multiple vulnerabilities
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 11 Mar 2004 22:17:28 +1300
Gary Flynn <flynngn () jmu edu> wrote: <<snip>>
What I'd like to see personally is a right-click "temporarily disable/enable risky functionality for this site" option so this functionality can be turned on and off easily for those users willing to put up with the discomfort of day to day web "browsing" without scripts but not willing to put up with having to go through three or more configuration screens for a temporary site visit. ...
Hear, hear!!
... Yeah, I know, make it too easy and you get the email attachment syndrome but I think the feature would overall encourage more people to try browsing in a safer default configuration than today's mechanism. ...
Or maybe not. Regardless though, why make it so fricking difficult for those who _do_ want to use your browser "safely", rather than with some developer amalgam "convenient average" setting?
... You fight human nature and you lose. ...
8-)
... It could always be disabled by a master switch in an organizational policy. Shoot, even security vendors make use of script on their web pages and I think most of us would have to admit having to go to a site requiring script and forgetting to turn it back off at least once. :)
Of course, solving more or less the same problem set was the intended aim of IE's security zones. The big problem there is MS never went to any trouble to make it at all clear to the user what the point was, never made it easy to drop a site into the "Trusted Sites" zone and, of course (we are talking about Redmond after all), defaulted "world plus dog" into the "Internet" zone with laughably pathetic security settings so "everything would work out of the box" (especially all the inevitable security exploits) so no-one with less than a truckload of clue would ever have any motivation to even _think_ about the very important issues underlying it all... (Kinda makes you wonder why they even bothered devising the security zones from the outset and implementing all the infrastructure thereunder, but I'm sure the shipping configuration was yet another win for marketing over technical nous.)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html