Full Disclosure mailing list archives
Re: Google open redirect
From: Dave <mrx () propergander org uk>
Date: Fri, 09 Dec 2011 21:40:38 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/12/2011 20:31, Marsh Ray wrote:
On 12/08/2011 12:37 AM, Michal Zalewski wrote:For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting with, there is very little any particular web application can do to save you: you are just at a significant risk wherever you go. If you take away open redirectors, a myriad of other, comparable ways to fool you remain, and can't be fixed easily.I think reasoning based on this is subtly fallacious and it often contributes to disagreements between researchers and large vendors. This is how we got into the state of the web today: bad faith on the part of browser vendors. They may be in the minority, but there *are* users out there who know how to look at the address bar. The security researcher knows this because he is one of them. I call this group the "competent and contentious users". Large vendors are constantly holding bad faith against their userbase. This may be borne out by large user studies, but I've lost count of the number of times I've heard actual security improvements shot down because "typical users" are presumed to be so incompetent and careless that they will fail to derive a significant benefit from it. I maintain that design decisions affecting security must be driven by the needs of the competent and contentious user because if he cannot achieve effective security in using of the system, then what chance has the "typical user"?! Avoiding security improvements because the are perceived as being of little benefit to type typical user is wrong. Doing so gains nothing for the typical users, it decreases the security available to competent and contientious users, and worst of all it actively removes any incentives for the "typical user" to begin to take responsibility for their own security. I think when the "typical user" gets pwned with phishing or malware he thinks a combination of "stupid Microsoft", "the Internet is out to get me", and "what did I do wrong?". The vendor implicitly answers: "you did nothing wrong because this is all too complicated for you to understand, you should install this additional product to give you better security". Perhaps this made sense back when the Internet was a toy and the biggest security risk was a limited-liability credit card number, but today we have whole populations in places like Iran wondering if their ass is going to get tortured over something they said on social media. I think a lot of typical users today are probably wanting to move into that other category and we should support them in that. - Marsh
Whilst I agree with what you have said the majority of computer users today are just consumers. They expect their nice new shiny Win 7 laptop to behave just like their washing machine. Push a button and it does what is expected, they don't expect to have to understand how it works nor do they expect it to do "bad things" when they are not looking. Occasionally a scam may make head line news, but the attention span and memory of the average consumer is measured in days or weeks not a lifetime. The marketing blurb from software providers be that OS or application does nothing to dispel this expectancy. In fact the marketing blurb does it's best to hide any possibility of detriment from using the product from the user. The user does blame MS or the Internet and very rarely their own incompetence in using the computing device. Why? because all the marketing blurb for such devices avoids any indication that using said device may result in the compromise of identity or bank account. Where does the advertising for computing devices state that the system is flawed? Nowhere. The consumer is given this image of a wonderful device doing wonderful things. A device that would never bend them over when they least expect it. The solution is either make the Internet and computers totally secure, or educate the user that the system, be that OS, application or Internet is broken and they need to be on their guard against what may happen for every click they make. I like to think I am somewhat competent. The last virus I had, the last compromise I faced was the Saddam virus on my Amiga. My confidence doesn't make feel I that I will never be owned or compromised. There are far smarter people out there than I. The average consumer does not think this way, they are drunk on the kool aid. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBTuKAVrIvn8UFHWSmAQJ/lwf+K8bxBc8lUzwkQ7gA82eqfhU6pBPAJhcg CpHk1jYaeIlnGrWxWwpwxdoxCnvmiDDnqrRgsJrA/JQyLBJGDF082St85CVn6Up4 zKufd8fyxk9jtJTOL47z7XWbaIuGJb748zhdVTLbBBDmrY5eP8HueVhnT9puGUl4 /oRiTQU5bEqd9tZkbYE0idipuxUSlZRa6+YV4ljtMXRvioBEvxL1Di0PJN+nq6wi GGxjreCIfF9uZFJXf4DGZ7F3qG7vHOTWFw341e2VTdTlMsyxsE58xjwd6K4qJFUF 7tbLegKwP6ewW1xc+7PucZYYI5ZyMiF0FtRxmdoJaZ4qxeX28kbl8g== =yvm2 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Google open redirect, (continued)
- Re: Google open redirect Luis Santana (Dec 07)
- Re: Google open redirect Michal Zalewski (Dec 07)
- Re: Google open redirect Michal Zalewski (Dec 08)
- Re: Google open redirect Dave (Dec 08)
- Re: Google open redirect Michal Zalewski (Dec 08)
- Re: Google open redirect Marsh Ray (Dec 09)
- Re: Google open redirect Michal Zalewski (Dec 09)
- Re: Google open redirect Charles Morris (Dec 12)
- Re: Google open redirect Valdis . Kletnieks (Dec 09)
- Re: Google open redirect Marsh Ray (Dec 11)
- Re: Google open redirect Dave (Dec 09)
- Re: Google open redirect Tavis Ormandy (Dec 10)
- Re: Google open redirect Marsh Ray (Dec 13)
- Re: Google open redirect Tavis Ormandy (Dec 13)
- Re: Google open redirect Charles Morris (Dec 08)
- Re: Google open redirect Benji (Dec 08)
- Re: Google open redirect Charles Morris (Dec 08)
- Re: Google open redirect Benji (Dec 08)
- Re: Google open redirect Charles Morris (Dec 08)
- Re: Google open redirect Pablo Ximenes (Dec 08)
- Re: Google open redirect Charles Morris (Dec 08)