Why is the server-side fix not sufficient?

Posted Nov 30, 2006 21:38 UTC (Thu) by gerv (subscriber, #3376)
Parent article: The Firefox password manager vulnerability

"Several of the comments maintain that it is completely a server-side issue and that sites must take steps to insure that what they serve does not contain this kind of content. Unfortunately for Firefox users and developers, that simplistic approach will not suffice."

Why not? It suffices for JavaScript - that is, if a site includes user-supplied JavaScript in a page, Firefox currently doesn't promise to protect the user from anything it might do, and sites are quite happy to say "Yes, it's our responsibility to filter out script". And that is a good deal harder than filtering out <input type="password">... No-one would blame Firefox if MySpace allowed script and then malicious users started stealing login cookies.

People who place user-supplied content onto their website pages need to do filtering anyway - and, if they are smart, it'll be whitelist-based. We've just discovered one new thing they have to filter for.
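
The whitelist-based filtering mentioned in the comment above, as an added example that is not part of the original thread or any site's real code. The tag and attribute policy, the names `ALLOWED`, `WhitelistSanitizer` and `sanitize`, and the sample input are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: the only tags/attributes user content may use.
ALLOWED = {"p": (), "b": (), "i": (), "em": (), "strong": (), "ul": (),
           "ol": (), "li": (), "br": (), "a": ("href",)}
VOID = {"br"}                       # tags with no closing tag
DROP_CONTENT = {"script", "style"}  # drop the element and everything inside it
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # checked on every kept attribute (only href here)

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # <form>, <input type="password">, <iframe>, ... never reach output
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name in ALLOWED[tag] and value.lower().startswith(SAFE_SCHEMES):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while True:  # also close anything left open inside this element
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(user_html):
    parser = WhitelistSanitizer()
    parser.feed(user_html)
    parser.close()
    while parser.open_tags:  # balance tags the user left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)

# Constructed sample input, not taken from any real site.
SAMPLE = ('<p>Hi <b>there</b></p><form><input type="password" name="pw"></form>'
          '<script>doSomething()</script><a href="javascript:void(0)" onclick="x()">my page</a>')
```

Because the output is rebuilt only from tags on the list, a newly discovered dangerous element needs no policy change; a blacklist would need a new entry each time.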



Why is the server-side fix not sufficient?

Posted Dec 1, 2006 8:22 UTC (Fri) by walles (guest, #954)

Fixing one web browser is easier than fixing all web sites.

Why is the server-side fix not sufficient?

Posted Dec 2, 2006 1:55 UTC (Sat) by gerv (subscriber, #3376)

But it's not "all web sites". It's a small number of major sites (eBay, MySpace) which include "rich" user-generated content of this sort. Most smaller sites use a packaged CMS; these can be fixed if necessary.

Gerv

Why is the server-side fix not sufficient?

Posted Dec 2, 2006 10:50 UTC (Sat) by walles (guest, #954)

So how do you intend to get "most smaller sites" to update to CMS without this problem? And make sure nobody ever develops a new CMS with this problem?

I still think fixing one web browser sounds easier than fixing "a small number of major sites" and "most smaller sites".

Why is the server-side fix not sufficient?

Posted Dec 3, 2006 2:01 UTC (Sun) by gerv (subscriber, #3376)

"So how do you intend to get "most smaller sites" to update to CMS without this problem?"

In the same way they upgrade to get any other security fix?

"And make sure nobody ever develops a new CMS with this problem?"

How do you plan to make sure nobody ever develops a new web browser with this problem?

Gerv

Why is the server-side fix not sufficient?

Posted Dec 5, 2006 10:56 UTC (Tue) by walles (guest, #954)

The way "most smaller sites" apply security fixes is "not at all". Since it's my password that gets out that way, this isn't acceptable IMO.

I don't care if somebody develops a new web browser with this problem, since that wouldn't affect me.

As long as *I* keep using Firefox, I only care about getting Firefox fixed. If somebody else uses some other browser, it's up to them to worry about that browser's security issues.

Why is the server-side fix not sufficient?

Posted Dec 7, 2006 0:40 UTC (Thu) by gerv (subscriber, #3376)

> The way "most smaller sites" apply security fixes is "not at all".

Then they have bigger problems than input type="password". You worry about your password getting out; if they get hacked, every bit of information you've given them gets out, not just your password.

Either sort of fix would require security updates from someone. The server-side fix doesn't reduce the functionality of a useful browser feature; the client-side fix would.

Gerv
