LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Why is the server-side fix not sufficient?

Why is the server-side fix not sufficient?

Posted Dec 2, 2006 1:55 UTC (Sat) by gerv (subscriber, #3376)
In reply to: Why is the server-side fix not sufficient? by walles
Parent article: The Firefox password manager vulnerability

But it's not "all web sites". It's a small number of major sites (eBay, mySpace) which include "rich" user-generated content of this sort. Most smaller sites use a packaged CMS; these can be fixed if necessary.

Gerv

(Log in to post comments)

Why is the server-side fix not sufficient?

Posted Dec 2, 2006 10:50 UTC (Sat) by walles (guest, #954) [Link]

So how do you intend to get "most smaller sites" to update to CMS without this problem? And make sure nobody ever develops a new CMS with this problem?

I still think fixing one web browser sounds easier than fixing "a small number of major sites" and "most smaller sites".

Why is the server-side fix not sufficient?

Posted Dec 3, 2006 2:01 UTC (Sun) by gerv (subscriber, #3376) [Link]

"So how do you intend to get "most smaller sites" to update to CMS without this problem?"

In the same way they upgrade to get any other security fix?

"And make sure nobody ever develops a new CMS with this problem?"

How do you plan to make sure nobody ever develops a new web browser with this problem?

Gerv

Why is the server-side fix not sufficient?

Posted Dec 5, 2006 10:56 UTC (Tue) by walles (guest, #954) [Link]

The way "most smaller sites" apply security fixes is "not at all". Since it's my password that gets out that way, this isn't acceptable IMO.

I don't care if somebody develops a new web browser with this problem, since that wouldn't affect me.

As long as *I* keep using Firefox, I only care about getting Firefox fixed. If somebody else uses some other browser, it's up to them to worry about that browser's security issues.

Why is the server-side fix not sufficient?

Posted Dec 7, 2006 0:40 UTC (Thu) by gerv (subscriber, #3376) [Link]

> The way "most smaller sites" apply security fixes is "not at all".

Then they have bigger problems than input type="password". You worry about your password getting out; if they get hacked, every bit of information you've given them gets out, not just your password.

Either sort of fix would require security updates from someone. The server-side fix doesn't reduce the functionality of a useful browser feature; the client-side fix would.

Gerv

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds