[LINK] Study shows pop-up warnings are ineffective

Gordon Keith gordonkeith at acslink.net.au
Wed Oct 1 09:39:20 AEST 2008


On Tue, 30 Sep 2008 12:20:08 pm Craig Sanders wrote:
> On Tue, Sep 30, 2008 at 11:23:38AM +1000, Gordon Keith wrote:
> > On Tue, 30 Sep 2008 10:54:45 am Karl Auer wrote:
> > > There's a difference between trusting the layer and trusting some
> > > series of executable statements arriving into that layer. Deciding
> > > whether some arbitrary chunk of code is OK to execute is a world more
> > > complex than just deciding what to do with an image or some text.
> >
> > But the difference is quantitative not qualitative.
> >
> > Do I trust my browser to correctly display an image without executing
> > arbitrary code? Malformed JPG exploits show that in some cases it is not
> > safe to do so.
>
> actually, the difference IS qualitative, not quantitative.
>
> a js-enabled browser executing js is functioning as designed.  the design
> may be flawed from a security perspective, but the browser IS doing what it
> is supposed to do.
>
> OTOH, vulnerability to bad data such as a malformed jpeg is a bug. it's
> not supposed to do that.
>
> one is intentional, the other is not. that's a HUGE qualitative difference.

When I wrote the above, I was thinking in terms of code running in a sandbox 
on a browser and thinking that code used to display things that doesn't 
escape the sandbox is not qualitatively different from displaying images.

I still think that's true.

But I now realise that JavaScript code doesn't just display things. It can
collect and report back data to the server without user interaction. That is 
indeed a qualitative difference.

It's not just the sandbox I am trusting to protect my computer, I now have to 
trust an unknown server to protect my data. Very different things.

Regards
Gordon



-- 

Gordon Keith

"640K ought to be enough for anybody." Bill Gates, 1981


