[LINK] Study shows pop-up warnings are ineffective

Gordon Keith gordonkeith at acslink.net.au
Wed Oct 1 09:39:20 EST 2008

On Tue, 30 Sep 2008 12:20:08 pm Craig Sanders wrote:
> On Tue, Sep 30, 2008 at 11:23:38AM +1000, Gordon Keith wrote:
> > On Tue, 30 Sep 2008 10:54:45 am Karl Auer wrote:
> > > There's a difference between trusting the layer and trusting some
> > > series of executable statements arriving into that layer. Deciding
> > > whether some arbitrary chunk of code is OK to execute is a world more
> > > complex than just deciding what to do with an image or some text.
> >
> > But the difference is quantitative not qualitative.
> >
> > Do I trust my browser to correctly display an image without executing
> > arbitrary code? Malformed JPG exploits show that in some cases it is not
> > safe to do so.
> actually, the difference IS qualitative, not quantitative.
> a js-enabled browser executing js is functioning as designed.  the design
> may be flawed from a security perspective, but the browser IS doing what it
> is supposed to do.
> OTOH, vulnerability to bad data such as a malformed jpeg is a bug. it's
> not supposed to do that.
> one is intentional, the other is not. that's a HUGE qualitative difference.

When I wrote the above, I was thinking in terms of code running in a sandbox 
on a browser and thinking that code used to display things that doesn't 
escape the sandbox is not qualitatively different from displaying images.

I still think that's true.

But I now realise that JavaScript code doesn't just display things. It can 
collect and report back data to the server without user interaction. That is 
indeed a qualitative difference.

It's not just the sandbox I am trusting to protect my computer, I now have to 
trust an unknown server to protect my data. Very different things.



Gordon Keith

"640K ought to be enough for anybody." Bill Gates, 1981
