[LINK] Study shows pop-up warnings are ineffective
Gordon Keith
gordonkeith at acslink.net.au
Tue Sep 30 11:23:38 AEST 2008
On Tue, 30 Sep 2008 10:54:45 am Karl Auer wrote:
> > Every single trust mechanism we try to build must sit on top of some
> > trusted layer below
>
> There's a difference between trusting the layer and trusting some series
> of executable statements arriving into that layer. Deciding whether some
> arbitrary chunk of code is OK to execute is a world more complex than
> just deciding what to do with an image or some text.

But the difference is quantitative, not qualitative.

Do I trust my browser to correctly display an image without executing
arbitrary code? Malformed JPG exploits show that in some cases it is not safe
to do so.

Do I trust my browser to correctly confine a malicious JavaScript program?
There are plenty of exploits that show it is not always safe to do so, but
are there browsers which are now safe?

Yes, it is much more complex to decide if an arbitrary chunk of code is safe to
run than it is to decide an arbitrary image is safe to display, but mistakes
have been made in both cases and browser security is getting better.

Whether it is yet good enough for browsing full time with JavaScript
enabled is up to the user to determine how much they trust their browser and how
much they are willing to lose. Is the average user in a position to make an
informed decision? I doubt it.

Personally, my default browser setting is JavaScript off and
autoloading images disabled. But I don't claim to be sufficiently well
informed to make a definite decision; I spend a bit of time on the web, so
I'm cautious.

Regards
Gordon
--
Gordon Keith
God showed his love for us by sending his only Son into the world,
so that we might have life through him.
-- 1 John 4:9