[LINK] Study shows pop-up warnings are ineffective
Craig Sanders
cas at taz.net.au
Tue Sep 30 12:20:08 AEST 2008
On Tue, Sep 30, 2008 at 11:23:38AM +1000, Gordon Keith wrote:
> On Tue, 30 Sep 2008 10:54:45 am Karl Auer wrote:
> > There's a difference between trusting the layer and trusting some series
> > of executable statements arriving into that layer. Deciding whether some
> > arbitrary chunk of code is OK to execute is a world more complex than
> > just deciding what to do with an image or some text.
>
> But the difference is quantitative not qualitative.
>
> Do I trust my browser to correctly display an image without executing
> arbitrary code? Malformed JPG exploits show that in some cases it is not safe
> to do so.

actually, the difference IS qualitative, not quantitative.

a js-enabled browser executing js is functioning as designed. the design
may be flawed from a security perspective, but the browser IS doing what it
is supposed to do.

OTOH, vulnerability to bad data such as a malformed jpeg is a bug. it's
not supposed to do that.

one is intentional, the other is not. that's a HUGE qualitative difference.

craig
--
craig sanders <cas at taz.net.au>