[LINK] Study shows pop-up warnings are ineffective

Craig Sanders cas at taz.net.au
Tue Sep 30 12:20:08 AEST 2008


On Tue, Sep 30, 2008 at 11:23:38AM +1000, Gordon Keith wrote:
> On Tue, 30 Sep 2008 10:54:45 am Karl Auer wrote:
> > There's a difference between trusting the layer and trusting some series
> > of executable statements arriving into that layer. Deciding whether some
> > arbitrary chunk of code is OK to execute is a world more complex than
> > just deciding what to do with an image or some text.
> 
> But the difference is quantitative not qualitative.
> 
> Do I trust my browser to correctly display an image without executing 
> arbitrary code? Malformed JPG exploits show that in some cases it is not safe 
> to do so.

Actually, the difference IS qualitative, not quantitative.

A JS-enabled browser executing JS is functioning as designed. The design
may be flawed from a security perspective, but the browser IS doing what it
is supposed to do.

OTOH, vulnerability to bad data such as a malformed JPEG is a bug. It's
not supposed to do that.

One is intentional, the other is not. That's a HUGE qualitative difference.

craig

-- 
craig sanders <cas at taz.net.au>
