
RE: [WEB SECURITY] Fundamental error in Corsaire's paper?



> Uh, perhaps I'm not educated in the matter, but how does 
> a site turn off Javascript support in the browser? 

Sorry, poor terminology on my part; a physical site/client.

> Hmmmm... - not too common, so it seems.

Well, MS often tend to be the spanner in the ointment when it comes to
standards compliance, but even if you accept all of those MS vagaries,
this is still counter evidence to the blanket "There is no such thing as
path security" statement.  Granted, the practical worth of it today
(with the browser issues in evidence) is limited. ;)

> Oh, I disagree here. In my opinion, these are NOT browser issues 

Life is rarely so simple in the world of RFCs.  One of the reasons the
initial advisory took months to be released is that it wasn't possible
to get a consensus on the root of the problem, and whether it should be
addressed at the browser, at the server, or a combination of both.
There was input from Microsoft, Apache, Mozilla, Apple, Galleon, KDE and
Opera, but no consensus.  In the end I recall the debate drying up, and
the vendors who attempted to resolve the issue went for a URI
canonicalisation approach at the browser, prior to path comparison.

> As for SSL, I strongly disagree. 

Me too! :p

SSL is used as a blanket term for multiple protocols, some of which are
flawed.  Some cipher suites offer little or no protection at all, and
most out-of-the-box SSL implementations are weak.  And the crux is that
the security of SSL depends entirely on the integrity of the local
certificate management process, which generally is non-existent.  I
could go on, but suffice to say that a poor SSL implementation offers at
best a false sense of security.

Want to hazard a guess at what I have been playing with in my research
time for the last few months?  :)

Martin...
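The "URI canonicalisation prior to path comparison" approach mentioned above, sketched as an added Python example that is not from the original thread or from any of the vendors named in it; the function names and sample paths are my own, and the naive comparator is included only to show what canonicalisation changes.

```python
import posixpath
from urllib.parse import unquote


def canonicalise_path(raw_path: str) -> str:
    """Normalise a request path before any path-based comparison.

    Percent-decoding happens first so that encoded "." or "/" characters
    cannot smuggle segments past the later normalisation step.
    """
    decoded = unquote(raw_path)
    # Force a single leading slash; posixpath.normpath would otherwise
    # preserve a leading "//" as a distinct path.
    decoded = "/" + decoded.lstrip("/")
    # Collapse "." and ".." segments and repeated slashes.
    normalised = posixpath.normpath(decoded)
    # normpath drops trailing slashes; keep one so that a directory scope
    # such as "/app/" stays distinct from a resource named "/app".
    if decoded.endswith("/") and not normalised.endswith("/"):
        normalised += "/"
    return normalised


def path_matches(request_path: str, restricted_path: str) -> bool:
    """Path-scope check after canonicalising both sides.

    The request is in scope if it equals the restricted path or lies
    beneath it as a whole directory segment (so "/application" is not
    inside "/app").
    """
    req = canonicalise_path(request_path)
    scope = canonicalise_path(restricted_path)
    if not scope.endswith("/"):
        scope += "/"
    return req == scope.rstrip("/") or req.startswith(scope)


def naive_path_matches(request_path: str, restricted_path: str) -> bool:
    """Plain string-prefix comparison with no canonicalisation (for contrast)."""
    return request_path.startswith(restricted_path)


if __name__ == "__main__":
    # Constructed sample paths; "/app" is the hypothetical restricted scope.
    for path in ["/app/sub/page", "/application", "/app/../other/page", "/app/%2E%2E/other/"]:
        print(f"{path:28} naive={naive_path_matches(path, '/app')!s:5} "
              f"canonical={path_matches(path, '/app')}")
```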

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/