
Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)



On 6/25/06, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
... I submit for the consideration of the
court a system for browsers and servers to cooperate to mitigate the
risk of CSRF and reflected XSS.

I think you are on the right track. For some time now I have been arguing for gradually moving to a more secure web application deployment environment. My ideas revolve around nine points, documented in the Secure Browsing Mode proposal:

http://www.modsecurity.org/blog/archives/Secure_Browsing_Mode_Proposal.pdf
(which I have just posted online together with a blog entry:
http://www.modsecurity.org/blog/archives/2006/06/secure_browsing.html)

From the document:

It is widely accepted today that web applications are inherently insecure. A lot of energy was invested in the past years into making web applications more secure, but there is only so much we can do with the fundamentally insecure foundation. This brief document proposes a set of possible browser improvements that would allow us to establish, gradually, a secure environment for web applications.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/