[WEB SECURITY] Server Obligation for Client Vulnerabilities (was: Universal XSS with PDF files: highly dangerous)
- From: "Neil Smithline" <webappsecurity.org@xxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Server Obligation for Client Vulnerabilities (was: Universal XSS with PDF files: highly dangerous)
- Date: Sat, 6 Jan 2007 00:00:32 -0500
On 1/4/07, James Landis <jcl24@cornell.edu> wrote:
>
> Again I would raise the question of whether remediation of this issue is
> the Web developer's responsibility. Clearly the problem is with the
> installed client software and just because it is possible to create a
> solution on the server side which defeats the attacks, that shouldn't mean
> it is necessary. Developers have enough work to do just to secure their own
> code, let alone cleaning up after others' mistakes.
James - This question really strikes me hard. My take is that while not
every application installation needs to be responsible for vulnerabilities
in the client, many (if not most) do. Imagine if your bank stopped worrying
about client security and you got bit by one of these vulnerabilities. I
admit that probably isn't too likely as you are so well informed, but how
about the other 99.9999% of the people on the internet? What is to protect
them? Are you expecting that each and every internet user keeps up with
every client-side vulnerability and fix that is required for it? To me,
users should be expected to be, at best, mildly sophisticated.
And, going back to the bank example, who will pay the price if the user's
client isn't secure and a client-side vulnerability is successfully
exploited? Almost certainly the bank will pick up the direct costs by
covering all monetary losses (the PR fiasco of not doing so would be too
destructive). The bank will also have to deal with the larger problem should
the exploit hit the press. They just love to play this stuff up.
I think that any responsible organization must worry about the secureness of
their users' computers. In my mind, it is the same issue as phishing in that
an ignorant user unknowingly turns over their account. All major sites worry
about phishing and are frantically trying to come up with good technical
solutions as well as user educational programs to deal with it.
Well enough ranting (for the moment) - at least on my part.
- Neil
Brought to you by http://www.webappsec.org