
Re: Ultimate solution



  In my experience many users will, and do, go out of their way to
circumvent their own protection unless very aware of the consequences,
and sometimes even then. If they really want to see that funny flash
animation on a certain site, they will find a way to do it and then
often forget to undo the changes they made there, thereby leaving themselves
vulnerable.

There are some aspects of Flash, JavaScript, etc., that are safe, and do not reveal any information. There are other aspects that are unsafe.

This gets back to the whole issue I raised earlier, in another thread.
Why try to sell people on "OK, but you need to use a completely
stripped down browser that can't display most modern sites at all
because all scripting systems are disabled"? Why not use a "security
manager" model, where the browser commands are verified by a separate
security manager, configured by the user? Then Tor can just distribute
a security manager file.

This would require some sort of system for "I'm the browser, this is
the file I just downloaded, tell me what I can safely execute". "I'm
the javascript parser, this is what I've just parsed and written via
document.write but not yet executed. Tell me what I can safely
execute". "I'm the browser, this is the full document after fetching
all the embedded references. I know I've asked you on each of those
parts separately, now here's the whole shebang. Tell me what I can
safely execute." Etc.

The whole "Because some aspect of Flash can kill you, all of Flash
must be junked" approach won't work. That's like saying, "Because Java
could contain an unsafe program, no Java can be used". Sun designed a
security manager system into Java specifically to deal with that
concern. If the default security manager isn't good enough -- if the
default SM permits unproxied connections, for example -- then we need
a new SM that does not permit unproxied connections, or forces them to
become proxied without the code realizing it.

Java does permit changing the SM, doesn't it?

Why not implement one for the rest of the browsing experience?
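The Java security-manager model the post points at, as an added illustration that is not code from the post or from Tor: a hypothetical `ProxyOnlySecurityManager` that refuses local name resolution and any connection not addressed to the configured proxy endpoint (127.0.0.1:9050 is a constructed placeholder). It assumes a JDK on which a Security Manager can still be installed (it was deprecated for removal in JDK 17 and permanently disabled in JDK 24; JDK 18 to 23 need -Djava.security.manager=allow).

```java
import java.net.Socket;
import java.security.Permission;

/**
 * Hypothetical "proxy-only" Security Manager: refuses local name resolution
 * and any outbound connection that does not go to the configured proxy.
 */
public class ProxyOnlySecurityManager extends SecurityManager {
    private final String proxyHost;
    private final int proxyPort;

    public ProxyOnlySecurityManager(String proxyHost, int proxyPort) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
    }

    /** Called by the JDK before resolving a name (port == -1) or opening a socket. */
    @Override
    public void checkConnect(String host, int port) {
        if (port == -1) {
            // A local DNS lookup reveals the destination to the network even if the
            // TCP connection itself would later be proxied, so refuse it outright.
            throw new SecurityException("local name resolution of " + host + " refused");
        }
        if (!(proxyHost.equals(host) && proxyPort == port)) {
            throw new SecurityException("unproxied connection to " + host + ":" + port + " refused");
        }
    }

    @Override
    public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    /** Everything outside the network checks is allowed here to keep the example small;
     *  a deployable manager would delegate to the normal policy instead. */
    @Override
    public void checkPermission(Permission perm) { }
    @Override
    public void checkPermission(Permission perm, Object context) { }

    public static void main(String[] args) {
        // Installing a replacement manager is an ordinary API call.
        System.setSecurityManager(new ProxyOnlySecurityManager("127.0.0.1", 9050));
        try (Socket s = new Socket("example.com", 80)) {       // direct connection attempt
            System.out.println("unexpected: direct connection allowed");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());  // refused before any packet leaves
        } catch (java.io.IOException e) {
            System.out.println("network error: " + e.getMessage());
        }
    }
}
```

Before relying on an allow-list like this, check how the JDK in use invokes checkConnect from its own SOCKS client, since the policy must match whether it reports the proxy endpoint or the final destination.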