[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re[2]: Ultimate solution


Well that sounds good in theory, and admittedly I don't know enough
about scripting languages to say it can't be done. But it does occur
to me that the SM would have to be very intelligent to know that the
harmless X, Y, and Z parts of the script form a dangerous whole. I
think that starts entering into heuristics. Surely someone here knows
way more about this and will comment. I would love to see such a tool.


>>   In my experience many users will, and do, go out of their way to
>> circumvent their own protection unless very aware of the consequences,
>> and sometimes even then. If they really want to see that funny flash
>> animation on a certain site, they will find a way to do it and then
>> often forget to undo the changes they made there by leaving they selves
>> vulnerable.

> There are some aspects of Flash, Javascript, etc, that are safe, and
> do not reveal any information. There are other aspects that are
> unsafe.

> This gets back to the whole issue I raised earlier, in another thread.
> Why try to sell people on "OK, but you need to use a completely
> stripped down browser that can't display most modern sites at all
> because all scripting systems are disabled"? Why not use a "security
> manager" model, where the browser commands are verified by a separate
> security manager, configured by the user? Then Tor can just distribute
> a security manager file.

> This would require some sort of system for "I'm the browser, this is
> the file I just downloaded, tell me what I can safely execute". "I'm
> the javascript parser, this is what I've just parsed and written via
> document.write but not yet executed. Tell me what I can safely
> execute". "I'm the browser, this is the full document after fetching
> all the embedded references. I know I've asked you on each of those
> parts separately, now here's the whole shebang. Tell me what I can
> safely execute." Etc.

> The whole "Because some aspect of Flash can kill you, all of flash
> must be junked" approach won't work. That's like saying, "Because Java
> could contain an unsafe program, no Java can be used". Sun designed a
> security manager system into Java specifically to deal with that
> concern. If the default security manager isn't good enough -- if the
> default SM permits unproxied connections, for example -- then we need
> a new SM that does not permit unproxied connections, or forces them to
> become proxied without the code realizing it.

> Java does permit changing the SM, doesn't it?

> Why not implement one for the rest of the browsing experience?