Straight Talk wrote:
> Please name one that will infect a patched web browser of reasonable
> quality just like that.
Browsers don't get patched until after the exploit has infected
thousands of users PC's. That's how it works, or haven't you noticed?
http://www.swatit.org/bots/
The measures that Sebastian proposes to secure a home computer are just
unrealistic and he is out to lunch. Maybe you too.
Troglodyte wrote:
> Sebastian G. wrote:
>
>> As you say: it's a band-aid. Nothing more. Security starts with
>> addressing the causing, not cascading the symptoms. Especially since the
>> main problem, lacking user education, is even further amplified.
>
> Well, seeing as you are certain you know how to make a system secure
> without having to use anti virus scanners, spyware scanners, hosts file,
> script blockers, ad blockers etc. why don't you put up a website with
> instructions on how to do it and provide a real service to the community?
Because, with respect to the demands of a normal home user, Windows is
secure out of the box? And since anti virus scanners, spyware scanners,
hosts file, script blockers, ad blockers etc. can't make a system secure,
there's nothing to discuss at all.
Troglodyte wrote:
> Name one web browser that uses scripts that is not vulnerable.
Mozilla/Firefox, Opera, Konqueror, w3m, ...
> The only one I know is firefox with the noscript add-on. That allows me
to > only allow websites that I trust to run scripts.
Well, if you want that, you wouldn't need NoScript either, since Firefox
already has this capability (just doesn't expose it in the GUI). At any
rate, the real benefit of NoScript is to potentially limit XSS when actually
globally allowing scripts.
> But then I've seen you in here saying firefox is crap too so what browser
> do you use that is not vulnerable?
Mozilla Seamonkey
Troglodyte wrote:
> Sebastian G. wrote:
>
>> Or correct. Just take a look at the major players Mozilla Firefox,
>> Mozilla Seamonkey, Opera, Konqueror and w3m. Agreed, Mozilla Firefox is
>> a bit obscure, but neithertheless still secure by default.
>
> No it isn't. Firefox allows scripts to run by default.
So you're equating scripts with vulnerabilities? What a nonsense.
> Any browser that allows scripts is not secure against malicious scripts.
Bull****. Without a vulnerability in the script engine itself JavaScript is
perfectly secure. And such vulnerabilities are so rare, and even further
some serious vendors liek Mozilla and the KDE Team have an excellent
vulnerability patching policy.
> Only by using noscript add-on does it become secure.
It might be a really good thing if you inform yourself a bit about
ECMAScript/JavaScript.
Troglodyte wrote:
> Sebastian G. wrote:
>
>> Depends on which systems. Those with higher security margins have a
>> global no-exec policy implemented, thus they simply can't anything but
>> the preinstalled software, and as long as this is up-to-date an
>> in-memory process compromise of the network is extremely unlikely.
>
> And this is what you propose the average user does?
Nothing? So far a recent Windows installation is secure out-of-the-box.
As an additional recommendation, a global no-exec policy is actually very
feasible, since the demands of users typically only change rarely.
Troglodyte wrote:
> Straight Talk wrote:
>
>> Please name one that will infect a patched web browser of reasonable
>> quality just like that.
>
> Browsers don't get patched until after the exploit has infected
> thousands of users PC's.
Wrong. Browsers typically get patched before a full description of the
vulnerability is released. Even for the extremely rare cases where that
didn't hold typically a workaround existed, and even further a simple
proactive configuration could have already addressed the problem.
> http://www.swatit.org/bots/
| or adverts for web sites with infectious downloads or even infectious HTML
| using the Active-X exploit for Microsoft Internet Explorer
That's MSIE, not a webbrowser. Of course when you're abusing MSIE as such,
compromise is inherent - as documented and expected.
Sebastian G. wrote:
> kurt wismer wrote:
>
>>> And surely it doesn't even get SGML comment pasing right,
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> how should it ever get HTML right?
>
>>
>> you make an excellent argument for why it's a *bad* browser, but not
>> for why it isn't a browser at all...
>
>
> First off, we're talking about *web*browsers.
never said otherwise...
> I think it is a very strong argument against being a webbrowser. A
> broken SGML parser/lexer, as the absolutely simplest part of rendering a
> website, doesn't allow for getting it right at the higher layers. Thus
> it's fundamentally unsuitable.
just because it's unsuitable as a web browser doesn't mean it isn't
one... just because it's implementation of this or that is broken
doesn't mean it isn't a web browser...
it was designed to allow people to browse the web, it was marketed as a
tool to allow people to browse the web, and it actually *does* allow
people to browse the web... whether it does a good job or is well
implemented doesn't change the fact that it's a web browser, it only
affects it's *quality* as a web browser...
>> in the world most people operate in IE is a browser...
>
>
> Yes, a file browser. Not a webbrowser.
sorry, no... ie was born out of the mosaic web browser technology
microsoft purchased/licensed in order to compete with netscape - it is
most definitely a *web* browser...
windows explorer is a file browser, and while ie can *also* browse a
file system, that doesn't change the fact that it is a web browser...
>> i can appreciate trying to redefine things
>
>
> No, that's what you're trying to do. You're claiming that because a lot
> of people abuse the non-webbrowser IE as a webbrowser, it would actually
> become one. That's silly.
now you're putting words in my mouth - i never said the fact that people
use it as a web browser was the reason it was a web browser... what i
have implied, however, is that given the vast majority recognizes it as
a web browser, your *reality* represents a redefinition of things...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Sebastian G. wrote:
> Wrong. Browsers typically get patched before a full description of the
> vulnerability is released.
BS
Sebastian G. wrote:
> It might be a really good thing if you inform yourself a bit about
> ECMAScript/JavaScript.
Might be a really good thing if you educate yourself on why scripts can
be a very bad thing. Lots of malicious websites out there, boyo.
http://noscript.net/
Sebastian G. wrote:
> Well, if you want that, you wouldn't need NoScript either, since Firefox
> already has this capability (just doesn't expose it in the GUI).
IE can do that too but that's not the same as an add-on that allows one
to allow scripts to run at urls they trust and not any others. Allowing
scipts globally is just asking for trouble.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
Reply With Quote