How do you expect to "fix" HTML to provide advanced features after we've gotten rid of javascript, Flash, and Silverlight? And what does CSS have to do with reading your history and scanning your ports?
1 out of 5 websites were right, and honestly John Edward would have gotten at least 2 right, that includes the google that the site actually got right.
Should Be Shot (Score:3, Insightful)
Malware and Virus authors should be lined up against a wall and shot. They are cancers and need to be irradiated.
Re: (Score:2)
I mean eradicated...although irradiated would probably work well too.
Re: (Score:3, Insightful)
What we -should- do is focus on things that we can actually benefit from. Instead of mass-murder, why not fix the internet by fixing javascript (ie. dis, fucking, allow, whitelist basis only), fixing flash (bye), fixing CSS (stop reading my history and stop scanning my ports!) and fixing HTML so we don't need to rely on stupid things (flash, silverlight, the thing Google made) to make browsing an enjoyable experience.
I can deliver you a browser that is virtually unexploitable. Firefox running with NoScript,
Re: (Score:1)
Re:Should Be Shot (Score:1)
Everything. I'll just throw a couple of links at you and then you can go be scared.
http://ha.ckers.org/weird/javascriptless-port-scanning.cgi, http://ha.ckers.org/weird/CSS-history.cgi.
I suggest that if you want to be up to date with the web app security world, you should keep reading blogs of security researchers, and perhaps security research-related fora (like sla.ckers.org).
As for your first question, I suggest you read the HTML 6 specs that have been presented. Also, remember that a browser is just a tool that parses text into pretty "websites". We simply don't need Flash and Silverlight if we have better options for, say, video client-side.
And, in its current form, Javascript should be switched off everywhere too. We _cannot have_ exploitable vulnerabilities in W3C recommended document formats like CSS, and widely used technologies like Javascript.
Re: (Score:3, Informative)
I'll just throw a couple of links at you and then you can go be scared.
http://ha.ckers.org/weird/javascriptless-port-scanning.cgi, http://ha.ckers.org/weird/CSS-history.cgi.
Well, I just visited both of your links, and am unimpressed and unscared.
The CSS history one gave a very short list of what looked like guessed web sites which were mostly wrong (hint: I never visit msn or ebay or myspace, and it's months since I visited yahoo). It looked like blind guesswork, as the list had google, but not slashdot, for instance. Clicking through to see what information they claim to have logged, I encountered an empty list, not even the bogus guesses of wrong web sites that were on th
Re: (Score:2)
Re: (Score:3, Informative)
That list is the sites being tested, if it can detect any of them in your history, it shows red text in a box next to that item. The exploit can only check a specific list of items. The problem is a UI/implementation one, not a problem with the concept.
Re: (Score:2)
That list is the sites being tested, if it can detect any of them in your history, it shows red text in a box next to that item.
Perhaps you should check your code again.
It showed the red "visited" text in a box beside all of the incorrect IP addresses and the 127.0.0.1:8080 combination. I reiterate that my LAN is not on 192.168.0.* or 192.168.1.* but the page claims that I visited addresses 192.168.0.1 192.168.0.2 192.168.1.1 and 192.168.1.2 which is clearly impossible. In fact, it does that even when I use a PC which is directly connected to a public IP, and not on our home LAN.
FYI we have 8 fiber ports at home, each with a publ
Re: (Score:2)
It isn't my code.
When I visited it, it correctly showed that I hadn't visited any of those IP addresses. The other page correctly identified which sites I had visited, even after clearing my history and after re-visiting them.
Re: (Score:2)
Neither of those links provided any kind of accurate information. Very non-scary, I have to say.
Re: (Score:2)