Hi there,

2010/2/24 John J Barton <[email protected]>:
>
>
> On Feb 24, 10:40 am, Eric Dorman <[email protected]> wrote:
>> Hey guys, Thanks for that great info on that stuff.
>>
>> Is there a way to take or use a Firebug Lite Extension to help protect
>> users from Security issues in the browser? I don't know if I am making
>> myself clear on this, but I am just wondering if there could be some
>> way to design an extension to help protect users from Security Hacks
>> or attacks in the browser.
>
> I believe the answer is "no" because the browser already protects
> users from attack.

JJB made some really good observations.

I thought that you were talking about an extension that helps
*developers* build more secure web applications, and not
exactly an "extension to help protect users".

Let's say you visit a malicious website and it infects your
computer with some malware. There's no way for Firebug
Lite to prevent this from happening, since the infection is a
result of a weakness in the browser.

I'm not a security expert, so I may not be the right person
to talk about this subject, but I do believe there are some
rules / guidelines that *developers* could follow to make
their web application safer.

I mentioned "window.eval()" because it was the first thing
that came to mind, but I do agree with what JJB said,
that "window.eval()" itself isn't unsafe, but it could cause
a security problem if you evaluate an external script from
a non-trusted party, or over a non-secure protocol.

A better example I could give is the use of the HTTP protocol.
HTTP is not a safe protocol, and it could allow a
"man-in-the-middle attack". So a better way to protect
your web application is to use only safe protocols (like
HTTPS) for all resources loaded in your app (scripts,
stylesheets, images, etc.).

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

So, an extension could alert the developer with a message
"you are using an unsafe protocol, use HTTPS instead".

But even so, detecting some other security problems can
be very hard. For example, how could the extension know
that you're using a "window.eval()" to evaluate an external
script? There's no way to know without analyzing the source
code, and implementing an automatic analysis for that would
be very hard.

regards,

Pedro Simonetti.


>
> jjb
>
>
>>
>> I know this probably sounds like an anti-virus type issue I am trying
>> to solve, but it's more than that. I am just wondering if there is a
>> way to help protect people from malicious code in the browser.
>>
>> Thanks for the great information you gave me.
>>
>> Thanks & God Bless,
>> Eric Dorman
>>
>> On Feb 24, 11:53 am, John J Barton <[email protected]>
>> wrote:
>>
>> > On Feb 23, 10:26 pm, Pedro Simonetti Garcia <[email protected]>
>> > wrote:
>>
>> > > Hi Eric,
>>
>> > > Taking YSlow as an example, I suppose it would be good as a starting
>> > > point to define the "security rules" your extension will be looking for,
>> > > like "don't use window.eval()" etc.
>>
>> > And this could be very difficult since someone like myself will object
>> > that there is nothing about window.eval() that is the least bit
>> > insecure!
>>
>> > window.eval() is exactly as secure as "<script>" tags or
>> > "document.write()" or "new Function()". These all compile and run
>> > Javascript code. Since the code that calls window.eval() is also
>> > Javascript, window.eval() is not intrinsically insecure.
>>
>> > Web pages ("content documents" in Mozilla-speak) are secured by the
>> > browser. Browsers are easily the most secure computing environment on
>> > the Internet simply because so many developers work on it and so many
>> > people test it.  If an analysis tool can find any operations in a web
>> > page that are insecure, then the browser is broken and will need to be
>> > fixed.
>>
>> > Extensions are part of the browser so they can make operations that
>> > break the browser security. One indirect way to break the browser
>> > security is for otherwise secure code to issue window.eval() and pass
>> > a string obtained over an insecure Internet connection. Since AJAX is
>> > very easy to code, simple extensions can easily make this mistake.
>> > But the lack of security comes from the insecure Internet connection,
>> > not from eval().
>>
>> > jjb
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Firebug" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/firebug?hl=en.
>
>

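An added example, not code from this thread and not part of Firebug or Firebug Lite: the two checks the messages above talk about, written as a small YSlow-style "security rules" checker in plain JavaScript that runs under Node. Rule 1 produces the "you are using an unsafe protocol, use HTTPS instead" warning for scripts, stylesheets, images and iframes fetched over http:// from an https:// page (and, going one step beyond the thread, for a page that is itself served over http://). Rule 2 is only a textual heuristic for an inline script that hands an XMLHttpRequest response straight to eval() or new Function(), the pattern JJB describes; as Pedro says, this cannot be decided reliably without real analysis. The function names, the sample page and its URL are all constructed for this example.

```javascript
// Added example (not from the Firebug thread, not Firebug Lite code):
// a minimal YSlow-style "security rules" checker, runnable under Node.
// Everything below, including the sample page, is constructed for it.

// Resolve a (possibly relative) URL against the page URL; return its scheme.
function schemeOf(url, pageUrl) {
  try {
    return new URL(url, pageUrl).protocol.replace(':', '');
  } catch (e) {
    return null; // not a URL we can reason about
  }
}

// Rule 1: on an https page, every loaded resource must be https too.
// Returns [{tag, url}] per violation. A protocol-relative "//host/x" or a
// path-only URL inherits the page scheme and is therefore fine on https;
// if the page itself is http, the document is reported as well.
function findInsecureResources(html, pageUrl) {
  const findings = [];
  if (schemeOf(pageUrl, pageUrl) === 'http') {
    findings.push({ tag: 'document', url: pageUrl });
  }
  const tagRe = /<(script|link|img|iframe)\b([^>]*)>/gi;
  const attrRe = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = attrRe.exec(m[2]);
    if (!a) continue; // e.g. an inline <script> with no src
    const url = a[1] ?? a[2] ?? a[3];
    if (schemeOf(url, pageUrl) === 'http') {
      findings.push({ tag: m[1].toLowerCase(), url });
    }
  }
  return findings;
}

// Rule 2 (heuristic only): an inline <script> body in which eval() or
// new Function() receives something.responseText. This catches the
// textbook form and nothing else; real detection needs code analysis.
function findEvalOfResponse(html) {
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const evalRe = /\b(?:eval|new\s+Function)\s*\([^)]*\.responseText/;
  const findings = [];
  let m;
  while ((m = inlineRe.exec(html)) !== null) {
    if (evalRe.test(m[1])) findings.push(m[1].trim());
  }
  return findings;
}

// Developer-facing messages of the kind the thread suggests an extension
// could show.
function checkPage(html, pageUrl) {
  const messages = [];
  for (const f of findInsecureResources(html, pageUrl)) {
    messages.push(`${f.tag} ${f.url}: you are using an unsafe protocol, use HTTPS instead`);
  }
  for (const body of findEvalOfResponse(html)) {
    messages.push('inline script passes an XMLHttpRequest response to eval()/new Function(); ' +
                  'load the code with <script src="https://..."> instead');
  }
  return messages;
}

// Constructed sample page (no real site) served from an https URL.
const SAMPLE_PAGE_URL = 'https://app.example/index.html';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/lib.js"></script>
<script src="//cdn.example/same-scheme.js"></script>
<script src="/local/app.js"></script>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'http://plugins.example/extra.js', false);
  xhr.send(null);
  eval(xhr.responseText);
</script>
</head><body>
<img src='http://images.example/logo.png'>
<img src="https://images.example/secure.png">
</body></html>`;

// Expected: three messages (the stylesheet, the logo image, the eval).
console.log(checkPage(SAMPLE_HTML, SAMPLE_PAGE_URL).join('\n'));
```

Run it with node. In a real extension the same rules would be applied to the live document (document.location, document.scripts, the stylesheets and images the page actually requested) rather than to the raw HTML text, which is also why only rule 1 is dependable: the browser knows exactly which URLs were loaded, whereas whether a string fed to eval() came from an insecure connection is not visible in the markup.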