Carroll Kong wrote:
warpmedia wrote:
All browsers need to add a security zone model so one can browse in dumb mode until a feature is needed, & then make damn sure it works as advertised (M$ has come a long way with the XP SP2 version). Sun Java certainly has problems.
Agreed. It is unfortunate though that MS has a "local zone" which some software and help files rely on greatly. I wish they would separate it out since it allows for the nasty "read this local URL" attack. That was one of the first attacks that allowed you to bypass the basic security zone controls!
Under XP I read that this functionality is debilitated to the degree that developers are complaining M$ did too much!
<snip>
I do not trust Microsoft IE either. There is a reason why I run as a normal user. For example, the local zone bypass attack would have hit me if I blindly trusted that layer of security.
Try making custom (additional) zones work under XP SP2; they don't, due to new layers of functionality called "zone lockdowns" and new methods of zone elevation prevention. Flawless, no, but a hell of a step in the right direction. I'm still trying to sort out the new info to understand how it all works.
<snip>
So if Mozzy learns & adds proper per site lockdowns, it's a step in the right direction. As of now they're doing an M$ head-in-the-sand about the real problem. Hence the bad venom coming out of my mouth about them.
Agreed. Once Mozilla and Firefox put up granular controls for JavaScript+Java and per session, then in my eyes they are a much closer match against IE. The only drawback being ActiveX, but that is pretty minor.
And something that can be disabled to a large extent without causing issues.
<snip>
I wonder what their take is on granular security controls. I figured why bother taking nasty counter-criticism, so I did not bother posting a feature request for that one. I could already anticipate the "we do not support ActiveX so we are 100% secure" kind of responses.
It's that kind of response Ben posted that made me laugh. ActiveX is a problem, but obviously not the only problem nor even the biggest.
