Sam Steingold wrote:
> 
> > * Honorable Gervase Markham <[EMAIL PROTECTED]> writes:
> >
> > Past experience shows that a great deal of nasty web-related browser
> > exploits and so on rely on the attacker knowing the profile directory
> > on the local system of the user (as many users do not change from the
> > defaults.) [Salting] is merely a contained and sensible response to
> > severely limit that threat.
> 
> "security by obscurity"?
> is this the _only_ way to fix this?!

No, this is "Belt and Suspenders", not "security by obscurity".

The security exploit is whatever the attacker used to get access to your
system in the first place. We obviously don't want those and have plugged
all the ones we know about. But given how many times we thought we fixed the
last one in Communicator (and Microsoft in IE) only to be proved wrong, it
seems sensible not to make life easy for an attacker who might slip through
-- especially in a brand new system like Mozilla which hasn't yet been
subject to real-world hack attacks to the same extent as Communicator and
IE.

-Dan Veditz
