Bruce Perens:
>
>> They make it too easy for _anybody_ to eavesdrop, and to use the information
>> they acquire whilst eavesdropping in really nefarious ways (e.g. the watering
>> hole attack someone referred to recently).
> So, build browsers that request https preferentially. Publish that as a
> recommendation. But please don't lock everyone into your solution.
Wait, what? Please don't lock everyone into well understood vulnerabilities?

Let us improve the protocols by opportunistically encrypting and when you think you have nothing to hide, you can opt-out, right? You have nothing to hide, right? Speaking of which, what is the content of your /etc/shadow Bruce? :)

The attack surface of a browser is immense - the best way to protect against exploitation is to ensure that there is transport layer security. TLS (or something like it) helps us while we audit the image parsers, the JavaScript engines and it helps mitigate injection that would exploit vulnerable plugins; this is a very minimal amount of work to protect a lot of attack surface. At least then we're nearly back to watering hole attacks which require, often, user interaction that is very detectable.

I'd encourage you to read this:

http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

Professor Weaver's article is very close to accurate. By the end of the month, I believe there will be much more clarity on the topic. This is a serious problem and it is internet-wide.

Sincerely,
Jacob
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
