On Sat, 27 Sep 2008, Jim Jewett wrote:
Yet opt-in proposals expect content authors to immediately add security
checks everywhere, which is considerably less realistic than having a
handful of webpages adjust their behavior, if we indeed break it (which I
don't think would be likely with the design). It feels better, but I am
inclined to think it is considerably less beneficial.
Why? Most sites won't add the checks because they don't need them.
Static pages do not (but would likely see no ill effects, too). Almost all
web applications, where the user has a distinct authenticated context, do.
Given that something like 90%+ of the list of top 100, 500, or whatever
websites visited by typical users belongs to the latter category (well,
looking at public stats at least), easily extrapolated to tens of millions
of other less successful but still used resources (web forums, shops,
chats, customer portals, etc.), that all these are almost always
significantly more complex than any static content (thousands of pages and
hundreds of distinct features are not uncommon) - I indeed see a problem
that is best addressed in an on-by-default mode.
If you have faith that all these places can be patched up because we tell
them so, and that those who want to would be able to do so consistently
and reliably - look at the current history of XSRF and XSS
vulnerabilities.
/mz