Subscribe
RSS news feed
Add to Technorati FavoritesRecent Posts
- Goodbye Flash, Silverlight, AIR and other plug-ins
- The hyper corrective browser
- Backpacking. Redefined.
- Rent-a-ranter
- Welcome to Web2.0 – with the same old same old Security (Continued)
- Welcome to Web2.0 – with the same old same old Security
- Banking. Redefined.
- Acid3 and 4, why even bother?
- Nominated!
- The Internet Service Bus
Navigate
Search the blog
Infrastructure Services / Security
The hyper corrective browser
I just had a discussion via Twitter about the desired behavior of browsers during an endless javascript loop (e.g. while(true){alert("test");}). One of my friends suggested that browsers should correct this kind of code. Browsers should do this in order to prevent endless loops that crash you browser or your operating system.
This really sounds horrible to me. Whenever I write code I would like to see it executed the way I wrote it, not the way I could have probably thought about it that it should work. If I write lousy code, let the browser crash, let my operating system crash and probably I will learn something of it. In the worst case even valid code could be corrected by the browser since it could match a pattern that is used to filter invalided code blocks. That would be a real developers nightmare: hyper correcting browsers that are adjusting valid code blocks combined with all current known specific browser quirks.
However this hyper correcting behavior could make the web even more insecure. Microsoft will probably implement some protection in Internet Explorer 8, at first sight this is pretty nice, however there are quite some (amateur) developers that 'test' their websites in only one browser. After testing it in e.g. Internet Explorer 8 it assumed save and published on the Internet. However when using a different browser XSS is still possible and the visitor can still be harmed by these kind of attacks.
With all these hyper corrections you will be in the end only safe on the Internet depending on what browser you use. This is incorrect you should always be safe on the Internet no matter what browser you use. The developer is responsible for the security /usability of his web page/ application, not the browser! The browser should only be supportive to visit and use this page / application.
A dilemma for Personal Data protection in the digital age
Security breaches involving personal data and the inadequacy of the controls protecting this data in many organisations was brought to the top of the news agenda in late 2007, making it something of a watershed year regarding the security of electronically stored personal information at companies. Many businesses are now in the process of doing the work needed to answer the question: “are we next?” - IT security controls are being examined!
There has been a huge amount written about this; journalists have had a field day! I’ve read a lot of it and have no intention of continuing the feeding frenzy. Instead, I want to hone in on a particular aspect that intrigues me both professionally and personally, so I hope this will provoke some response.
It seems something of a paradox that a cornerstone in the IT security world’s blueprint for providing controlled access to personal data requires … the use of more personal data. I’m talking about Identity & Access Management (IAM) systems and the way that IAM needs strong digital credentials in order to validate online identities.
For most purposes today those credentials take the form of ‘secrets’ - passwords, pass-phrases, my mother’s maiden name, my favourite year etc. The evolution of IAM as a discipline within Information Security is demanding better, more robust online credentials. The result is we all have to offer more personal data, more shared secrets to ‘prove’ who we are when online.
There has been much abuse of this too. Like many people I’m sure, I get annoyed at being asked to provide personal information such as my home address, my age, my occupation and so on in order to make an online purchase. Why is that? If I walk into a shop I don’t have to tell the shopkeeper anything at all, so why should I risk giving it to an organisation that has little incentive to look after it properly? (- yes, I am implying that data protection legislation needs better enforcement!). This rather blatant data harvesting is not only annoying, it potentially puts my personal information at risk (- yes, I am implying that data protection legislation needs better enforcement!).
The demand for better and stronger IAM credentials is a movement, inevitably, towards greater use of biometric information. From an identity credential perspective this is great: here is my credential, a unique, digitised representation of the physical me! This biometric credential is surely much more difficult to subvert than a secret. Unlike a secret, which can be intercepted, stolen or negligently exposed, I can just present the real, unique, physical me to a reader (e.g. fingerprint or iris) and the digitised result is compared to a stored version of … ah, here’s a problem:
There must be a pre-existing, validated copy of my ‘digital body part’ stored electronically somewhere. Where does that information rank in terms of sensitivity of personal data? - Surely there’s no information more personal than this?
And, remember, this is all for the purpose of enforcing secure control on access to personal information. Isn’t that rather circuitous? There’s work to be done here!