FF 3.0 gonna be less secure?

Mozilla tells us it has taken new security measures in Firefox 3 to prevent cross-site scripting, but according to a well-known security researcher the opposite is true, and by implementing this the browser will only get less secure. Recently an open-source developer let us know that Firefox 3 would support the upcoming W3C specification for securing XML-over-HTTP requests. This is a well-known way to perform cross-site scripting (XSS) attacks.

“Not only will this technique not prevent XSS exploits, that is one thing. It will also increase the attack surface, because attackers may abuse this technology like they did with Adobe’s crossdomain.xml. Furthermore, the proposed W3C specification has an insecure design”, according to Petko Petkov. The researcher explains in an article what is wrong with this technology and gives various examples of potential attacks.

“Please, please, please do not implement this standard. Are you blind? You’re opening another can of worms (literally). And don’t tell me the specification prevents XSS. That is not so. I foresee that W3C developers are going to allow all sorts of exciting things online, but is it worth the price? Tell me, because I cannot see inside their heads”, Petko warns. The researcher will soon publish a report on Web 2.0 security, but he let us know in advance that the future is full of gloom.
Read: http://www.gnucitizen.org/blog/i-dont-think-that-you-understand-firefox3-vulnerable-by-design

polonus
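The abuse polonus's post refers to, "like they did with Adobe's crossdomain.xml", is a site granting cross-origin read access to every origin while the browser still attaches the victim's cookies. The following is an added example, not code from the thread, from Mozilla or from the W3C, that models that decision on both sides and goes one step beyond the post by showing the hardened form next to the weak one. It assumes the header names the W3C access-control work later shipped as CORS (Access-Control-Allow-Origin, Access-Control-Allow-Credentials); the 2007 draft discussed above used different syntax. The host names bank.example, partner.example and attacker.example and the two policy files are constructed for the example.

```javascript
// Added example, not code from the thread, Mozilla or the W3C. Header names
// follow the later CORS form of the W3C access-control spec (assumption);
// the policy decision being modelled is the crossdomain.xml one.

// Parse a crossdomain.xml-style policy into its list of domain rules
// (Adobe's <allow-access-from domain="..."/> element; sample policies below are constructed).
function parseCrossdomainXml(xml) {
  const rules = [];
  const re = /<allow-access-from\b[^>]*\bdomain="([^"]*)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) rules.push(m[1]);
  return rules;
}

// Does the policy allow a page served from `origin` to read our responses?
// "*" matches every host; "*.bank.example" matches subdomains of bank.example only.
function originAllowed(rules, origin) {
  const host = new URL(origin).hostname;
  return rules.some(rule => {
    if (rule === '*') return true;
    if (rule.startsWith('*.')) {
      const suffix = rule.slice(1);                     // ".bank.example"
      return host.endsWith(suffix) && host.length > suffix.length;
    }
    return rule === host;
  });
}

// Naive server: implements "*" by echoing whatever Origin the request carries
// and always allowing credentials. This is the crossdomain.xml mistake in
// HTTP-header form: every origin, cookies included.
function naiveServer(rules, requestOrigin) {
  if (!originAllowed(rules, requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened server: a wildcard is sent literally as "*" and never with
// credentials; a named origin is echoed, with credentials, only when the
// allow-list matched it. Vary: Origin keeps shared caches from serving one
// origin's header to another.
function hardenedServer(rules, requestOrigin) {
  if (!originAllowed(rules, requestOrigin)) return {};
  if (rules.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser side, the CORS rule: a credentialed (cookie-bearing) request may be
// read only if the named origin matches and credentials are explicitly allowed;
// "*" is never accepted for credentialed requests. Anonymous requests accept
// "*" or an exact match.
function browserCanRead(headers, pageOrigin, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === pageOrigin &&
      headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// End to end: the victim is logged in to bank.example and visits a page on
// `pageOrigin`, which issues a cross-site XMLHttpRequest with cookies.
// Returns true when that page gets to read the authenticated response.
function pageReadsAccountData(server, policyXml, pageOrigin) {
  const rules = parseCrossdomainXml(policyXml);
  const headers = server(rules, pageOrigin);
  return browserCanRead(headers, pageOrigin, true);
}

// Constructed sample policies.
const WIDE_OPEN_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>`;

const ALLOWLIST_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.bank.example"/>
  <allow-access-from domain="partner.example"/>
</cross-domain-policy>`;

const ATTACKER = 'https://attacker.example';
console.log('naive + wildcard, attacker reads account data:',
  pageReadsAccountData(naiveServer, WIDE_OPEN_POLICY, ATTACKER));            // true
console.log('hardened + wildcard, attacker reads account data:',
  pageReadsAccountData(hardenedServer, WIDE_OPEN_POLICY, ATTACKER));         // false
console.log('hardened + allow-list, www.bank.example reads account data:',
  pageReadsAccountData(hardenedServer, ALLOWLIST_POLICY, 'https://www.bank.example')); // true
```

The point the two server functions make is that a wildcard is not dangerous by itself; it is dangerous when the server turns it into "echo the requesting origin and send cookies too", which is exactly what a `domain="*"` crossdomain.xml did for Flash. The hardened form keeps a wildcard usable for genuinely public data while refusing to pair it with a session.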

Well, if the W3C specification becomes a standard, then it won’t just be Firefox, version 3 or otherwise, that will be less secure if browsers are to support standards.

Hi DavidR,

But why come up with insecure standards in the first place? Is security a minor concern compared to versatility and new web features? If we are encouraging these attitudes, we should not complain if people start to behave like sheeple, because we educate them that way. I think that the message of people who are concerned with in-browser security, like yours truly, is actually falling on deaf ears.
It is almost as if some parties want the situation we have at hand, and almost no one gives a hoot.

polonus

But your title doesn’t say that; it says FF 3.0 is going to be less secure, whereas the topic has nothing to do with FF but with the insecure standard. That was the whole point of my response: it is the so-called insecure standard that standards-compliant browsers will suffer from.

This is much the same way ActiveX brought great functionality to IE but brought with it huge potential for exploitation.

Hi DavidR,

It has to do with FF 3.0 because the developers have stated they would follow the standard. They could also have decided to follow a more secure technique or variant of this standard protocol for that reason. IE has done so in the past as well, but for reasons other than security or standardization (remember the M$ versus Java case, etc.). By implementing an insecure standard they make a secure browser more insecure. I think the development was started by a developer of the Opera browser, but why start out with an insecure standard as such is beyond me.
But then malware authors also profit from SSL standards to get their malicious code onto your box more easily and encrypted, so it is only a formal discussion, I think. How do you see this?

pol

A browser developer has to take a decision: either it is going to be standards-compliant, or we are going to have the same mess as with a non-standard IE and its proprietary functions coded into web sites that don’t display correctly in standards-compliant browsers.

IE7 is starting to be more standards-compliant, in that some sites are effectively broken when viewed with IE7 if the web designer hasn’t standardised the code on his web site.

I feel there is no way I would stick with a non-standards-compliant browser. We, the end users, aren’t even a blip on the radar of the standards or browser developers. So all we can do is choose which browser to use, as can you, but I don’t spend time worrying about things outside my control.