In a historic agreement, the makers of Firefox, Internet Explorer, Opera, and Konqueror have agreed on a common set of security features that will be implemented into future versions of their respective browsers. The developers of the four applications had been in discussion for some time over ways in which they could make browsing safer by making it more obvious to users when a site is trying to pull a fast one on them.
1. Disable JavaScript/Active Scripting by default and set up a whitelist to which the user can add sites with two or three mouse clicks or keyboard shortcuts.
2. Think about other things to take care of the remaining 10% of security holes.
The above agreement is more a joke than historic IMHO. A missing super certificate wasn’t exactly the source of the security problems.
What particular security issues are there associated with Javascript?
Loads, man; quite a few of the vulnerabilities are due to JavaScript. Just take a look at the IE/Firefox/Opera section at secunia.com. Using something like the NoScript extension is a very good idea. And fewer annoying web objects as well. Can’t wait for the day when Firefox core will allow me to whitelist cookies/JavaScript/Flash and referrers per site.
That is due to vulnerabilities in the implementation. Javascript is not inherently insecure or a vulnerability.
… four browser vendors simultaneously reaching agreement voluntarily is a historic event. Breakthrough even.
Green address bars and super-certificates are not the end-all be-all, but it’s a start.
What’s really impressive is that Microsoft’s browser is one of them. With this and the planned release of the Office file formats, I’m starting to wonder if it’s cold down in hell…
Does Firefox’s yellow address bar on secure sites solve the issue?
The yellow bar just means the site uses an encrypted connection. Anyway, at the moment we don’t have anything to show whether the “known” encrypted site is the real site or not.
I already don’t understand the certificate system, and often don’t bother, except for clicking yes if a site won’t load otherwise.
Of course I rethink clicking yes for dubious sites, but if enough pages won’t work without certification, I get easily worn down.
What can you do when even hotmail and a large number of sites are not using properly matched certificates. IE doesn’t show me a warning message for hotmail, but Firefox comes up with a great big ludicrous death threat of a dialog confusing the hell out of the end user. This needs to be simplified, and an agreement between all major browser vendors is a small step to begin with, but worthwhile.
What particular security issues are there associated with Javascript?
Several when used for phishing, like hiding locationbars and different stuff related to pop-ups. Issues this agreement seeks to fix. Like: “It will also prevent pop-ups that mimic system messages from being displayed.”
What particular security issues are there associated with Javascript?
Just have a look at the big IE security holes and how many of them still work when Active Scripting is disabled: Almost none.
Ironically I have to praise Microsoft here, since their IE security pack for Windows Server 2003 does almost what I proposed at point 1: it locks down the “Internet Zone” to the level “High” by default and thereby disables any so-called active content on every website, except for the sites which are added to the “Trusted Zone”. Unfortunately they overshoot the mark a bit by, e.g., disabling any kind of download from all sites which aren’t specifically marked as “trusted” instead of fixing the broken/non-existent MIME type handling of IE and Windows.
except for the sites which are added to the “Trusted Zone”.
How should the average internet surfer determine which sites to trust?
How can one know if the admin running any site is competent? Simple: you can’t.
The “Trusted Zone” is nothing more than an MS ploy to make Windows IE users feel safe.
Then that’s the user’s fault, not IE’s.
Active Scripting != Javascript
The security holes come from scriptable ActiveX controls. Instead of just turning JavaScript off, you can just disable scripting of ActiveX controls for untrusted sites.
There are no inherent security issues with JavaScript.
> In a historic agreement, the makers of Firefox, Internet Explorer, Opera, and Konqueror have agreed on a common set of security features that will be implemented into future versions of their respective browsers. The developers of the four applications had been in discussion for some time over ways in which they could make browsing safer by making it more obvious to users when a site is trying to pull a fast one on them.
Was Konqueror considered anything other than a *JOKE*?
It’s almost as bad as the various *Vaporware Browsers* that keep floating around in the Amiga community.
“Was Konqueror considered anything other than a *JOKE*?”
Konqueror is the best browser available when using KDE. The integration is superb, the program is blazing fast, and it has some killer features, like when I reboot, it automatically opens the web pages where I was when the OS was halted (not so with Firefox). I may also remind you that neither Firefox nor IE (not to mention Opera) has yet passed the Acid2 test. Konqueror’s development version (3.5 I bet, coming out next week) passed it a long time ago.
I consider your post as a joke.
Was Konqueror considered anything other than a *JOKE*?
It’s almost as bad as the various *Vaporware Browsers* that keep floating around in the Amiga community.
You haven’t used Konqueror in ages, have you?
May I suggest to give it a try? It has become my browser of choice when I’m on Linux (previously it was Firefox, which I used since it was called Phoenix). On Windows I use Opera, waiting for the Konqueror port coming with 4.0.
Konqueror is a fantastic web browser and file manager. Apparently you don’t know it. I suggest you try it with a nice Linux distribution such as openSuSE 10.0.
Have a nice day.
Konqueror’s engine KHTML is even used in the newest Nokia browser on Series 60. And Konqueror is really great; the only thing I’m missing is adblock, which comes out with the KDE 3.5 release, release date 29 November.
“high assurance” certificates?
What exactly is that?
“Firefox, IE, Opera, and Konqueror will implement the new security features in upcoming versions, and will support the creation of a new “super-certificate” as described above.”
Who is creating that?
From TFA
The only major player missing is Apple, whose Safari browser is widely used on Mac OS X. Apple could not be reached for comment on whether it would support the new features in upcoming versions of Safari.
Right, but if Konqueror will support it and Safari is based on Konqueror, then Apple will be included (unless Jobs or others in Apple’s management decide the contrary and disable it).
Or am I wrong?
You’re wrong: most of the suggestions are based around UI, and Apple’s Safari shares no UI code with Konqueror. Further, as the big storm last summer showed, Apple’s WebKit has diverged quite a bit from Konqueror, so it won’t be easy for a change in Konqueror to make its way into WebKit. What’s more likely is that Apple will create its own special Apple version of these suggestions.
Please don’t use “TFA” here; this is not Slashdot. I don’t want it to be even marginally like Slashdot, and OSNews links to more respectable news (bar a few misses) than Slashdot ever will.
The full story about how it got going is available at http://dot.kde.org/1132619164/
It’s a pity the Ars Technica story didn’t mention the link.
I was thinking of a way to replace the DNS system this morning, as a solution to the “who owns the internet” problem. As a side effect, the solution I was thinking of would also have to solve this phishing problem.
Instead of an assigned name that a root server can testify is yours, you claim a name by simply publishing PGP-signed data. The key would claim the name.
A naming conflict would simply be resolved by the users’ trust of the keys; you know, web of trust.
This means that everything your browser receives is signed. Thus you “know” if you can trust it or not.
Edited 2005-11-25 12:54
Actually konqueror was the reason I am now a Gnome user.
Without having read the article, I thought I’d jump in to fan the flames of war.
The best you could do for security for all these browsers that I see today, and which would not take a lot of money and outlandish effort, is to install them on Mac OS X.
There, I’ve said it.
Pick me apart, start here:
The article is about indicating the trustworthiness of the various CAs (something not addressed by Safari) and about notifying users about phishing attacks (something addressed neither by Safari nor by Apple Mail).
Here’s how to get a slightly non-technical user (think one of your parents) to hand over their details to an attacker.
Send an email saying, for example, that their Paypal account needs renewing (you could always use American Express, Mastercard, or other items if you wanted). In the email tell them to click on the following renewal address:
http://www.paypal.com/isdir.dll?dsafsd=sdfsadf&cxvxcv=345DF3&xcvx=2…
The user opens that in Apple Mail, clicks on the link, it loads in Safari with no warnings, and they enter their PayPal details.
In case you haven’t figured it out yet, everything between http:// and the @ symbol is just a username; the user is actually entering their confidential details at the site http://165.45.21.56/ad3224
Apple’s internet software has no protection against phishing attacks, and no obvious way of alerting users to the trustworthiness of the websites they view. Konqueror, IE and Opera are all well on their way to implementing these things, and Outlook 2003 SP2 and the upcoming Thunderbird 1.5 have some significant phishing-detection systems built in.
I think you’ll find that if, in the future, you read more and post less, you’ll be a lot more informed.
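The userinfo trick in the post above is easy to check for mechanically. The following is an added example, not code from the thread or from any of the browsers discussed: it splits a URL the way an RFC 3986 parser does (the part before the last `@` in the authority is userinfo, never the host), flags the patterns a mail client or browser could warn on, and produces the host-only form a user should be shown. The sample URL is constructed from the post's description; RFC 3986 userinfo cannot contain `/` or `?`, so the sample keeps the fake domain to the bare name.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Something a reader might mistake for the site they are visiting.
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Constructed sample, assembled from the post: a well-known name as the
# username, a bare IP address as the real destination.
SAMPLE_URL = "http://www.paypal.com@165.45.21.56/ad3224"


def analyze_url(url: str) -> dict:
    """Report what a reader sees at the start of the URL versus where the
    request really goes, plus the reasons the URL deserves a warning."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the real destination, lowercased
    userinfo = parts.username or ""      # text before '@': NOT the host
    findings = []
    if userinfo and DOMAIN_LIKE.match(userinfo):
        findings.append("userinfo looks like a hostname")
    if parts.password is not None:
        findings.append("password embedded in URL")
    try:
        ipaddress.ip_address(host)       # raises ValueError for DNS names
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    return {
        "displayed_prefix": userinfo,
        "actual_host": host,
        "path": parts.path,
        "findings": findings,
        "suspicious": bool(findings),
    }


def host_only_form(url: str) -> str:
    """Rebuild the URL without userinfo so the string shown to the user
    names only the host that will actually receive the request."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if ":" in netloc:                    # keep IPv6 literals bracketed
        netloc = f"[{netloc}]"
    if parts.port:
        netloc += f":{parts.port}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    report = analyze_url(SAMPLE_URL)
    print(f"looks like: {report['displayed_prefix']}  really: {report['actual_host']}")
    print("warnings:", "; ".join(report["findings"]) or "none")
    print("show as:", host_only_form(SAMPLE_URL))
```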