- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 21 Feb 2008 11:55:53 -0800
- To: Mark Baker <distobj@acm.org>
- Cc: Anne van Kesteren <annevk@opera.com>, public-appformats@w3.org
Mark Baker wrote:
> I thought I'd respond to this, since it's important and it reflects an
> unfortunately common theme found in some recent attempts to improve
> the Web (e.g. HTML5 & content type sniffing).
>
> On 2/20/08, Jonas Sicking <jonas@sicking.cc> wrote:
>> > Also, I have no pity for any Web admin who suffers harm as a direct
>> > result of permitting badly designed Web apps to be deployed on their
>> > servers.
>>
>> I guess that is where we are different. I try to protect the people that
>> are currently deploying websites. As best I can. Not just the people
>> that perfectly follow all specs and know all the latest and greatest
>> security recommendations.
>
> By not following specs, they're not playing by the same rules that the
> rest of the world has agreed to play by. You don't change the rules
> just because a minority violate them. You educate the minority so
> that they understand the problems they've created for themselves, and
> appreciate the value in fixing their mistakes.
The "people should be smarter" fix is a very tempting one, but generally
doesn't work. It's hard to make people smarter.
Lets take CSRF as an example. CSRF issues are very common today. Loads
of sites are vulnerable to it. Word is definitely spreading about the
problem and more and more sites get fixed. But there are also more and
more sites popping up every day so I'm not convinced that the number of
vulnerable sites is actually decreasing.
Sure, you could say "it's the sites fault, they can protect themselves",
and while that is true that doesn't change the fact that they don't and
as a result the internet is a less secure place.
Ideally I would like to disable the ability to do cross site <post>s
unless the target site opts in (using for example the Access-Control
spec). The two reasons we don't make that change in mozilla is that:
1. It would break the web
2. Old deployed browsers still are allowing cross-site POSTs and so
changing the model in a new browser invites a false sense of
security.
My point is that just blaming people for not being smart enough is not
very productive.
> Otherwise, over the
> long term, entropy would win and eventually kill interoperability, or
> at least greatly increase the barrier to entry for new players.
> That's behaviour I'd expect of monopolists, not Google, Mozilla or
> Opera.
I'd rather say that saying "only smart people are allowed to deploy
websites" is monopolistic and will discourage the open web we have today.
/ Jonas
Received on Thursday, 21 February 2008 19:56:12 UTC