
Re: Important to disable scripting in IE again.

From: David Woolley <david@djwhome.demon.co.uk>
Date: Mon, 14 Jun 2004 22:26:10 +0100 (BST)
Message-Id: <200406142126.i5ELQAt00687@djwhome.demon.co.uk>
To: w3c-wai-ig@w3.org

> Users should be informed to install and maintain anti-virus and
> firewall software as well as to stay current with patches and service

Neither of these is likely to be effective as the attack uses HTTP which
is allowed through the firewall and most malware disables virus checkers,
etc. as soon as it has landed.  Most of the damage is done either before
the virus checkers get updated or by the large residue of machines that
don't have any checking.

> packs.  None of these solutions, including disabling Active scripting,

The problem with this one is that it is not covered by any service pack
or hot fix and won't be until at least Wednesday and probably not until
a month on Wednesday.  The full bulletin actually indicates that there
are a number of vulnerabilities that haven't been patched for months.

In any case, one of the reasons that big name sites are scripting
dependent is that they rely on end users being unaware of security
issues, and are almost certainly very hazy about them themselves.  These
are very similar reasons to why they have poor general accessibility
(most end users don't know about accessibility, and most developers
don't know or don't care about it).

I actually find banks the most annoying, as they are the most vulnerable
in some ways, but they are also ones who have sites that only work with
scripting and have secure sites with domain names that differ from the
insecure site (you forgot to mention that people should be trained to
verify SSL certificates each time).  In particular, by forcing the use
of scripting, they make it easiest for users to leave it on, even when
accessing dodgy sites, and by changing the domain name, they force the
average user to do something rather technical in order to make SSL work
properly (SSL certificates, and people like Verisign, are unnecessary for
encryption; they are about authenticating that the site corresponds
to the domain that you are accessing - not the one you meant to access -
this isn't really an accessibility thing, but does illustrate the lack
of security awareness amongst web site designers for what should be
the most secure sites).

(Incidentally, although there is no indication of a Microsoft bulletin on
this issue, Microsoft have, themselves, recommended disabling scripting
for past vulnerabilities.)
Received on Monday, 14 June 2004 17:42:41 UTC
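The point above about SSL certificates binding a site to the domain you are actually connected to, not the one you meant to reach, is illustrated here with a small added example. This code is not part of the original message or of any W3C or bank software; the hostnames and subjectAltName entries are constructed for the example, and the "intended domain" check is an assumption about what a user would want verified, not something TLS itself performs.

```python
"""What a TLS/SSL certificate check proves, and what it does not.

A browser checks that the certificate presented by the server is valid for
the hostname it actually connected to. It has no way of knowing which
hostname the user *meant* to reach, so a site that redirects customers
from bank.example to online.bank-secure.example passes the certificate
check as long as the certificate really is for bank-secure.example.

All hostnames and certificate names below are constructed for this
example; no real site is implied.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, RFC 6125 style.

    Exact, case-insensitive comparison, or a single '*' forming the whole
    leftmost label and matching exactly one label: '*.bank.example'
    matches 'secure.bank.example' but not 'a.b.bank.example' and not
    'bank.example'. Patterns such as 'f*o.example' or '*.example' are
    rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire leftmost label only
    if len(p_labels) < 3:
        return False  # refuse '*.tld'-style patterns
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_valid_for(san_names, hostname: str) -> bool:
    """True if any subjectAltName DNS entry matches the connected hostname.

    This is the check a browser performs (the chain-of-trust check is
    assumed to have passed already).
    """
    return any(_name_matches(name, hostname) for name in san_names)


def connection_verdict(intended_host: str, connected_host: str, san_names):
    """Return (tls_ok, same_site).

    tls_ok    - the browser's check: the certificate matches the host we
                are connected to.
    same_site - the check the user actually needs and TLS cannot do: the
                connected host is the intended domain or a subdomain of it.
                (Assumed definition of 'same site' for this example.)
    """
    tls_ok = certificate_valid_for(san_names, connected_host)
    intended = intended_host.lower().rstrip(".")
    connected = connected_host.lower().rstrip(".")
    same_site = connected == intended or connected.endswith("." + intended)
    return tls_ok, same_site


# Constructed scenario: the user types bank.example, the bank's page
# redirects to a separately registered domain whose certificate is valid.
REDIRECT_TARGET_SAN = ["bank-secure.example", "*.bank-secure.example"]

if __name__ == "__main__":
    verdict = connection_verdict(
        "bank.example", "online.bank-secure.example", REDIRECT_TARGET_SAN
    )
    print("certificate valid for connected host:", verdict[0])
    print("connected host is the domain the user intended:", verdict[1])
```

The first verdict is all a padlock icon tells the user; the second is the judgement the message says the average user is being asked to make by hand each time.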
