RE: Important to disable scripting in IE again. from Kurt_Mattes@bankone.com on 2004-06-15 (w3c-wai-ig@w3.org from April to June 2004)

From: <Kurt_Mattes@bankone.com>
Date: Tue, 15 Jun 2004 08:37:53 -0400
To: <david@djwhome.demon.co.uk>, <w3c-wai-ig@w3.org>
Message-ID: <B239BEDED044074C8E2CCC3A9162F2A90A26D87D@swilnts804.wil.fusa.com>
> Most of the damage is done either before the virus checkers get updated
> or by the large residure of machines that don't have any checking.

Are you suggesting that anti-virus and firewall software is useless or
that more machines should use it and keep it updated?

> The problem with this one is that it is not covered by any service pack
> or hot fix and won't be until at least Wednesday and probably not until
> a month on Wednesday.  The full bulletin actually indicates that there
> are a number of vulnerabilities that haven't been patched for months.

Are you suggesting that service packs and hot fixes are useless.  As I 
stated before, life involves some risks.  Disabling scripting will not 
eliminate all possible risks associated with the Internet.  Perhaps 
more pressure should be put on those responsible for creating patches.

> In any case, one of the reasons that big name sites are scripting 
> dependent is that they rely on end users being unaware of security 
> issues, 

Generally speaking, they are.

> and are almost certainly very hazy about them themselves.

On what facts do you base this bold statement?

> These are very similar reasons to why they have poor general 
> accessibility(most end users don't know about accessibility, and most 
> developers don't know or don't care about it).

Seems to me more effort to educate is needed.

> I actually find banks the most annoying, as they are the most vulnerable
> in some ways,

Please elaborate on the ways you think they are most vulnerable.  Targets
that appear to have high potential value - yes, but most vulnerable - 
doubtful.  Banks have billions of reasons to spend millions on 
vulnerability.

> have secure sites with domain names that differ from the insecure site 

And the problem here is?

> (you forgot to mention that people should be trained to verify SSL 
> certificates each time)

A good point!

> In particular, by forcing the use of scripting, they make it easiest for > users to leave it on, even when accessing dodgy sites,

Perhaps user agents/browsers should allow users to activate/de-activate
scripting based on URLs.  Like it or not, scripting is here to stay.  We
need to find ways to make it accessible and safe.

> they force the average user to do something rather technical in order to > make SSL work properly

I need to be educated about this one.  What is the rather technical thing
a user needs to do to make SSL work properly?

> they are about authenticating that the site corresponds to the domain that 
> you are accessing - not the one you meant to access -

Are you saying the user went to the wrong site?  Wouldn't that be user
error?  Banks with sites I am familiar with usually have several web sites
to meet the needs of different groups of users (non-online customers,
online customers, potential customers, businesses, consumers, etc.).  

> does illustrate the lack of security awareness amongst web site 
> designers for what should be the most secure sites

Agreed, designers should not be responsible for data security, that is
the job of security departments.  Please don't imply that bank sites
are not among the most secure sites unless you have some facts to 
support this claim.  I believe the rise in phishing incidents indicates
just how difficult it is to hack bank sites.  Hackers have resorted to
this tactic because it IS extremely difficult to break into a bank via
their web sites.  And if you are thinking of identity theft, most of
these incidents occur without the use of bank web sites.  For example, 
you are far more likely to have your credit card information stolen in
a retail establishment than over the web.

> (Incidentally, although there is no indication of a Microsoft bulletin on
> this issue, Microsoft have, themselves, reccommended disabling scripting
> for past vulnerabilities.)

Only as a very temporary preventative measure.  Given that Microsoft 
products seem to be a choice target for many scripting attacks, perhaps
more pressure needs to be put on them to close the gaps that allow these
unscrupulous tactics before others find them.



-----Original Message-----
From: w3c-wai-ig-request@w3.org [mailto:w3c-wai-ig-request@w3.org]On
Behalf Of David Woolley
Sent: Monday, June 14, 2004 5:26 PM
To: w3c-wai-ig@w3.org
Subject: Re: Important to disable scripting in IE again.



> Users should be informed to install and maintain anti-virus and
> firewall software as well as to stay current with patches and service

Neither of these is likely to be effective as the attack uses HTTP which
is allowed through the firewall and most malware disables virus checkers,
etc. as soon as it has landed.  Most of the damage is done either before
the virus checkers get updated or by the large residure of machines that
don't have any checking.

> packs.  None of these solutions, including disabling Active scripting,

The problem with this one is that it is not covered by any service pack
or hot fix and won't be until at least Wednesday and probably not until
a month on Wednesday.  The full bulletin actually indicates that there
are a number of vulnerabilities that haven't been patched for months.

In any case, one of the reasons that big name sites are scripting 
dependent is that they rely on end users being unaware of security 
issues, and are almost certainly very hazy about them themselves.  These
are very similar reasons to why they have poor general accessibility
(most end users don't know about accessibility, and most developers
don't know or don't care about it).

I actually find banks the most annoying, as they are the most vulnerable
in some ways, but they are also ones who have sites that only work with
scripting and have secure sites with domain names that differ from the
insecure site (you forgot to mention that people should be trained to
verify SSL certificates each time).   In particular, by forcing the use
of scripting, they make it easiest for users to leave it on, even when
accessing dodgy sites, and by changing the domain name, they force the
average user to do something rather technical in order to make SSL work
properly (SSL certificates, and people like Verisign, are unnecessary for
encryption; they are about authenticating that the site corresponds
to the domain that you are accessing - not the one you meant to access -
this isn't really an accessibility thing, but does illustrate the lack
of security awareness amongst web site designers for what should be 
the most secure sites).

(Incidentally, although there is no indication of a Microsoft bulletin on
this issue, Microsoft have, themselves, reccommended disabling scripting
for past vulnerabilities.)



**********************************************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you
**********************************************************************
Received on Tuesday, 15 June 2004 08:38:31 UTC