Re: Rule breaking on the Web

Mark Baker wrote:
> I thought I'd respond to this, since it's important and it reflects an
> unfortunately common theme found in some recent attempts to improve
> the Web (e.g. HTML5 & content type sniffing).
> 
> On 2/20/08, Jonas Sicking <jonas@sicking.cc> wrote:
>>  > Also, I have no pity for any Web admin who suffers harm as a direct
>>  > result of permitting badly designed Web apps to be deployed on their
>>  > servers.
>>
>> I guess that is where we are different. I try to protect the people that
>>  are currently deploying websites. As best I can. Not just the people
>>  that perfectly follow all specs and know all the latest and greatest
>>  security recommendations.
> 
> By not following specs, they're not playing by the same rules that the
> rest of the world has agreed to play by.  You don't change the rules
> just because a minority violate them.  You educate the minority so
> that they understand the problems they've created for themselves, and
> appreciate the value in fixing their mistakes.

The "people should be smarter" fix is a very tempting one, but generally 
doesn't work. It's hard to make people smarter.

Let's take CSRF as an example. CSRF issues are very common today. Loads 
of sites are vulnerable to it. Word is definitely spreading about the 
problem and more and more sites get fixed. But there are also more and 
more sites popping up every day so I'm not convinced that the number of 
vulnerable sites is actually decreasing.

Sure, you could say "it's the site's fault, they can protect themselves", 
and while that is true that doesn't change the fact that they don't and 
as a result the internet is a less secure place.

Ideally I would like to disable the ability to do cross-site <post>s 
unless the target site opts in (using for example the Access-Control 
spec). The two reasons we don't make that change in Mozilla are that:

1. It would break the web
2. Old deployed browsers still are allowing cross-site POSTs and so
    changing the model in a new browser invites a false sense of
    security.

My point is that just blaming people for not being smart enough is not 
very productive.

> Otherwise, over the
> long term, entropy would win and eventually kill interoperability, or
> at least greatly increase the barrier to entry for new players.
> That's behaviour I'd expect of monopolists, not Google, Mozilla or
> Opera.

I'd rather say that saying "only smart people are allowed to deploy 
websites" is monopolistic and will discourage the open web we have today.

/ Jonas

Received on Thursday, 21 February 2008 19:56:12 UTC