- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Mon, 14 Jun 2004 22:26:10 +0100 (BST)
- To: w3c-wai-ig@w3.org
> Users should be informed to install and maintain anti-virus and
> firewall software as well as to stay current with patches and service

Neither of these is likely to be effective as the attack uses HTTP which is allowed through the firewall and most malware disables virus checkers, etc. as soon as it has landed. Most of the damage is done either before the virus checkers get updated or by the large residue of machines that don't have any checking.

> packs. None of these solutions, including disabling Active scripting,

The problem with this one is that it is not covered by any service pack or hot fix and won't be until at least Wednesday and probably not until a month on Wednesday. The full bulletin actually indicates that there are a number of vulnerabilities that haven't been patched for months.

In any case, one of the reasons that big name sites are scripting dependent is that they rely on end users being unaware of security issues, and are almost certainly very hazy about them themselves. These are very similar reasons to why they have poor general accessibility (most end users don't know about accessibility, and most developers don't know or don't care about it).

I actually find banks the most annoying, as they are the most vulnerable in some ways, but they are also ones who have sites that only work with scripting and have secure sites with domain names that differ from the insecure site (you forgot to mention that people should be trained to verify SSL certificates each time).

In particular, by forcing the use of scripting, they make it easiest for users to leave it on, even when accessing dodgy sites, and by changing the domain name, they force the average user to do something rather technical in order to make SSL work properly (SSL certificates, and people like Verisign, are unnecessary for encryption; they are about authenticating that the site corresponds to the domain that you are accessing - not the one you meant to access - this isn't really an accessibility thing, but does illustrate the lack of security awareness amongst web site designers for what should be the most secure sites).

(Incidentally, although there is no indication of a Microsoft bulletin on this issue, Microsoft have, themselves, recommended disabling scripting for past vulnerabilities.)

Received on Monday, 14 June 2004 17:42:41 UTC