

"Over-Draconian" browser security??

By Stephen Howard-Sarin
Jason actually said that Vista's IE7 security features might be "over-Draconian"! Aside from the amusing invention of a term, do you really think that it's possible Microsoft will ship something that's locked down too tight?


re: Desktop OSes (including Linux)

by apotheon In reply to Desktop Linux

"First of all, I didn't mention Desktop Linux. I'm counting Windows and Mac."
Funny -- that's not what you said in your previous comment. You just referred to "desktop" OSes in general. If you meant that Windows is the "most secure" of MacOS and Windows, you should have said so.

"Linux runs great as a Server operating system, but it's arguable if it is mature enough to serve as a desktop OS."
I'd argue that Windows lacks some maturity as a desktop OS. It still doesn't employ strict privilege separation in the core architecture, for instance. In fact, that is relevant to your commentary about IE7 running under a separate user -- as long as strict privilege separation is not fully implemented, the threat of privilege escalation renders that security configuration a half-measure at best.

Perhaps Linux is not the perfect desktop OS in general terms. Neither is Windows, so this argument against Linux is spurious at best.

"If you were using Desktop Linux, I believe you would have to manually set up something to run the browser under different user permissions as the user."
It's true that this is not default behavior. Thanks to other factors in platform security, however, it's not really a problem -- and at least it's possible to configure it that way, whereas implementing strict privilege separation (and other security advantages that are standard on Linux systems) on a Windows install is not currently possible.

Windows has the edge on things like widespread familiarity and user-obsequious "wizards". It falls short on security and stability. C'est la vie.


Consider yourself corrected

by Deadly Ernest In reply to Desktop Linux

I have been trying out various versions of Linux in recent months and have found several that have a default installation very suitable for end user desktop usage. In every case the default installation has included a browser, sometimes Firefox, sometimes something else, that works perfectly for every basic user.


Neither Sally the Admin nor Charlie the CEO ...

by Too Old For IT In reply to You think so?

... can use it, therefore it will never happen. At least not until there is a universal Linux that works out of the box for someone who knows naught but Windows (maybe) and is delivered on 99% of the home machines out there.

Admins make the enterprise go 'round!


Draconian Browser Security settings.....

by Jaqui In reply to "Over-Draconian" browser ...

My default settings for any web browser:
No Flash player.
No Shockwave player.
No media player plugin.
No PDF support.
No Java support.
No JavaScript support.
Delete ALL Certificate Authorities from the trusted list.
Delete all included certificates.
[ if running Windows, expect this to crash the OS... permanently ]
Cookies, from originating site only.
Images, from originating SITE only.
Popups, block them, completely, don't indicate that there was one blocked.

Since I only use Linux, I don't have to worry about ActiveX; I don't install the open source package that supports it.

This is exactly what every browser I use is set to. Since Mozilla's SeaMonkey has PDF support built into it, I actually have to get into a really detailed settings dialogue to disable it.
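The settings above map onto a handful of Mozilla about:config preferences. As an added example (not the poster's own setup), here is a small audit script that parses a Firefox/SeaMonkey prefs.js and reports every pref that still sits at a more permissive value than the list above; the pref names are real Mozilla preferences as I know them (assumption: the `plugin.state.*` ones only exist on releases that still load NPAPI plugins), the CA deletions are not expressible in prefs.js and are left out, and the sample profile is constructed.

```python
import re

# Lockdown baseline derived from the settings listed in the post above.
# Pref names are Firefox/SeaMonkey about:config preferences (assumption:
# plugin.state.* only exist on releases that still load NPAPI plugins).
BASELINE = {
    "javascript.enabled": False,                 # no JavaScript
    "plugin.state.flash": 0,                     # Flash never activates
    "plugin.state.java": 0,                      # Java never activates
    "pdfjs.disabled": True,                      # no built-in PDF viewer
    "network.cookie.cookieBehavior": 1,          # cookies from originating site only
    "permissions.default.image": 3,              # images from originating site only
    "dom.disable_open_during_load": True,        # block popups
    "privacy.popups.showBrowserMessage": False,  # ...and do not announce it
}

# One prefs.js / user.js line looks like: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse prefs.js/user.js text into {pref name: typed value}."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs):
    """Return {pref: (found, required)} for every baseline pref that deviates.
    A pref absent from the file is reported as None: the browser default applies,
    and for every pref in BASELINE the default is the permissive value."""
    return {k: (prefs.get(k), v) for k, v in BASELINE.items() if prefs.get(k) != v}


# Constructed sample: a mostly-default profile with two settings already hardened.
SAMPLE_PREFS_JS = '''
user_pref("javascript.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("permissions.default.image", 1);
user_pref("dom.disable_open_during_load", true);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for pref, (found, want) in audit(parse_prefs(SAMPLE_PREFS_JS)).items():
        print(f"{pref}: is {found!r}, locked-down value is {want!r}")
```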

by rkuhn In reply to Draconian Browser Securit ...

Can you surf any web pages?

Do you still use Notepad instead of Word? Oh wait, that would be OpenOffice? Do you do anything that isn't command line?

Just kidding.

There is such a thing as the difference between security and functionality called risk assessment.

Your everyday computer user would not be happy with your settings. And you wouldn't last long at 99.9% of companies if that was your security policy.


too bad for them.

by Jaqui In reply to Wow

They are getting stolen from with client-side scripting; it is LEGALLY required that your client-side scripted website pays visitors for CPU usage.

Also, client-side scripting is the biggest risk to system security in web technologies.

The biggest web-based exploit is cross-site scripting / SQL injection exploits, which compromise the database, some even granting admin privs to the server. [ bad site design practice ]
What is there that is REQUIRED information that cannot be supplied in text format on a website?
Nothing; everything that a site visitor needs can be presented in text format. When I run across those few sites that are completely unusable, I just take my business elsewhere.


Theory vs Reality

by rkuhn In reply to too bad for them.

I agree with you 100% but just making the observation that where the theory meets the pavement your arguments fall apart.

It wouldn't be difficult to create the most secure OS/browser in the world or take an OS or browser and properly secure it.

But it would have such limited functionality and features that few would be interested in it.

You may disagree with most, but most people prefer eye candy, features, functionality, etc. Few enjoy surfing the web in text only. That isn't realistic.

As an IT professional, it's our job to give them what they want and then find a way to secure it. Not the other way around.

We don't secure everything and then tell them what they can and cannot do.

Paid for securing

by Jaqui In reply to Theory vs Reality

means secure it.
They want functionality in addition, then they have to sign off on the reduction in security.

I have no problems accessing the vast majority of websites, I have no problems opening files in KOffice. [ though I send back any MS Office documents, with a warning that sending virally infested files like that again will have their domain blacklisted. ]
[ OpenOffice requires that ballsup called Java to function right, and I won't install support for it ]


Just gotta ask, from a business perspective

by Too Old For IT In reply to Paid for securing

... what you do if/when you are contacted by a wall-to-wall Microsoft shop, especially one that is in new media, multimedia, web design, content-over-the-web (and so on)?

Just askin ...


He Would

by rkuhn In reply to Just gotta ask, from a bu ...

Convert them all overnight to Linux because he has some magical powers that you and I don't possess.

While I'd agree with many of the points our Linux brothers bring up time and time again, they just don't live in the real world.

Their theories might apply to their PC network at home in their basement, but getting some businesses to convert to anything other than Microsoft is damn near mission impossible.

These conversations are fun and interesting, but CEOs, CIOs, and CFOs don't care. They'll gladly go along with the status quo.
