<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Let&#8217;s fix the Web</title>
	<atom:link href="http://www.gnucitizen.org/blog/lets-fix-the-web/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gnucitizen.org/blog/lets-fix-the-web/</link>
	<description>Information Security Think Tank</description>
	<pubDate>Sun, 23 Nov 2008 15:40:59 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
		<item>
		<title>By: Fixing the Web with GNU</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123560</link>
		<dc:creator>Fixing the Web with GNU</dc:creator>
		<pubDate>Fri, 05 Sep 2008 23:05:24 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123560</guid>
		<description>[...] think fixing the web is a solid idea and more people should take securing their important stuff seriously, school boy errors affect more than school boys.  This entry was posted in Hacks, Web Design, Web [...]</description>
		<content:encoded><![CDATA[<p>[...] think fixing the web is a solid idea and more people should take securing their important stuff seriously, school boy errors affect more than school boys.  This entry was posted in Hacks, Web Design, Web [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Google Chrome &#124; GNUCITIZEN</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123479</link>
		<dc:creator>Google Chrome &#124; GNUCITIZEN</dc:creator>
		<pubDate>Tue, 02 Sep 2008 13:45:16 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123479</guid>
		<description>[...] down to Web related bugs. I believe that Google Chrome lacks mostly that and if they decide to implement any of the recommendations then in my eyes, I will certainly have a winner in the upcoming browser wars.   &#187; more &#124; [...]</description>
		<content:encoded><![CDATA[<p>[...] down to Web related bugs. I believe that Google Chrome lacks mostly that and if they decide to implement any of the recommendations then in my eyes, I will certainly have a winner in the upcoming browser wars.   &raquo; more | [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Liquidmatrix Security Digest &#187; Security Briefing: September 2nd</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123476</link>
		<dc:creator>Liquidmatrix Security Digest &#187; Security Briefing: September 2nd</dc:creator>
		<pubDate>Tue, 02 Sep 2008 11:14:42 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123476</guid>
		<description>[...] Let’s fix the Web &#124; GNUCITIZEN [...]</description>
		<content:encoded><![CDATA[<p>[...] Let’s fix the Web | GNUCITIZEN [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123458</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Mon, 01 Sep 2008 12:16:49 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123458</guid>
		<description>mindcorrosive, well you cannot be 100% sure but you still trust some networks more than others. the plugin will detect if you are changing network settings and thus will ask you how much you trust the network you are in. if you are not trusting it as much as your home network then the plugin will match any data it gets from the web apps you are visiting against a trusted model built previously. I think that it makes sense.

Jeff, I think that the project is very interesting but I doubt that you will be able to force it on developers. WebApp firewalls are such a hot topic at the moment simply because you don't have to deal with developers. They are not perfect but provide that transparency that satisfies most people. My proposal for this Firefox extension aims to do to the client-side what webapp firewalls do for the server-side. No more than that - a simple, elegant, yet effective solution.</description>
		<content:encoded><![CDATA[<p>mindcorrosive, well you cannot be 100% sure but you still trust some networks more than others. the plugin will detect if you are changing network settings and thus will ask you how much you trust the network you are in. if you are not trusting it as much as your home network then the plugin will match any data it gets from the web apps you are visiting against a trusted model built previously. I think that it makes sense.</p>
<p>Jeff, I think that the project is very interesting but I doubt that you will be able to force it on developers. WebApp firewalls are such a hot topic at the moment simply because you don&#8217;t have to deal with developers. They are not perfect but provide that transparency that satisfies most people. My proposal for this Firefox extension aims to do to the client-side what webapp firewalls do for the server-side. No more than that - a simple, elegant, yet effective solution.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff Williams</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123454</link>
		<dc:creator>Jeff Williams</dc:creator>
		<pubDate>Mon, 01 Sep 2008 03:32:24 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123454</guid>
		<description>It's not easy to do all of the things in your list in some environments. The OWASP ESAPI project is defining a security API that encourages developers to do these things. The Java implementation has been released for almost a year, and the .NET and PHP implementations are in progress.</description>
		<content:encoded><![CDATA[<p>It&#8217;s not easy to do all of the things in your list in some environments. The OWASP ESAPI project is defining a security API that encourages developers to do these things. The Java implementation has been released for almost a year, and the .NET and PHP implementations are in progress.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mindcorrosive</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123452</link>
		<dc:creator>mindcorrosive</dc:creator>
		<pubDate>Sun, 31 Aug 2008 20:32:31 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123452</guid>
		<description>pdp: still, it boils down to "trust". How much do you trust your ISP? Your government? Yahoo and Google, for that matter?
Without a trusting model from the bottom up, it is impossible to guarantee security - it is simply "security by obscurity", i.e. malicious crackers lack the sheer labor force to harvest the web and the average inhabitants at large scale, giving the imagery of "security". Please note that I don't underestimate your efforts in that respect, I just point out what is probably obvious to everyone.

I agree that secured connections are the way to go, but what good is a 4096-bit SHA-1 encrypted SSH connection to a non-trusted host?

I would suggest that both parties need to identify each other - both the server and the client. What is done today is server-side only, in most occasions. Client-side is still dependent on the human factor - and that probably constitutes the largest share of security breaches these days. Why not issue a government-signed certificate to everyone - the way we get ID papers? Of course, that creates more problems along the way, but might be a solution in the near future.</description>
		<content:encoded><![CDATA[<p>pdp: still, it boils down to &#8220;trust&#8221;. How much do you trust your ISP? Your government? Yahoo and Google, for that matter?<br />
Without a trusting model from the bottom up, it is impossible to guarantee security - it is simply &#8220;security by obscurity&#8221;, i.e. malicious crackers lack the sheer labor force to harvest the web and the average inhabitants at large scale, giving the imagery of &#8220;security&#8221;. Please note that I don&#8217;t underestimate your efforts in that respect, I just point out what is probably obvious to everyone.</p>
<p>I agree that secured connections are the way to go, but what good is a 4096-bit SHA-1 encrypted SSH connection to a non-trusted host?</p>
<p>I would suggest that both parties need to identify each other - both the server and the client. What is done today is server-side only, in most occasions. Client-side is still dependent on the human factor - and that probably constitutes the largest share of security breaches these days. Why not issue a government-signed certificate to everyone - the way we get ID papers? Of course, that creates more problems along the way, but might be a solution in the near future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pepe</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123450</link>
		<dc:creator>pepe</dc:creator>
		<pubDate>Sun, 31 Aug 2008 19:53:11 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123450</guid>
		<description>yeah...let's make millions of websites, millions of lines of code secure by telling everyone what rules they should obey...it worked so well for open SMTP relays..it works so well for phishing...

Let's just list all the things that could break and implement a measure against it. It works so well with AV software suites...

It's good to be in the security field: Everyone constantly assures that there's new work to do next week..</description>
		<content:encoded><![CDATA[<p>yeah&#8230;let&#8217;s make millions of websites, millions of lines of code secure by telling everyone what rules they should obey&#8230;it worked so well for open SMTP relays..it works so well for phishing&#8230;</p>
<p>Let&#8217;s just list all the things that could break and implement a measure against it. It works so well with AV software suites&#8230;</p>
<p>It&#8217;s good to be in the security field: Everyone constantly assures that there&#8217;s new work to do next week..</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: pdp</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123447</link>
		<dc:creator>pdp</dc:creator>
		<pubDate>Sun, 31 Aug 2008 18:20:31 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123447</guid>
		<description>just me, yes!

mindcorrosive, you are right but this is exactly why some mainstream applications like GMail and Yahoo Mail will be protected by default. Also, I am thinking that the browser should ask you how much you trust the current network, every time the network settings change.

adrian, why not? we force SSL, we compare the self-signed signatures against a list of SHA1 collected while being on a trusted network, we force &lt;code&gt;secure&lt;/code&gt; and &lt;code&gt;httpOnly&lt;/code&gt; cookies. this setup should make you feel safe even on very unsafe networks.</description>
		<content:encoded><![CDATA[<p>just me, yes!</p>
<p>mindcorrosive, you are right but this is exactly why some mainstream applications like GMail and Yahoo Mail will be protected by default. Also, I am thinking that the browser should ask you how much you trust the current network, every time the network settings change.</p>
<p>adrian, why not? we force SSL, we compare the self-signed signatures against a list of SHA1 collected while being on a trusted network, we force <code>secure</code> and <code>httpOnly</code> cookies. this setup should make you feel safe even on very unsafe networks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adrian 'pagvac' Pastor</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123446</link>
		<dc:creator>Adrian 'pagvac' Pastor</dc:creator>
		<pubDate>Sun, 31 Aug 2008 13:06:30 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123446</guid>
		<description>It's worth mentioning that if someone is in the same Wi-Fi network as you, SSL alone won't protect you against session hijacking:

https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/</description>
		<content:encoded><![CDATA[<p>It&#8217;s worth mentioning that if someone is in the same Wi-Fi network as you, SSL alone won&#8217;t protect you against session hijacking:</p>
<p><a href="https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry" rel="nofollow">https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry</a><br />
<a href="http://enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/" rel="nofollow">http://enablesecurity.com/2008.....-save-you/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mindcorrosive</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123444</link>
		<dc:creator>mindcorrosive</dc:creator>
		<pubDate>Sun, 31 Aug 2008 12:29:12 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123444</guid>
		<description>Your ideas, of course, suggest that the users are educated about secure browsing and are impenetrable to stupidity - which is hardly the case, considering the amount of non-technical privacy and security breaches we see these days.
The power users already know how to fix the things and do not need much more security - it's all the other irresponsible individuals that need to be educated in the first place, instead of trying to invent an imaginary fool-proof technology.</description>
		<content:encoded><![CDATA[<p>Your ideas, of course, suggest that the users are educated about secure browsing and are impenetrable to stupidity - which is hardly the case, considering the amount of non-technical privacy and security breaches we see these days.<br />
The power users already know how to fix the things and do not need much more security - it&#8217;s all the other irresponsible individuals that need to be educated in the first place, instead of trying to invent an imaginary fool-proof technology.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: just me</title>
		<link>http://www.gnucitizen.org/blog/lets-fix-the-web/#comment-123442</link>
		<dc:creator>just me</dc:creator>
		<pubDate>Sun, 31 Aug 2008 09:50:05 +0000</pubDate>
		<guid isPermaLink="false">https://www.gnucitizen.org/?p=1174#comment-123442</guid>
		<description>Your ideas are very good. I wonder if a similar thing can be done for other commonly used web site applications, such as phpNuke and Invision Power Board.</description>
		<content:encoded><![CDATA[<p>Your ideas are very good. I wonder if a similar thing can be done for other commonly used web site applications, such as phpNuke and Invision Power Board.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
