1. 41

  2. 12

    The TL;DR on this is:



    1. 3

      s/TL;DR/spoiler/ ;)

    2. 6

      The response of “n-gate”: http://n-gate.com/software/2017/07/12/0/

      It’s a shame that people are using web browsers (note: not my website, but BROWSERS) as attack vectors.

A good start would be for browsers to block all scripts (JavaScript, turing complete CSS?, …) from working at all on non-HTTPS sites and block things like form submits.

      1. 3

        This argument doesn’t quite make sense to me. Just because n-gate doesn’t do any of those things doesn’t mean an Eve sitting between us can’t add them. Comcast literally does this to notify people when they’re getting close to bandwidth caps; it’s not even theoretical. (And it doesn’t require shoving something Turing-complete in there, anyway; a simple <div> does the trick just fine. Or even rewriting some text to say the opposite of what n-gate would say.)

        And on that note, even if you did block all Turing-complete stuff by default, you still might have a zero-day in e.g. an image processing lib, and if you allow Eve to inject arbitrary content, that’s still an attack vector.

        I generally enjoy reading n-gate rants, but this one’s just wrong.

        1. 1

a simple <div> does the trick just fine

          sure but there can’t be any active content in that case, huge reduction of attack surface.

          you still might have a zero-day in e.g. an image processing lib

it is not about eliminating all security risks, there is always a risk, e.g. opening Word documents or PDFs. It is about reducing it.

      2. 3

I have a post scheduled to go live about this very thing tomorrow morning. I’ve added the site to my post!


        1. [Comment from banned user removed]

          1. 5

            I guess it does. Even though we have seemingly reached the tipping point, the hard part now is to get the rest on HTTPS. It does help with browsers telling you about it.

          2. 2

            More like a PSA but still useful imho.

            1. 1

              Anyone who perpetuates the bullshit scam linked under “HTTPS is slow” has no integrity and no right speaking to anyone about security.

              1. 1

                Thanks for the insight!