I’m unclear on the difference between reducing trusted base and reducing privilege. The two examples given seem rather analogous. In one case, a string is provided which should be turned into an email address. In another case, a string is provided which should be turned into an IP address. In neither case do we want the helper program to run off and copy all our secret files to some rando server.
The failure in Netscape’s case seems to be that they used a longer-running process that processed multiple inputs and therefore allowed compromise to spread. I think that could have been made clearer. Netscape appears to be doing exactly what he advised in the previous section; they just did it poorly.
Even poorly implemented, I’m not sure it’s a great example because DNS, in its entirety, is outside the browser’s secure base. That’s one of the reasons we have https: DNS is untrustworthy. Netscape’s design seems to adequately insulate the computer, and my files on it, from the scary untrusted network outside my computer. It doesn’t insulate one bad DNS request from another because all of DNS is outside the isolation box.