Threads for ponguile

  1. 4

    This circumvents Microsoft’s anti-hijacking protections that the company built into Windows 10 to ensure malware couldn’t hijack default apps. Microsoft tells us this is not supported in Windows


    1. 21

      Beware companies claiming they do something for the security of their users when it also affects their bottom line. Security, “anti-hijacking” and related terms are often used manipulatively (especially in EULAs!).

      Restricting browser defaults choice is not an effective security feature for protecting user security or privacy:

      1. Situation: viewing malware sites and suffering a drive-by-attack: I have no reason to believe Edge to be better (on average) than other major browsers.
      2. Situation: malware addons: I have no reason to believe Edge to be better (on average) than other major browsers, all addon sites have reports of malware addons or addon authors turning bad (eg selling control of their successful addon).
      3. Situation: malware already running on your computer, wants to change your default browser: by this point it’s too late, making ‘changing the default browser’ more obscure is not an effective defence of a user’s security or privacy.

      Making it harder for users to change browser (and directly suggesting they do not do it with a little info box when they try, as Win10 does) is an effective method of enforcing market security. That’s not user security.

      You start to get a sense of manipulation when you read Microsoft’s statements about edge and privacy::

      Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.

      That’s straight out false. Not “all modern browsers” send information like “browsing history” to their makers. Notice how they have designed this sentence to make it feel normal and acceptable.

      Whenever we collect data, we want to make sure it’s the right choice for you.

      Uhuh. Is that the only reason you share data? Somehow you must be making money off this, otherwise you wouldn’t be doing it, right?

      For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service.

      Manipulative writing by business’ like this makes me ill. In a different content (eg flyers in your letterbox) this style of writing would be considered scam material.

      1. 12

        Mozilla has been trying to convince Microsoft to improve its default browser settings in Windows since its open letter to Microsoft in 2015. Nothing has changed, and Windows 11 is now making it even harder to switch default browsers.

        Microsoft and anti-competitive practises go hand in hand, nothing to be surprised about.

        1. 4

          Was more concerned about the obvious security implications! If ff can do it, what is stopping malware from doing it?

          1. 15

            Likewise if Edge can bypass the mechanisms in the background, what’s stopping malware from doing it? Or apparently Firefox 😆😭

            1. 4

              Yep. I’m in a slightly weird position here: I think Microsoft is right to lock down that API; I just think they’re wrong for unlocking it for Edge. So I’d prefer neither Mozilla nor Edge could pull this stunt.

              1. 2

                Theoretically the mechanism could check that the software performing the bypass comes from microsoft (via cryptographic signature) and is therefore “safe”. It is possible for microsoft to allow Edge to bypass it and nothing else.

                I’m actually sort of surprised they didn’t, but I guess doing it properly would have taken more work.

                1. 2

                  Or perhaps it was a silent protest by the engineers involved to allow firefox to do this.

              2. 6

                Nothing, of course, which isn’t too surprising, as this is pretty unlikely to have ever been about malware in the first place. If it had been, we’d have seen a real, secure API exposed to developers, whereas this is barely security by obscurity.

                1. 4

                  Nothing is stopping malware engineers from adding associations; SetUserFTA has been available for years.

            1. 2

              What are the security implications?

              1. 7

                No new implications. The website executes code which you provide and executes it locally. You already trust it with externally provided code, so nothing changes.

                1. 3

                  In case Klipse would be used on a blogging platform like medium, it might allow a malicious blogger to run arbitrary code on a medium page. That’s why blogging platform forbids script tags et al… But on your own blog, there are no security issues.

                1. 5

                  Thanks for this! I appreciate emphasizing the overarching data architecture rather than the lower level programming paradigms used to implement the abstractions.

                  1. 1

                    Thanks for this!

                    1. 2

                      Wow, AI is getting real good, real fast.