
Mitigating MIME Confusion Attacks in Firefox - robin_reala
https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/
======
avian
1) adopt a standard for specifying MIME type.

2) realize people are not using the standard correctly, disregard the
specified type and auto-detect the type.

3) realize this creates a security problem, adopt a new standard that adds a
stronger MIME type specification.

4) go to 2)

~~~
Arnavion
nosniff is opt-in for websites that want the security benefit. If they do that
and still irresponsibly send the wrong content type then I can't sympathize
with them.
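
The check that nosniff turns on, as an added example (not code from the thread or from Mozilla's post), modelled on the Fetch standard's nosniff blocking rule for script and stylesheet loads; the header dictionaries passed to it are constructed test data:

```python
# Added example (not from the thread or Mozilla's post): a model of the check
# nosniff enables, per the Fetch standard's nosniff blocking algorithm.
# All header values used with it are constructed test data.

# JavaScript MIME types as enumerated by the MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

def _header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def mime_essence(content_type):
    """Lowercased type/subtype of a Content-Type value, parameters stripped;
    None when the header is missing or has no type/subtype."""
    if content_type is None:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    if "/" not in essence or essence.startswith("/") or essence.endswith("/"):
        return None
    return essence

def has_nosniff(headers):
    """Only the first comma-separated token of X-Content-Type-Options counts,
    compared case-insensitively, as the Fetch standard specifies."""
    value = _header(headers, "X-Content-Type-Options")
    return value is not None and value.split(",", 1)[0].strip().lower() == "nosniff"

def should_block(headers, destination):
    """True when a response fetched as `destination` ("script", "style", ...)
    must be refused instead of sniffed: nosniff is set and the declared type
    is not one the consuming context accepts."""
    if not has_nosniff(headers):
        return False  # no opt-in: the browser may still sniff
    essence = mime_essence(_header(headers, "Content-Type"))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES  # a missing type is blocked too
    if destination == "style":
        return essence != "text/css"
    return False  # other destinations are not gated by nosniff
```

Without the header the function never blocks, which is the opt-in the comment above describes; with it, a script served as text/plain or a stylesheet served as text/html is refused rather than sniffed.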

------
zeveb
> While MIME sniffing increases the web experience for the majority of users,

What does 'increases the web experience' even _mean_? Using a phrase like that
is clear evidence of confusion.

Browsers should obey the media type they receive, per the context in which
they receive it; content-sniffing is just _wrong_.

Yeah, it means that the brokenness of broken sites will be made evident to
users. Broken sites are broken, news at 11.

~~~
drdaeman
It's all based on the idea that users want sites that are broken beyond repair to
still magically work - because _user experience_.

And that's the story of how we got stuck with the giant pile of hacks the modern
web is.

~~~
gsnedders
Every single browser vendor has exit polling showing websites being broken is
one of the top reasons for users changing browser. This isn't some idea, we
have solid data that breaking stuff just causes users to move to a browser
where the site works.

~~~
jhatax
This.

Most users do not think that their favorite website is broken; they believe the
browser is at fault. Therefore, they find a browser that renders said website
correctly and stick with it. The problems are manifold, and it's the browser
that supports both the standard and many non-standard ways of describing
content that wins out: Chrome today; IE before the "second coming of web
browsers".

~~~
gsnedders
And if every browser breaks it, you find an old browser that it works with and
stick to that forever, which is _really_ bad for everyone.

~~~
drdaeman
Is this also backed by research?

Because I sort of doubt this. Old browsers become a nuisance quite fast,
with "sorry, you need a browser that supports $feature and yours doesn't".
Well, I mean, I had to stick with a 2-year-old browser for some time and this
certainly wasn't a good UX.

------
Pxtl
That still seems overly specific in that the content server must opt-in by
using nosniff, but I guess that's the reality of backwards-compatibility.

------
_RPM
I remember trying to explain that checking the file extension of a file
doesn't mean that it is actually an "image" file. I was an intern at my first
internship, but wasn't taken seriously when I proposed [to the senior dev]
that we do actual file validation (bytes) and not just extension validation
for the uploaded images. Yes, it would take more time. But, since I was just
low on the pole, I think I wasn't taken seriously.

Also maybe it wasn't my place to suggest design solutions, and/or my approach
wasn't as good as it should have been.

~~~
Flimm
What Mozilla is proposing here is that metadata (the mime header if not the
filename) is respected and guessing based on the contents is eliminated. So
the proposal is more similar to your professor's idea than to yours.

------
revelation
So this is a hack in the browser to fix a security problem in the server. And
it requires the same server to send an additional header.

I wonder if they ever evaluate the effectiveness of their work over there at
Mozilla.

~~~
hannob
This is not a Mozilla invention. The only thing Mozilla should be criticized
for is that they are the last to implement this. All other browsers already
support this header.

It's a bad situation, but it's based on bad decisions that were made in the
90s when the web was in its early days ("be liberal what you accept"). Hard to
fix in a general way without breaking lots of stuff.

