Because pretty much all the browsers, on a better-than-quarterly basis, fall victim to attacks that allow arbitrary web pages to upload code into their processes and run it.
Just not sure this needed the "attack class" name.
> Just not sure this needed the "attack class" name.
You are being too generous.
By default, all web browsers ALLOW execution of ALL code encountered
hidden and/or transparent elements ENABLES clickjacking by default.
In other words, the fundamental design is flawed, and it remains flawed
because of vested interests. Most argue the risks are worth the rewards,
and anyone who disagrees is promptly told that their tin foil hat is on
so tight that it's cutting off their circulation.
We both know what would happen to said person.
EDIT: Getting down-voted for just stating the underlying problem on HN doesn't bode well for HN as a community.
That's the real point.
When a friend tells me I'm trolling, even unintentionally trolling, and
even if it was expressed through a fallacious argument, it's time to
stop and rethink. Something is definitely wrong.
I seriously thought about just dropping this, not responding and letting
this thread die of natural causes. But I would be setting a bad example
by doing nothing, or taking it privately to email. $DEITY knows HN needs
more good examples of responding properly under pressure on contentious
issues, and with some luck and effort, I'll hopefully write one.
It seems tptacek meant "Web-as-we-know-it" but I really do get his
point; people are now accustomed to executing code from any source via
outdated, curmudgeonly views have never agreed with the idea of
executing code from any source. I am undoubtedly a minority.
The problem is, why is it such a terrible sin to question if the risks
are worth the rewards, voice flaws in the design, and try to look for
better alternatives? --In other words, why is everyone forced to accept
the "as-we-know-it" part without question?
Wanting to improve the as-we-know-it is vastly different from wanting to
abandon everything. I'm always in favor of trying to improve the status
quo. I know for certain the same is true for tptacek and although I
don't know him, I'd bet the same is true for daeken.
It's safe to say all of us "violently agree" that there is no such thing
as perfectly secure code, and it makes no difference if the code is only
handling data or if it is attempting to execute other code in a
overwhelmingly vast majority of people have a vested interest in
It won't be abandoned overnight. The same is true for other problematic
aspects of the web including CSS and frames. In short, there is a damn
good reason why unpopular views are very unpopular --Billions (if not
more) of investment would be lost if these things were abandoned.
With all of that said, browser exploits are painfully common. If you
reread tptacek's original comment:
> Because pretty much all the browsers, on a better-than-quarterly
> basis, fall victim to attacks that allow arbitrary web pages to upload
> code into their processes and run it. Just not sure this needed the
> "attack class" name.

you can see browser exploits happen regularly enough to cause
significant damages, but even mentioning the underlying problems results
in, "You're trolling... Internet-as-we-know-it... no shit." and
similar. It doesn't need to be that way, but around here, it almost
always happens. The very idea of finding something better than the
intimidating and unreasonable for most people. If you make your living
what would happen if it suddenly stopped working at 3pm tomorrow. When
an idea contrary to the status quo is voiced, many people succumb to the
irrational thinking of a sudden change and the associated irrational
The reasonable man adapts himself to the world. The unreasonable
man persists in trying to adapt the world to himself. Therefore,
all progress depends on the unreasonable man.
-- George Bernard Shaw
If you can't talk about a problem, then you have a bigger problem.
"This site has been disabled for violations of our Terms of Service. If you feel this disabling was in error, please fill out our appeal form."
Apropos little: UNC path filtering is something the Rails generation of webdevs have a bad habit of overlooking.
If it's a targeted attack I suppose you have a better shot, are most home Windows user names set to the user's full name like "John Doe"?
It's clever! I don't want to take anything away from it, except that I think it's been written up somewhat breathlessly.
Grossman probably has a good point that most applications aren't even superficially protected against clickjacking, and so this isn't going to be a common attack any time soon.
Did he give Microsoft a heads-up about these and a chance to respond before going public? Or does he just give a conference talk and post it to his blog, potentially providing the information allowing thousands of browsers to get compromised (assuming they weren't already) before privately letting Microsoft get a chance to patch it?
But I do hope that he told Microsoft before the world.
The state of security is becoming an over-hyped sideshow of late where the most trivial attacks, which would work maybe 1% of the time in the wild, are getting mass exposure.
I have a 0day in RHEL 5, you simply need to log onto the machine as root and run this script...
Because it doesn't. The attack involves using a bug in IE (an iframe will render cookie data from the local computer) with clickjacking to steal cookie information. Sniffing on port 445 is only mentioned in the context of figuring out the username of your target (by causing the target to connect to your SMB server, running on port 445).
I'd suggest you go back and re-read the whole page before making sweeping generalizations.
Hmm, because port 445 is not port 443?