In bug <https://bugzilla.mozilla.org/show_bug.cgi?id=572659>, I argued
that it'd be better to hide the minor version. If I don't run the very
latest minor version, I am basically advertising to the world that I am
vulnerable. I argued that this is not a good idea.
I was immediately countered with "security by obscurity". I replied:
"security through obscurity" means that you leave security holes open in
the hope that nobody will discover them. In other words, obscurity is no
*replacement* for security. However, obscurity can indeed help as an
*added* bonus, everything else being equal. I argue that not openly
advertising which security holes you are vulnerable to (given that the
UA string decision will not affect user update decisions, i.e. security
doesn't change) is an "added bonus".
dveditz wrote that "apparently 'the stupid way' is good enough in all
the attacks I've investigated."
I wrote: "I ... don't think that whether attackers use it today or not
is an overriding reason, just that it's possible and would help them
avoid unnecessary detection."
Right, that seems to have happened now, with Stuxnet. It's a worm
attacking industrial systems (so not directly relevant to us), and
apparently targeting Iranian nuclear facilities. An article writes:
"The Stuxnet software is exceptionally well written, it makes very very
sure that nothing crashes, no outward signs of the infection can be seen
and, above all, it makes pretty sure that its final payload, which
manipulates parameters and code in the SPS computer, is only executed if
it is very certain to be on the right system. In other words: it is
extremely targeted and constructed and built to be as side-effect free as
humanly possible."
Two lessons, IMHO:
1. It does indeed give attackers an advantage to know which security
holes I am vulnerable to. IMHO, that makes advertising the minor version
dangerous in a way.
True, a well-written attack could use rendering engine feature changes
to detect the version. But not all security updates are detectable like
that, hopefully very few in fact, and that needs client-side code that
makes things more detectable again.
2. Don't conclude from current attacks. Just because current attacks
don't do A today doesn't mean it's negligible. In fact, that's where
the worst security holes come from.
Ben
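As an added illustration of the proposal in the message above (this is not code from the bug, from Mozilla, or from the author), the following Python shows what an observer of raw UA strings can learn and what the same observer learns once the patch-level component is dropped. The UA strings are constructed samples in the historical Firefox 3.6.x format, and the function names (`redact_minor_version`, `clients_identifiable_as_outdated`) are this example's own.

```python
import re

# Constructed sample UA strings in the historical Firefox 3.6.x format (not real log data).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3",
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.8) Gecko/20100723 Firefox/3.6.8",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
]

# The two tokens that carry the patch level: the product version and the Gecko rv: version.
FIREFOX_TOKEN = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
RV_TOKEN = re.compile(r"rv:(\d+(?:\.\d+)*)")


def _truncate(version: str, keep: int) -> str:
    """Keep only the first `keep` dotted components of a version string."""
    return ".".join(version.split(".")[:keep])


def redact_minor_version(ua: str, firefox_keep: int = 2, rv_keep: int = 3) -> str:
    """Return the UA string with the patch-level component removed.

    For the 3.6.x line this turns Firefox/3.6.10 into Firefox/3.6 and
    rv:1.9.2.10 into rv:1.9.2, so the branch stays visible but the exact
    security update applied does not.
    """
    ua = FIREFOX_TOKEN.sub(lambda m: "Firefox/" + _truncate(m.group(1), firefox_keep), ua)
    ua = RV_TOKEN.sub(lambda m: "rv:" + _truncate(m.group(1), rv_keep), ua)
    return ua


def firefox_version(ua: str):
    """Return the Firefox version as a tuple of ints, or None if there is no token."""
    m = FIREFOX_TOKEN.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def clients_identifiable_as_outdated(uas, latest: str) -> int:
    """Count UA strings that reveal a version strictly older than `latest`.

    The comparison uses only the components the UA string actually exposes:
    a redacted Firefox/3.6 is compared against the 3.6 prefix of `latest`
    and so cannot be distinguished from a fully patched 3.6.x client.  A
    redacted client on an older branch (e.g. Firefox/3.5 when 3.6.10 is
    current) is still counted, since the branch is deliberately left visible.
    """
    latest_t = tuple(int(p) for p in latest.split("."))
    count = 0
    for ua in uas:
        v = firefox_version(ua)
        if v is None:
            continue
        if v < latest_t[:len(v)]:
            count += 1
    return count


if __name__ == "__main__":
    latest = "3.6.10"  # constructed "current release" for the demonstration
    raw = clients_identifiable_as_outdated(SAMPLE_UAS, latest)
    redacted_uas = [redact_minor_version(ua) for ua in SAMPLE_UAS]
    redacted = clients_identifiable_as_outdated(redacted_uas, latest)
    print(f"raw UA strings: {raw} of {len(SAMPLE_UAS)} clients visibly unpatched")
    print(f"redacted UA strings: {redacted} of {len(SAMPLE_UAS)} clients visibly unpatched")
    for ua in redacted_uas:
        print(ua)
```

Run as a script, the raw strings let an observer single out the two clients on 3.6.3 and 3.6.8, while the redacted strings single out none of them. The example redacts only the `Firefox/` and `rv:` tokens; the `Gecko/` build-date token in the same strings is another per-build identifier that a real deployment of this idea would have to treat the same way.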
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security