Ben Bucksch wrote on 02.07.2015 12:52:
> Gervase Markham wrote on 02.07.2015 11:48:
>> Surely the behaviour if the server goes down is to use the last known
>> good override set?
> Right:
> Fetch, verify, cache.

To expand: The verify step is important. We've had a phishing filter,
fed by our server. Server bug, unfortunate truncation, ended up with a
(syntactically valid, but wrong) rule to block URL prefix "http://w".
Thus, we broke the browser.
Lesson learned: Anything that comes from a server must be sanity checked
with the highest scrutiny and mistrust. Syntax and security checks
(overflows, insecure URLs etc.) are just the first step, then there must
be sanity checks whether the rule makes sense in a practical way. Assume
the server is the most gifted and creative hacker, and protect against
him. That will also create *reliable* (not just secure) systems.
_______________________________________________
mobile-firefox-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/mobile-firefox-dev
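The "fetch, verify, cache" approach described in the message, as an added example that is not code from the thread or from Firefox: a verifier for server-supplied URL-prefix block rules that passes syntax checks first, then practical sanity checks (so a valid but over-broad prefix like "http://w" is refused), and falls back to the last-known-good set when the fetched one fails. The rule shape ({ prefix }), the canary URLs, the shrink heuristic and the function names are assumptions for illustration.

```javascript
// Added example (not from the thread or from Firefox): verify a fetched set of
// URL-prefix block rules before it replaces the cached last-known-good set.
// Rule shape { prefix: "http://..." }, CANARY_URLS and all names are assumed.

// Step 1: syntax and security checks on one rule (bounded size, parseable,
// http(s) only, so e.g. "javascript:" prefixes are refused here).
function syntaxOk(rule) {
  if (!rule || typeof rule.prefix !== "string" || rule.prefix.length > 2048) return false;
  try {
    const u = new URL(rule.prefix);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch (_) {
    return false;
  }
}

// Step 2: does the rule make sense in practice? "http://w" parses as a valid
// URL with host "w", yet as a prefix it would block most of the web.
const CANARY_URLS = ["http://www.example.test/", "https://mail.example.test/inbox"]; // constructed

function sane(rule) {
  const labels = new URL(rule.prefix).hostname.split(".");
  if (labels.length < 2 || labels.some((l) => l.length === 0)) return false; // single-label or empty host
  if (labels[labels.length - 1].length < 2) return false; // truncated TLD
  return !CANARY_URLS.some((url) => url.startsWith(rule.prefix)); // must never hit known-good URLs
}

// Verify the whole fetched set; on any failure keep lastKnownGood and say why.
function verifyRuleSet(fetched, lastKnownGood) {
  const reject = (reason) => ({ rules: lastKnownGood, accepted: false, reason });
  if (!Array.isArray(fetched) || fetched.length === 0) return reject("empty or malformed set");
  const badIdx = fetched.findIndex((r) => !syntaxOk(r));
  if (badIdx !== -1) return reject("syntax error in rule " + badIdx);
  const sillyIdx = fetched.findIndex((r) => !sane(r));
  if (sillyIdx !== -1) return reject("sanity check failed for rule " + sillyIdx);
  // A set that shrank to under half of the cached one smells like truncation.
  if (lastKnownGood.length > 0 && fetched.length * 2 < lastKnownGood.length) return reject("suspicious shrink");
  return { rules: fetched, accepted: true, reason: "ok" };
}

function isBlocked(url, rules) {
  return rules.some((r) => url.startsWith(r.prefix));
}

// Stand-alone demo: a truncated "http://w" rule is refused, cache stays in force.
const demoCached = [{ prefix: "http://phish.example.test/login" }];
const demoResult = verifyRuleSet([{ prefix: "http://w" }], demoCached);
console.log(demoResult.accepted, demoResult.reason, isBlocked("http://www.example.test/", demoResult.rules));
```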