rene...

the scenario that i'm envisioning could very well cause people to get
ticked. but i also can easily see financial institutions starting to tell
their customers, that unless your system is of a certain level, or running a
certain kind of browser, that you'll get charged more to do business with
them...

security is an issue, and it's going to get larger. and that will require
thinking about the user/client's setup..

if i as a bank, refuse to allow you to sign in to my server, because i detect
that your client is not valid/legitimate, meaning i think it's been hacked,
how have i trampled the rights of anyone. i haven't. will some customers
run, sure.. perhaps.. will i potentially feel better. yeah. will i
potentially have something that i can promote as an extra level of security
that others don't have, maybe..

let people continue to read/hear about massive losses of data and see what
happens...

rene, you also have to understand, i'm not trying to determine if the user's
entire system is 'clean/valid'. i'd settle for a way of knowing that the
browser/client that i'm talking to is legitimate!!

-bruce



-----Original Message-----
From: Rene Brehmer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:18 PM
To: php-general@lists.php.net
Subject: Re: [PHP] Re: security question...??


Documented research indicates that on Tue, 21 Jun 2005 13:37:50 -0700,
"bruce" wrote:

> chris...
>
> what you state is true at the extreme... but in the case of a client app, i
> could already extract information about the various apps that make up the
> client.. ie if, as in the case of IE, I was able to get information from the
> IE browser about various dlls that make up the browser. if these pieces of
> information correctly match what msoft would state should be there, then i
> could assume that the app was/is legitimate.

BUT: That would mean that you can't take into account any plugins or
extensions the user might install. And the security leak you're afraid of
might not even be IN the browser program used. It might as well be a packet
sniffer on the outside of the user's firewall ...

> and here's why. while you may not give a damn, there will be a growing
> chorus of people who'll want to know that the developers/sites are doing
> everything they can to ensure the safety of the entire transaction. in fact,
> i'm willing to bet that something like what i've been discussing will be
> delivered, and promoted as a security/selling point...

I think it's more a matter of education and morale than anything else. You
can't take responsibility for all clients not screwing up their own system.
You just have to hope and trust, that when you tell your users to use this
and that browser, and take this and that precaution, that they actually do
it, and not install a whole bunch of crap that creates a security problem.

What you're asking for is basically a way to control what users do on their
own computers, and refuse them if you don't like what they've done. It's
not very short of invasion of privacy. Electronic Arts already do that with
their games (spy on your computer without your permission, and then refuse
to let you play the game you legally paid for, because you have other legally
paid programs that they don't approve of).

What you can do however, is to develop an app that can run a security test
locally on the user's computer, and have that app sign off on the user
being safe enough for you to want to deal with him. And then force them to
regularly have to do that again. But I'm telling you, the more troublesome
you make it for your users to use your stuff, the more users you'll lose,
and fast. Mostly thanks to MS and Apple, computer users today know very
little about their computers, or how they work, or how they protect
themselves, and we teach them that they should all and anything that comes
their way. So it's continually limited what you can actually ask a
computer user to put up with, they'll just go somewhere else that's less
hassle (that's the whole reason the majority use IE: It's there, it's
easy to use, it gets the job done, and it doesn't complain a whole lot).
The majority of end-users don't care, or know, or understand, simple
security precautions when it comes to network traffic.

Education and discipline are, in the end, the only means to achieve what you
want.

/rambling off
--
Rene Brehmer
aka Metalbunny

We have nothing to fear from free speech and free information on the
Internet, but pop-up advertising!

http://metalbunny.net/
My little mess of things...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php