Mark Baker wrote:
I thought I'd respond to this, since it's important and it reflects an
unfortunately common theme found in some recent attempts to improve
the Web (e.g. HTML5 & content type sniffing).
On 2/20/08, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> Also, I have no pity for any Web admin who suffers harm as a direct
> result of permitting badly designed Web apps to be deployed on their
> servers.
I guess that is where we are different. I try to protect the people that
are currently deploying websites. As best I can. Not just the people
that perfectly follow all specs and know all the latest and greatest
security recommendations.
By not following specs, they're not playing by the same rules that the
rest of the world has agreed to play by. You don't change the rules
just because a minority violate them. You educate the minority so
that they understand the problems they've created for themselves, and
appreciate the value in fixing their mistakes.
The "people should be smarter" fix is a very tempting one, but generally
doesn't work. It's hard to make people smarter.
Let's take CSRF as an example. CSRF issues are very common today. Loads
of sites are vulnerable to it. Word is definitely spreading about the
problem and more and more sites get fixed. But there are also more and
more sites popping up every day so I'm not convinced that the number of
vulnerable sites is actually decreasing.
Sure, you could say "it's the site's fault, they can protect themselves",
and while that is true, that doesn't change the fact that they don't and
as a result the internet is a less secure place.
Ideally I would like to disable the ability to do cross site <post>s
unless the target site opts in (using for example the Access-Control
spec). The two reasons we don't make that change in Mozilla are that:
1. It would break the web
2. Old deployed browsers still are allowing cross-site POSTs and so
changing the model in a new browser invites a false sense of
security.
My point is that just blaming people for not being smart enough is not
very productive.
Otherwise, over the
long term, entropy would win and eventually kill interoperability, or
at least greatly increase the barrier to entry for new players.
That's behaviour I'd expect of monopolists, not Google, Mozilla or
Opera.
I'd rather say that saying "only smart people are allowed to deploy
websites" is monopolistic and will discourage the open web we have today.
/ Jonas