> of creating a > full-featured > browser, from scratch, with usability as good as IE > and Firefox > strikes me as a fairly tricky project.
I agree. > What about > using the > facilities already provided by the OS to enforce the > sandbox? But then will it be possible to prevent buffer overflows, still running on unmanaged code? Very nice points by Dinis, esp. the one about the "advantages" of using our boxes with less privileges (for internet browsing). -pilon --- Brian Eaton <[EMAIL PROTECTED]> wrote: > On 3/25/06, Dinis Cruz <[EMAIL PROTECTED]> wrote: > > 4) Finally, isn't the solution for the creation of > secure and > > trustworthy Internet Browsing environments the > development of browsers > > written in 100% managed and verifiable code, which > execute on a secure > > and very restricted Partially Trusted > Environments? (under .Net, Mono or > > Java). This way, the risk of buffer overflows will > be very limited, and > > when logic or authorization vulnerabilities are > discovered in this > > 'Partially Trusted IE' the 'Secure Partially > Trusted environment' will > > limit what the malicious code (i.e. the exploit) > can do. > > I am less than enthusiastic about most of the > desktop java > applications I use. They are, for the most part, > sluggish, memory > gobbling beasts, prone to disintegration if I look > at them cross-eyed > or click the mouse too frequently. > > Usability problems with java applications are not > necessarily due to > managed code, of course, but the idea of creating a > full-featured > browser, from scratch, with usability as good as IE > and Firefox > strikes me as a fairly tricky project. What about > using the > facilities already provided by the OS to enforce the > sandbox? Rather > than scrapping the existing codebases, start running > them with > restricted rights. Use mandatory access control > systems to make sure > the browser doesn't overstep its bounds. > > Regards, > Brian > > ------------------------------------------------------------------------- > This List Sponsored by: SpiDynamics > > ALERT: "How A Hacker Launches A Web Application > Attack!" > Step-by-Step - SPI Dynamics White Paper > Learn how to defend against Web Application Attacks > with real-world > examples of recent hacking methods such as: SQL > Injection, Cross Site > Scripting and Parameter Manipulation > > https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl > -------------------------------------------------------------------------- > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
