Ben Bucksch wrote:
> 1. It does indeed give attackers an advantage to know which security
> holes I am vulnerable to. [...]
> True, a well-written attack could use rendering engine feature changes
> to detect the version. But not all security updates are detectable like
> that, hopefully very few in fact,

I'm not so sure. Emergency updates correct only one bug, but other updates correct a bunch of stuff, some of which, whilst not being very critical, can be easy to detect. I think mfsa2010-63 and mfsa2010-46 are probably in that case.
You end up getting a small window of versions quite easily.

> and that needs client-side code that makes things more detectable again.

I think that's the part of what you say that makes the most sense, but wasn't the plan at one time to remove identification from the User-Agent and leave it available only from JavaScript? If you can run JS on the browser, and are very sophisticated, you have a large window of opportunity for detecting the version from the behavior in a way that is really hard to detect.

> 2. Don't conclude from current attacks.  Just because current attacks
> don't do A today doesn't mean it's neglectable.

I don't believe that's really what was done here.
And whilst it's useful to think of possible future attacks in order to be a step ahead, it's not very useful to invest a lot of energy to prevent an attack that might never materialize (the strongest reason why it's so is that attackers will often find a smart way to completely avoid the Maginot line you spent a lot of time building). So it fully makes sense to first and foremost protect against the attacks that *do* exist.

A point to take into account also is that the kind of attacker you consider here is very dedicated and can spend quite a lot of money if needed. So they are quite likely to buy a zero-day vulnerability from the black market, and those by nature tend to work on all the minor versions (those that don't are mostly those that have been /introduced/ by a security fix, and fortunately they are not too frequent).
Case in point: the zero-day IE flaw attack against Google.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security