New Firefox security technology blocks Web attacks, Mozilla claims (opens in new tab)

(computerworld.com)

12 pointsksvs16y ago19 comments

19 comments

ax0n16y ago

Up next: New attack bypasses Firefox security technology, security researcher claims.

I do infosec for a living. I can say with 100% certainty that the good guys are in a constant state of playing catch-up with the bad guys. The only thing we can hope for is to minimize the amount of time that serious vulnerabilities remain exposed, in hopes that it's fixed before someone creates yet another point-and-crack tool for the skiddies.

tptacek16y ago

Without saying why CSP is particularly susceptable to cat-and-mouse attacks, this comment doesn't have a lot of content. Do you have more thoughts to share about it?

ax0n16y ago

Some big problems: It requires people to use firefox or for other vendors to adopt CSP, and it only works for sites that integrate it. Until it comes under attack, it's hard to say whether or not it'll fall victim to the cat-and-mouse thing or simply fail to gain traction. I haven't seen CSP in action, so my comment was tongue-in-cheek.

tptacek16y ago

I don't really get CSP. Without changing anything in the browser, application developers --- the only people who can really use CSP --- can already create policies that say where dynamic code should or shouldn't be allowed.

The problem is that modern web apps are riddled with places that need enough dynamicism that blunt filtering won't work.

jfager16y ago

I don't think I understand what you're objecting to. The way I read it, CSP is lock-down by default (if the header is sent across to opt into it), with the application developer being responsible for providing a whitelist of where code and data can be loaded from. How can you do something similar today without still taking care to escape all inputs, etc.?

http://people.mozilla.org/~bsterne/content-security-policy/d...

tptacek16y ago

The libraries people use to "escape all inputs, etc" are providing effectively the same functionality as CSP is, but that's not my real concern.

My real concern is, despite the fact that developers have the ability to set policies about what regions on the page can contain dynamic content, "policy" is generally too brittle to describe what people need to put on pages in real-world apps.

2 more replies

ax0n16y ago

Also, it seems Computerworld believes it's similar to NoScript (which I use) whereas it really seems more like RequestPolicy (which I also use, but wouldn't wish upon anyone that's not equal parts sophisticated and paranoid)

ajju16y ago

Speaking of Mozilla security what is ex-Mozilla security chief Window Snyder upto? IIRC she used to work for Matasano previously but if she has started a new startup I'd like to keep an eye on that!

tptacek16y ago

She'll be out here in a week for our crypto-for-penetration-testers class, so I'm happy to ask her.

j / k navigate · click thread line to collapse

19 comments

ax0n16y ago

Up next: New attack bypasses Firefox security technology, security researcher claims.

tptacek16y ago

Without saying why CSP is particularly susceptable to cat-and-mouse attacks, this comment doesn't have a lot of content. Do you have more thoughts to share about it?

ax0n16y ago

tptacek16y ago

The problem is that modern web apps are riddled with places that need enough dynamicism that blunt filtering won't work.

jfager16y ago

http://people.mozilla.org/~bsterne/content-security-policy/d...

tptacek16y ago

The libraries people use to "escape all inputs, etc" are providing effectively the same functionality as CSP is, but that's not my real concern.

2 more replies

ax0n16y ago

ajju16y ago

Speaking of Mozilla security what is ex-Mozilla security chief Window Snyder upto? IIRC she used to work for Matasano previously but if she has started a new startup I'd like to keep an eye on that!

tptacek16y ago

She'll be out here in a week for our crypto-for-penetration-testers class, so I'm happy to ask her.

j / k navigate · click thread line to collapse