Articles Tagged with "Browser Security"


From the Web

FireSheep

November 16, 2010 from: Rsnake's blog at ha.ckers.org

I [Rsnake] go back and forth on whether I think FireSheep is interesting or not. Clearly, it’s old technology re-hashed. But it is interesting not because it works, but that it surprises people that it works. We’ve been talking about these problems forever, and now companies are scrambling to protect themselves. I guess the threat isn’t real until every newbie on earth has access to the hack...



From the Web

Cooling Down the Firesheep

November 06, 2010 from: Mozilla Security Blog

There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such as Facebook and Twitter. While the developers chose to use the Firefox add-on API, the tool could have just as easily been written and distributed as a stand-alo...

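The two Firesheep items above describe the same exposure: a session cookie that the browser is willing to send over plain HTTP can be read by anyone on the same open network. The following is an added example, not code from Firesheep, Rsnake or the Mozilla Security Blog. It models the one browser rule that matters here, that a cookie carrying the Secure attribute is never attached to an http:// request, and shows the same fictional site (host name and cookie values are constructed) setting its session cookie with and without that flag. Path, Expires and Max-Age are deliberately ignored because they do not affect what reaches the wire.

```javascript
// Added example (not Firesheep or Mozilla code): which cookies does a browser
// put on the wire for a given request URL?  Host name and cookies are constructed.

function parseSetCookie(header, setFromHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    host: setFromHost.toLowerCase(),   // host-only cookie unless Domain= is present
    domain: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map(s => s.trim());
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'domain': if (v) cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      // Path, Expires, Max-Age: irrelevant to whether the value is sent in the clear
    }
  }
  return cookie;
}

function domainMatches(cookie, host) {
  if (cookie.domain) return host === cookie.domain || host.endsWith('.' + cookie.domain);
  return host === cookie.host;
}

// Names of the cookies a browser attaches to a request for requestUrl.
function cookiesSentTo(jar, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const overTls = u.protocol === 'https:';
  return jar
    .filter(c => domainMatches(c, host))
    .filter(c => overTls || !c.secure)   // Secure cookies are withheld on plain http
    .map(c => c.name);
}

// What a passive sniffer on the same network sees as soon as the victim loads
// any plain-http URL on the host (an image, a redirect, the http:// front page).
function sniffableCookies(jar, host) {
  return cookiesSentTo(jar, `http://${host}/`);
}

// Constructed sample: the same session cookie set two ways.
const HOST = 'social.example';
const weakJar = ['sid=7f3a9c; Path=/; HttpOnly', 'prefs=dark; Path=/']
  .map(h => parseSetCookie(h, HOST));
const hardenedJar = ['sid=7f3a9c; Path=/; Secure; HttpOnly', 'prefs=dark; Path=/']
  .map(h => parseSetCookie(h, HOST));

console.log('weak site leaks:    ', sniffableCookies(weakJar, HOST));      // [ 'sid', 'prefs' ]
console.log('hardened site leaks:', sniffableCookies(hardenedJar, HOST));  // [ 'prefs' ]
```

Note that HttpOnly is set on both variants and changes nothing: it keeps script from reading the cookie, but the cookie still travels in cleartext, which is exactly what Firesheep captures. The Secure flag closes the sniffing hole only for that cookie; a site that still serves anything over http:// remains open to an active attacker, which is the gap HSTS (further down this page) is meant to fill.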


From the Web

Least Common Denominator

October 23, 2010 from: Rsnake's blog at ha.ckers.org

While at Bluehat Jeremiah got a question from someone (I believe he worked at Opera) saying that even something as simple as turning off third party cookies will break things like Yandex. Jer had an amusing response which was, “What’s that?” followed by, “So you’re telling me I need to be less secure because someone else wants to go to a site that I’ve never heard of?”



From the Web

HTTP Strict Transport Security

October 06, 2010 from: Mozilla Security Blog

A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it into our source tree. This means that HSTS will be shipped with Firefox 4, and will be deployed as soon as the next beta release.

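The excerpt above says what HSTS does ("only access me over HTTPS in the future") but not how a browser keeps its promise. The following is an added example, not Firefox code and not from the Mozilla Security Blog: a small model of the client side of the spec, using the two directives the HSTS draft defines, max-age and includeSubDomains. It enforces the three rules that make the mechanism safe: the header is honoured only when it arrived over HTTPS, a policy expires after max-age seconds, and a stored policy rewrites later http:// URLs for that host (and, with includeSubDomains, its subdomains) to https:// before any request is sent. Host names in the demo are constructed.

```javascript
// Added example (not Firefox's implementation): a minimal HSTS policy store.
// Header syntax per the HSTS draft: Strict-Transport-Security: max-age=N[; includeSubDomains]

function parseHsts(headerValue) {
  // Returns { maxAge, includeSubDomains } or null if the header is malformed.
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, value] = directive.split('=').map(s => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (maxAge !== null) return null;                 // directives must not repeat
      const v = value !== undefined ? value.replace(/^"|"$/g, '') : '';
      if (!/^\d+$/.test(v)) return null;                // delta-seconds only
      maxAge = Number(v);
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
    // unknown directives are ignored, as the spec requires
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so expiry can be tested
    this.entries = new Map();       // host -> { expires, includeSubDomains }
  }

  // Record the policy carried by a response.  Returns true if it was accepted.
  observe(host, headerValue, overHttps) {
    if (!overHttps) return false;   // an attacker on plain http could otherwise plant or clear policies
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    host = host.toLowerCase();
    if (policy.maxAge === 0) {      // max-age=0 tells the browser to forget the host
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is host covered by an unexpired policy, directly or via a parent's includeSubDomains?
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// before the request leaves the browser.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// Demo with constructed hosts.
const store = new HstsStore();
store.observe('example.com', 'max-age=31536000; includeSubDomains', true);
console.log(store.upgrade('http://login.example.com/session'));   // https://login.example.com/session
console.log(store.upgrade('http://unrelated.test/'));             // http://unrelated.test/
```

The first-visit problem is visible in the model: nothing is stored until the browser has seen the header over a successful HTTPS connection, so the very first http:// request to a site is still sent in the clear. That is why the spec's fix for Firesheep-style cookie theft is HSTS plus the Secure cookie flag, not HSTS alone.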


From the Web

Browser Differences, Minutia Et Al…

September 10, 2010 from: Rsnake's blog at ha.ckers.org

Browser security often turns into a religious war amongst technologists, instead of thinking about it pragmatically. What are the real motives of the companies that are developing the browsers? In most cases they care primarily about market share because market share makes them money (through search engine agreements, and so on).



From the Web

CSRF Isn’t A Big Deal - Duh!

April 14, 2010 from: Rsnake's blog at ha.ckers.org

Did you hear the news? CSRF isn’t a big deal. I just got the memo too! There were a few posts pointing me to an article on the fact that CSRF isn’t that big of a deal. Fear not, I am here to lay the smack down on this foolishness. To be fair, I have no idea who this guy is, and maybe he’s great at other forms of hacking - web applications just don’t happen to be his strong ...



From the Web

Mozilla Plans Fix for CSS History Hack

March 31, 2010 from: Rsnake's blog at ha.ckers.org

The CSS history hack is soon going to close. If you look at the original Bugzilla thread this is something that Mozilla had marked as a P1 bug since 2002. You heard me right, this P1 bug has been open for 8 years. And here we are, on the cusp of an actual fix.



From the Web

Mozilla - Plugging the CSS History Leak

March 31, 2010 from: Mozilla Security Blog

From the Mozilla Security Blog - We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.



From the Web

Phishing With Google Wave

February 10, 2010 from: Rsnake's blog at ha.ckers.org

...a good article on how to phish Google Wave users using malicious gadgets. This is precisely what Tom Stracener and I were talking about in our presentation at DefCon and Blackhat a few years back - except this is for Wave instead of iGoogle. Either way the point is the same - when you let other people control content that is embedded in your site, you are at the mercy of whatever they chose to ...



From the Web

Fixing security holes without introducing new bugs

February 10, 2010 from: Mozilla Security Blog

When fixing any bug, there is a risk of introducing new bugs, which we call regressions. Regressions caused by security fixes can be especially problematic because shipping a buggy security update can erode user trust for future updates.



From the Web

A Glimpse Into the Future of Browser Security

September 30, 2009 from: Mozilla Security Blog

As we mentioned earlier we’ve been working for the past few months on turning the Content Security Policy specification into working Firefox code. (You’ll remember that CSP is a framework to protect websites from XSS and related attacks). We are happy to report that the work is nearly finished, and we have some preview builds available for you to try out.

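The excerpt above calls CSP "a framework to protect websites from XSS" without showing the decision a browser makes. The following is an added example, not Mozilla's code and not the syntax of the 2009 preview builds it mentions: it uses the later standardized directive form (default-src, script-src, with 'self', 'none', 'unsafe-inline', scheme and host sources) to show why an injected inline <script> and an injected remote script are both refused while the site's own scripts and its named CDN still load. Nonces, hashes and report-uri are not modelled; the page origin and host names are constructed.

```javascript
// Added example (not Mozilla's implementation): does a CSP policy let a script run?

function parseCsp(header) {
  // directive-name -> list of source expressions; a repeated directive is ignored, as the spec requires
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression match a resource URL loaded by a page at pageOrigin?
function sourceMatches(expr, pageOrigin, resourceUrl) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  if (e === "'self'") return resourceUrl.origin === pageOrigin;
  if (e.endsWith(':')) return resourceUrl.protocol === e;            // scheme-source, e.g. https:
  // host-source: [scheme://] [*.] host [:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && resourceUrl.protocol !== scheme + ':') return false;
  const h = resourceUrl.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*') {
    const actual = resourceUrl.port || (resourceUrl.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  return true;
}

// Decide whether a script may execute.  Pass { inline: true } for a <script> block
// or an event handler, or { url } for an external script.
function scriptAllowed(policy, pageOrigin, { inline = false, url = null } = {}) {
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                      // no governing directive: unrestricted
  if (inline) return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const u = new URL(url);
  return sources.some(s => sourceMatches(s, pageOrigin, u));
}

// Constructed sample: a shop that serves its own scripts and one CDN.
const PAGE_ORIGIN = 'https://shop.example';
const strict = parseCsp("default-src 'self'; script-src 'self' https://cdn.example; img-src *");

console.log(scriptAllowed(strict, PAGE_ORIGIN, { inline: true }));                       // false: injected <script>alert(1)</script>
console.log(scriptAllowed(strict, PAGE_ORIGIN, { url: 'https://evil.example/steal.js' })); // false: injected <script src=...>
console.log(scriptAllowed(strict, PAGE_ORIGIN, { url: 'https://cdn.example/jquery.js' }));  // true
```

The policy blocks the two ways a stored or reflected XSS payload normally executes, inline code and a script tag pointing at the attacker's host, without any change to the vulnerable page itself. It does not make the injection go away: the same payload still lands in the HTML, and a policy that lists 'unsafe-inline' or a bare * in script-src gives the protection back up, which is what the permissive case in the test checks.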