Re: So IE isn't a panacea
- From: "David W. Fenton" <dXXXfenton@xxxxxxxxxxxxxxxx>
- Date: Wed, 14 Sep 2005 23:06:56 -0500
"Danny J. Lesandrini" <dlesandrini@xxxxxxxxxxx> wrote in
news:vfadncGKz79cG7XeRVn-1g@xxxxxxxxxxx:
> David:
>
> Don't sugar-coat it ... tell us what you REALLY think of IE.
>
> You're probably correct about all of the observations you made,
> but I used IE because it's what I know, it's fast and easy. ASP
> pages are simple to churn out and it's a technology I've been using
> for years.
>
> As for forcing the users to have IE, I'm not sure that it's such a
> big stretch. . .
You're missing the point -- every Windows user has IE. I said forcing
a *dependency* on IE on the end users. IE is a component of Windows
that is so intertwined with so many different subsystems and is a
huge security risk. Because of that it is constantly being patched
by Microsoft to try to rectify all the bugs and vulnerabilities in
it. By introducing a dependency on IE, you're exposing your users to
the risk of your app breaking if one of the frequent patches to IE
(or some Windows component that is related to IE) breaks the
functionality you're depending on.
> . . . Do Windows users really uninstall Internet Explorer
> when they install FireFox? No, it still sits there and my code
> merely employs (quietly, as you correctly observed) the libraries
> of IE that are already installed and registered on Windows.
I have IE blocked at my software firewall -- it can't connect to
anything not on my PC. I use it only for testing web pages.
> True, this doesn't mitigate any potential security holes, but the
> user never actually sees or loads the IE browser. Do _you_ know
> how one would leverage security flaws in this scenario? If you
> do, don't tell, but I suspect the process I described adds a layer
> of complexity to the hack so as to make it improbable, if not
> impossible.
I'm not saying your code is a security hole, but that depending on
IE introduces what I see as an un-needed outside dependency. I don't
like my apps to have outside dependencies, unless I am guaranteed
that this dependency is stable. Standards not controlled by
Microsoft, or Windows APIs are stable, in my opinion. You can count
on a URL being executed by whatever program a PC is set to use for
executing them. Windows APIs are stable and safe.
Anything else I see as questionable.
> But, what do I know. Not much, really. It's like SQL Injection
> on ASP pages. One person responded to one of my articles to say
> that they could use SQL Injection to wreak havoc on my database.
> Well, I didn't get angry or defensive, but I replied to him with a
> challenge to do it. I mean, if my code is vulnerable, then I want
> to know. He never replied, and my sites are safe to this day.
I don't know what SQL injection is, but if your code is vulnerable,
I'd fix it. I hear that a lot of people are having their websites'
contact forms hammered by scripts trying to see if they can exploit
them to spam. It's happening even to scripts that are invulnerable
to these kinds of exploits (if you're validating all of the data
that's going in the headers (e.g., using regular expressions) you're
safe). So, just because no one has done it yet doesn't mean that it
won't happen any time. If you know the vulnerability is there, you
ought to do what you can to remove it.
> My sites are safe, not because I am so brilliant that I devised a
> scheme to thwart SQL Injection, but because it's just not that
> easy to perpetrate. I've read the articles and tested the hacks
> on my own pages, and couldn't break my code. Again, not because
> of my great expertise or foresight, but because it's just not that
> easy to do.
Well, I don't know the details, but if I knew of an exploit, I'd be
sure to do what I could to prevent it.
> I suspect the same is true with Internet Explorer security holes
> ... and with the holes in EVERY other browser. . . .
But it's *not* the same. IE is much more insecure and much less
frequently patched than, say, Firefox. Go to Secunia.com and check
out the security reports on IE6.x and Firefox 1.x and look at the
number of vulnerabilities over time. Look at the number of ones
Secunia classifies as serious. Look at the number of unpatched
vulnerabilities, and check out how many are truly serious exploits.
Look at the amount of time it takes MS to patch vs. Firefox, and
you'll see that the two browsers are simply not comparable at all in
terms of vulnerability or responsiveness to fixing vulnerabilities.
> . . . The only reason
> that IE gets all the press is because it's everywhere and if I
> were a hacker, I wouldn't waste my time trying to beat a browser
> that has 7% of the market ... I'd go for the payoff.
IE gets the press because it's got more serious vulnerabilities and
because MS doesn't patch them.
Compare the history and current status of the two vulnerabilities
listed on the Secunia front page. The IE exploit was announced Aug.
25th. MS's workaround makes IE virtually unusable (by giving you
lots of pop-up security confirmations to click through). The Firefox
vulnerability was announced on Sept. 6th and the Mozilla foundation
has released a patch that changes your configuration. It takes away
a small piece of functionality that very few people ever use. You
don't even need the patch -- you can easily change the setting
yourself.
> Now, I'm talking out of my hat here, so don't be rough on me if
> you feel the need to correct my thinking. This is how it all
> seems to me, based on my experience with web pages and databases
> over the last 5 years or so. I could be wrong, but I'm entitled
> to my opinion as much as the next coder.
Well, you're writing articles that advise other people on how to do
things. Just because it's cool doesn't mean it's advisable.
I especially think it's unwise to introduce outside dependencies
when there are alternative methods for accomplishing the same tasks.
They might not be as slick, but if it makes your app more robust, I
can't see that there's a problem with that tradeoff.
--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
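Added example, not part of this thread or of either poster's ASP code: a minimal contact-form handler that applies the two defensive points raised above, validating the header-bound fields with anchored regular expressions (so a value carrying a CR/LF cannot become an extra mail header) and writing to the database with a parameterized query rather than string concatenation. The patterns, function names and the in-memory sqlite table are constructed for the example.

```python
import re
import sqlite3

# Constructed patterns for the fields that end up in mail headers.
# Neither class admits CR or LF, so a matching value cannot
# introduce a second header line (such as another "Bcc:").
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SUBJECT_RE = re.compile(r"[A-Za-z0-9 ,.'!?()-]{1,80}")


def validate_headers(sender: str, subject: str) -> list:
    """Return the names of fields that fail validation (empty list = safe)."""
    problems = []
    if not EMAIL_RE.fullmatch(sender):
        problems.append("sender")
    if not SUBJECT_RE.fullmatch(subject):
        problems.append("subject")
    return problems


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the site's back end (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (sender TEXT, subject TEXT, body TEXT)")
    return conn


def store_message(conn, sender, subject, body) -> None:
    """Bound parameters: the driver never interprets the values as SQL,
    so an apostrophe in the body is stored as data, not as a quote."""
    conn.execute("INSERT INTO messages VALUES (?, ?, ?)", (sender, subject, body))
    conn.commit()


def handle_submission(conn, sender, subject, body) -> str:
    """Validate the header fields first, then store. Returns 'ok' or
    'rejected: <fields>' so the caller can log what was refused."""
    problems = validate_headers(sender, subject)
    if problems:
        return "rejected: " + ", ".join(problems)
    store_message(conn, sender, subject, body)
    return "ok"


def stored_bodies(conn) -> list:
    """All stored message bodies, used to confirm nothing was mangled."""
    return [row[0] for row in conn.execute("SELECT body FROM messages")]
```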