Legal implications of security research

The Chilling Effect is quite interesting read (yes, the article is a few months old but I only discovered it now). It shows nicely how security research on web applications is different from research on software you install on your computer. It also shows why responsible disclosure of vulnerabilities is so rare in this field. I also find it very interesting how it explains that most software is of a low quality.

Java and Firefox memory usage

I have been using Sun’s old Java 1.5.0_06 runtime for quite a while, there simply wasn’t a good reason to waste time updating it. When investigating a Java-related crash I decided to check whether it will happen with a newer runtime (1.6.0-b105 was current at that time). Surprisingly, the crash disappeared even though this crash happened in Gecko code and not in the Java plugin.

But what I find more interesting is the change in Firefox’ memory usage I observe since that update. Previously Firefox would use 250 MB of memory after a few hours. It wouldn’t change much after that, only after a week or two the memory usage would climb to 350 MB. Now with a current Java version the usual numbers for Firefox are 150 MB reserved memory and below. After using it for over a week without restarting I still saw only 190 MB.

Usability vs. Security

Disclamer: This post is only about using NoScript as a security solution, not as a way to block annoyances.

It seems that me pointing out the fundamental flaw in NoScript only inspired another round of madness — that’s the only name I can find for it. Giorgio Maone has developed a solution that will effectively stop untrusted sites from injecting JavaScript through XSS holes in whitelisted sites. He is currently testing it with a development build and from what I can tell it mostly holds what it promises. Is that an achievement? Giorgio has obviously put much thought into this feature but I still have to say: no.

Encouraging innovation

I had to laugh out loudly on this one. The IEBlog announces the winners of the IE Add-ons Contest. Guess who won the Grand Prize? Apparently it is a great Internet Explorer add-on called “Inline Search”:

Inline Search provides a way to search for content on a webpage without bringing up the Find Dialog. It incorporates find as you type, highlights search terms and has several other really useful features!

Blacklists, whitelists, and security

I had a lengthy discussion with Giorgio Maone (author of the NoScript extension) about what is a security solution and what isn’t. Starting point was my statement that, while being excellent for getting rid of annoyances, neither Adblock Plus nor NoScript are really security solutions. Both have the potential, so why not?

Let’s look at the easier case first: Adblock Plus. Adblock Plus is structured as a blacklist, you usually specify the addresses that you don’t want to load. So if there is a security issue that can be solved by blocking a certain address you will have to add a filter for this address. Requiring an action for each single vulnerability discovered disqualifies Adblock Plus, a real security solution would need to block everything unless explicitly allowed. Right now only the extremely rare case of malware-infested ads would be blocked by default however.

Why “Save Page As HTML, complete” sucks

I read a forum question from an Opera user who was upset because Opera 9.10 now saves web pages “like IE and Firefox” – meaning saving them with all the included files. His problem was easily solved with a configuration change but it got me thinking. Generally this doesn’t seem to be such a bad idea, it allows you to open a saved web page and it will look exactly the same. So I tried to understand why this user was so upset and why I almost never use this feature myself. It seems there are three things.

Getting back to Oslo

I already left Darmstadt and I am on my way back to Oslo now. The unpleasant surprise is that Germanwings no longer flies to Oslo. I have no idea why they stopped serving this direction in the middle of the season — I couldn’t find it mentioned anywhere, there are just no more flights between Cologne and Oslo (the webpages of both airports confirm this so this isn’t a glitch in Germanwings’ database). That means that I will fly from Düsseldorf with Norwegian which is slightly less convenient. But at least I will spend a few more days in Cologne.

I have to be finished with my PhD in two months, so I guess I will be very busy now. Don’t expect to see much Adblock Plus progress during this time and I probably won’t look at the forum all too often. As usually, anything urgent is better sent with a mail directly to me. I cannot promise a fast reply but I will look at it.

Running a web server is dangerous

I guess some of you run a web server. Maybe you have noticed entries like this one in your logs:

"GET /forum/admin/admin_styles.php?phpbb_root_path=\r HTTP/1.1" 302 5 "-" "-"

What is this about? In this particular case somebody tried to use a security hole in an older phpBB version to execute PHP code loaded from another server. I had several hundreds of entries like this one in the last month, targeting vulnerabilities in all kinds of PHP scripts (most of which are not even installed here). The attackers tried to install backdoors, defacement tools or in one case a simple script to send all e-mail addresses from the local phpBB installation to its owner. The requests are usually done by other web servers, I guess those have the backdoor already installed (a botnet).

Speaking of IE security…

I recently linked to an article stating that users of Internet Explorer have been exposed to known critical vulnerabilities for 284 days last year. That sounds bad enough but unfortunately it is not all. For example I came across a vulnerability in Internet Explorer that has been ranked “Less critical” for reasons I don’t understand. What this does — it basically eliminates same-origin checks, any web site can read contents of another site. I put up an example that can check whether you are logged in on Google or Yahoo and read out your user name — provided that you use Internet Explorer. It could just as well read out your mail or change your mail password. It could also go into your banking account if you happen to be logged in. Information on this vulnerability has been published April last year and still unpatched in both Internet Explorer 6.0 and 7.0.