Importance of browser security (was: On Mozilla-* updates)
Stefano Salvi wrote:
I prefer to have no X on the server and administer it from command
line or Web interfaces (command line is better).
Let's say
1. You use Mozilla from sarge
2. Somebody cracks you through known holes in that old Mozilla,
either a mass exploit or an enemy of yours specifically targeting
you. Which is probably the easiest way to attack you, through all
firewalls. So much for browser/email security.
3. He controls your desktop
4. He downloads all your local mail and photos/images, including your
confidential company mail, private mail and nude photos of your
girlfriend. He posts it on the Internet, your company's billboard,
and your supermarket's billboard.
5. He also installs a keyboard sniffer and downloads your private SSH
keys.
6. He logs into all servers and other computers that you have access
to. Including those desktops of your friends, which you remotely
administer or use the password that they use for your server.
And the attacker goes on from there. So much for desktop/server
security.
7. One of your friends did things which are strictly legal, but your
boss didn't like it at all, and fired him. Another one happened to
be a dissident and gets in jail or maybe shot. So much for
efficiency (this has nothing to do with efficiency).
8. Because all this costs some time, the attacker needs to live, too.
He drafts your bank accounts and those of your friends as a fair
compensation. The Half Life 2 source code indeed got stolen via
desktop compromise, too. But all that is insignificant in
comparison to your dead friend.
That's what's at stake here.
I don't care if a Mozilla security update breaks some badly written
extensions. And if it breaks Galeon's print function, so be it, you can
still use Mozilla in this rare case. But there's *no* recovery from a
bad break-in.