Re: Importance of browser security (was: On Mozilla-* updates)
Am Dienstag, 2. August 2005 10:57 schrieb Ben Bucksch:
> Stefano Salvi wrote:
> > I prefer to have no X on the server and administer it from command
> > line or Web interfaces (command line is better).
> Let's say
> 1. You use Mozilla from sarge
> 2. Somebody cracks you through known holes in that old Mozilla,
> either a mass exploit or an enemy of you specifically targetting
> you. Which is probably the easiest way to attack you, through all
> firewalls. So much for browser/email security.
> 3. He controls your desktop
> 4. He downloads all your local mail and photos/images, including your
> confidental company mail, private mail and nude photos of your
> girlfriend. He posts it on the Internet, your company's billboard,
> and your supermarket's billboard.
Eh - no.
Linux allows you to start two different XServers on two different screens (or
on the same) with two different user-id's on two virtually or physically
seperated Systems. As you can see, only fools make this mistake.
> 5. He also installs a keyboard sniffer and downloads your private SSH
Rubbish - if seperated correctly.
> 6. He logs into all servers and other computers that you have access
> to. Including those desktops of your friends, which you remote
> administrate or use the password that they use for your server.
> And the attacker goes on from there. So much for desktop/server
You are describing the general results of trojan attacks - but to be honest -
if it's getting personal, there are other ways to comprise machines. I've
done some test: Who on my instant messaging list will execute a signed
Java-Applet without asking me for further information.
No one asked my what this applet was doing. Everyone got his c:\test.txt
saying "This was foolish" (Or /home/usr/C:\test.txt).
But in order to make this a server issue, you have to be foolish.