[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iceweasel updates

On Tue 03 Nov 2015 at 02:57:47 +0100, Vincent Lefevre wrote:

> On 2015-11-02 22:53:03 +0000, Brian wrote:
> > An attacker must inject a payload into a web page that the user visits.
> > When the page loads in the user’s browser the attacker’s payload will
> > be executed. A user would likely have no knowledge of this, irrespective
> > of whatever browser or user-agent string is being used.
> > 
> > Without the payload (which the bank's site has delivered) the security
> > of the browser is not compromised. If a password were to be obtained the
> > bank is complicit in the action. I expect they would take responsibilty
> > for this.
> If the attack is due to a vulnerability in the user's browser and
> this browser is blocked by the bank because it is old and no longer
> maintained (thus may have known, unfixed vulnerabilities), the user
> would be fully responsible. Actually it is the responsibility of
> the user to update his software, but bypassing the bank's security
> mechanisms makes him even more responsible.

The contention is that overriding a bank security decision and altering
the user-agent string is unwise and not to be recommended.

Access to digital banking at RBS and Natwest in the UK is allowed only
when the string "Firefox" is found. Many years ago I used to add it
myself to what Iceweasel sent. Nowadays there is no need to do that
because "Firefox" has been added to the user-agent in the Iceweasel
package (bug #399633).

Who is now responsible for bypassing these banks security mechanisms?
Should a user remove "Firefox" from the user-agent to protect himself
and comply with the supported browser policy of the banks?

Reply to: