
Re: regarding firewall discussion



On 2022-06-01 18:26, Joe wrote:
> On Tue, 31 May 2022 03:17:52 +0100
> mick crane <mick.crane@gmail.com> wrote:
>
>> regarding firewall discussion I'm uncertain how firewalls are
>> supposed to work.
>> I think the idea is that nothing is accepted unless it is in response
>> to a request.
>> What's to stop some spurious instructions being sent in response to
>> genuine request?
>
>
> Nothing really, but the reply can only come from the site you made the
> request to.
>
> Don't connect to untrustworthy sites.
>
> It is of course possible for a legitimate site to get hacked and some
> malware embedded in its pages or linked from them, but that will
> normally require JavaScript to run, and many people run browsers with JS
> disabled. It's quite rare for a professionally-run site to get defaced,
> as the terminology has it, but there's no way I would run a
> public-facing website, as I don't know enough to secure it (and I know
> that I don't know enough).
>
> There are other defences: use a proxy server which blocks anything
> suspicious, and so on. We're into application-level firewalls here,
> that actually parse the returned packets, beyond the scope of iptables
> and the like.
>
> Browsers usually have a number of configurations concerning third-party
> content, as well as plugins such as NoScript for Firefox. But a
> blanket ban on JS will result in many (most?) websites today not
> working. I despair of the 'web designers' who cannot display a single
> character on a user's browser without using JS.

I have pfSense between me and the big bad world, and I got some OINK code, which I think is a community-based Snort list of undesirable addresses. It is described as "Legacy", so I don't know if there is something newer I should be doing.

mick
--
Key ID    4BFEBB31
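The stateful-firewall behaviour Joe describes above (outbound requests are remembered, inbound packets are accepted only when they match a remembered request, everything else is dropped) can be modelled in a few lines. The following is an added illustration and not code from the thread; the addresses, ports and packets are constructed sample data, and the `StatefulFirewall` class and its `local_net_prefix` argument are this example's own names, not those of any real firewall.

```python
"""Toy model of a connection-tracking ("stateful") firewall.

Added example, not code from the original thread. It shows why an inbound
packet is only let through if it is the reply to a request the local side
made: the firewall keys its tracking table on the outbound 5-tuple and
accepts inbound traffic only when the reversed 5-tuple is present, so the
"reply" must come from the exact host and port that was contacted.
All addresses below are constructed sample values.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    sport: int   # source port
    dst: str     # destination IP address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


class StatefulFirewall:
    """Default-deny firewall with a connection-tracking table.

    local_net_prefix (assumed argument for this model) is the string
    prefix of the protected network, e.g. "192.168.1.".
    """

    def __init__(self, local_net_prefix: str):
        self.local_prefix = local_net_prefix
        self.conntrack = set()   # remembered outbound flows (5-tuples)
        self.log = []            # (packet, verdict) pairs, for inspection

    def _is_local(self, ip: str) -> bool:
        return ip.startswith(self.local_prefix)

    def filter(self, pkt: Packet) -> str:
        """Return the verdict for one packet and record it in the log."""
        if self._is_local(pkt.src) and not self._is_local(pkt.dst):
            # Outbound: allow, and remember the flow so the reply can return.
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            verdict = "ACCEPT (outbound)"
        elif not self._is_local(pkt.src) and self._is_local(pkt.dst):
            # Inbound: accepted only if it mirrors a remembered outbound flow.
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            verdict = "ACCEPT (established)" if reverse in self.conntrack \
                else "DROP (unsolicited)"
        else:
            # Neither direction crosses the firewall boundary: not forwarded.
            verdict = "DROP (not forwarded)"
        self.log.append((pkt, verdict))
        return verdict


def run_sample() -> list:
    """Run four constructed packets through the model and return the verdicts."""
    fw = StatefulFirewall("192.168.1.")
    request = Packet("192.168.1.10", 51234, "203.0.113.5", 443, "tcp")
    # Genuine reply: same host and port the request went to, ports reversed.
    reply = Packet("203.0.113.5", 443, "192.168.1.10", 51234, "tcp")
    # A packet that pretends to be the reply but comes from a different host.
    wrong_host_reply = Packet("198.51.100.7", 443, "192.168.1.10", 51234, "tcp")
    # An inbound connection attempt nobody asked for.
    probe = Packet("198.51.100.7", 40000, "192.168.1.10", 22, "tcp")
    return [fw.filter(p) for p in (request, reply, wrong_host_reply, probe)]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

This is the behaviour that `ct state established,related accept` in nftables, or `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` in iptables, provides when combined with a default drop policy on inbound traffic; real connection tracking additionally checks TCP flags and sequence numbers and expires idle entries. The model also makes Joe's other point concrete: it says nothing about *what* the legitimate host sends back, which is why content inspection needs a proxy or application-level filter rather than a packet filter.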

