[cap-talk] least authority - why flames
Sam Mason
sam at samason.me.uk
Tue Jan 23 10:09:37 CST 2007
On Tue, Jan 23, 2007 at 04:15:36PM +0100, Pierre THIERRY wrote:
> Scribit David Wagner dies 22/01/2007 hora 13:18:
> > The Firefox example is a terrible one for POLA, because Internet
> > browsers are used to do far too many tasks. I suspect Internet browsers
> > come close to being about the hardest example one could choose, in
> > terms of POLA.
>
> Indeed, a Web browser would only be fully working if it has authority to
> create TCP connections to any host and to any port. But it has very
> limited needs as far as read/write access to local disk is concerned.
>
> Even for such a challenging application, there could be interesting
> techniques to restrict its authority in a more fine-grained yet user
> friendly way.
>
> Users could declare their level of paranoia. At a high level, the user could
> be asked to point at the address bar of their browser, and the system
> could monitor that text field and maybe incoming HTML data to know where
> the browser should reasonably get connections established (if the URL
> typed is http://192.168.1.1:8080/, it's reasonable to only add this
> address/port pair to a whitelist).
Sounds like you've just replaced one problem with another (harder?)
problem. How do you know when to remove an address from this white-list?
Can white-listed sites access other white-listed sites' content? What
if the page tries to get an image from http://192.168.1.1:25/ (which
happens to fail!), and a script in the page then connects to that site and
starts sending spam to it?
I think the main problem is that current web browsers have lots
of bits that could reasonably be broken out into several separate
processes, some being trusted more than others, i.e. the HTTP client,
the HTML renderer, the user interface. Things like Flash should fit in
reasonably easily, but things like scripting languages would be fun!
Sam
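A toy model of the address-bar-driven whitelist under discussion, added here as an illustration and not code from either poster or from any browser. It replays the scenario in the reply above (a typed http://192.168.1.1:8080/ page that references an image on port 25, followed by a script connecting to that port) against two variants of the policy: one that learns (host, port) pairs from incoming HTML and never forgets them, and one that only learns from what the user typed, scopes entries to a tab so they can be revoked when the tab closes, and refuses a small set of ports a browser has no business reaching. The class names, the per-tab scoping and the BLOCKED_PORTS set are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: ports that a whitelist built from page content should never
# admit, whatever the page references. The set is illustrative only.
BLOCKED_PORTS = {25, 110, 143, 465, 587}


def origin_of(url):
    """Reduce a URL to the (host, port) pair the whitelist would store."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname, port)


class ConnectionPolicy:
    """Hypothetical whitelist policy; the two flags select naive vs. scoped behaviour."""

    def __init__(self, learn_from_content, block_ports):
        self.learn_from_content = learn_from_content  # admit pairs seen in HTML?
        self.block_ports = block_ports                # refuse BLOCKED_PORTS?
        self.allowed = {}                             # tab_id -> set of (host, port)

    def _admit(self, tab_id, pair):
        if self.block_ports and pair[1] in BLOCKED_PORTS:
            return False
        self.allowed.setdefault(tab_id, set()).add(pair)
        return True

    def user_typed(self, tab_id, url):
        """The user entered this URL in the address bar of tab_id."""
        return self._admit(tab_id, origin_of(url))

    def page_referenced(self, tab_id, url):
        """A URL appeared in incoming HTML (img src, script src, ...)."""
        if not self.learn_from_content:
            return False
        return self._admit(tab_id, origin_of(url))

    def tab_closed(self, tab_id):
        """Answer to 'when do we remove an address': when its tab goes away."""
        self.allowed.pop(tab_id, None)

    def may_connect(self, tab_id, url):
        """Would the HTTP client be allowed to open this connection for tab_id?"""
        pair = origin_of(url)
        if self.block_ports and pair[1] in BLOCKED_PORTS:
            return False
        return pair in self.allowed.get(tab_id, set())


def run_scenario(policy):
    """Replay the port-25 scenario; return True if the script's connection is allowed."""
    policy.user_typed("tab1", "http://192.168.1.1:8080/")
    policy.page_referenced("tab1", "http://192.168.1.1:25/logo.png")  # constructed
    return policy.may_connect("tab1", "http://192.168.1.1:25/")


if __name__ == "__main__":
    naive = ConnectionPolicy(learn_from_content=True, block_ports=False)
    scoped = ConnectionPolicy(learn_from_content=False, block_ports=True)
    print("naive policy lets the script reach port 25:", run_scenario(naive))
    print("scoped policy lets the script reach port 25:", run_scenario(scoped))
```

With the naive flags the whitelist grows from page content and the later script connection to port 25 is allowed; with the scoped flags it is refused both because page content never adds entries and because port 25 is blocked outright, and closing the tab drops its entries so the question of when to remove an address has a concrete answer in the model.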