Bugtraq mailing list archives
Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Wed, 11 Feb 2004 04:03:29 -0500 (EST)
That's not good enough. Sooner or later, the software industry is going to have to change and declare that "no warranty" software should be confined to isolated systems.
It is not the software industry's place to decide that; that is for software consumers to decide...or not.
Tell me, can you connect any random piece of hardware to your phone line, legally ?
I think so. Unless you consider telco tariffs "law", and possibly even then. (Of course, this will vary with jurisdiction.) At most, I may be liable for damages caused - but it's hard to hurt even the CO end of a POTS line; this is a system designed in the expectation of lightning strikes. Disrupting the phone system as a whole is even harder.
Why should you just be able to connect any random piece of hardware to the Internet ?
The Internet is an agglomeration of private networks. The phone system isn't, or at least isn't in the same sense. This is the whole common-carrier argument over again. If you think the net is going to turn into a common carrier, fine, that may be a defensible point of view, but you shouldn't argue from analogy that assumes it without making that assumption explicit.
Tell me, if that is put on the platter as being the cost of defeating worms that otherwise flood the Internet, can't you see most people being willing to sacrifice it ?
Yes, initially; I expect them to discover otherwise after they find out the consequences (and discovering also how hard it is to roll back such a change). I also fully expect that if "the Internet" is bludgeoned into common-carrier status, private - ie, unregulated - lines will promptly spring up in parallel with it (you _definitely_ can connect any old thing to a phone line, when it's a privately owned phone system (whose owner okays), rather than a common-carrier telco line)...and the common-carrier Internet will wither as the new, private-line, neo-Internet evolves back into more or less what we have.
And that of course begs the question, why should the rest of the world be expected to trust you ?
My record, of course, same as anyone else "the rest of the world" is "expected to trust".
That's meaningless and valueless if your software comes with a disclaimer that provides no warranty or guarantee.
I don't expect software to routinely come with warranty/guarantee in my lifetime or yours. If some government tries to mandate it, I believe that all that will happen is that software industry in the affected jurisdiction will wither and die. The state of the art is not yet to the point where such a thing is feasible, and I'm not convinced it _ever_ will be, much less anytime soon.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B