Re: Firekeeper - IDS for Firefox available

[Bob Beck <beck () bofh cns ualberta ca>]

> Isn't it the case with every software created to add some protection
> to you computer? Firewalls, antiviruses, IDSes etc. are all adding
> code to your operating system that may, in the future, be found
> vulnerable to some attack. It is just the question whether protection
> they provide compensates additional threat they may introduce.

        Yes, protection can mean added code, but consider the kind of code
and where it is running. Typically I run an IDS such as snort on a tap
interface with no access to send anything out.  in particular, it's
not looking at endpoint traffic after it's decrypted. Why? IDS's are
big complicated things that to lots of string a byte comparisons
against data provided by an attacker, the kind of code that is easy
for the author to make mistakes in that lead to compromisable
situations. 

        So if snort is compromised, all the attacker typically gets without
more work is the ablility to sniff, not the ablility to look at
encrypted traffic in the clear, and ideally not the ability to send
traffic out.  

        Other programs (i.e. ssh) deal with complexity like this by
attempting to isolate the privileges that the code doing most of the
string bashing is running as - i.e. a privsep model, so if you break a
piece of it (at least in most of the code) you *Don't* see encrypted
traffic or passwords 

        If this critter is compromised, he likely gets the entire
endpoint machine, or if not, he most likely for sure gets
the ability to read decrypted https streams. - Fix the browser bugs
rather than having another plugin to look for them.

        -Bob