Re: Google open redirect

[Marsh Ray <marsh () extendedsubset com>]

On 12/08/2011 12:37 AM, Michal Zalewski wrote:
> For time being, if you make security decisions based on onmouseover
> tooltips, link text, or anything along these lines, and do not examine
> the address bar of the site you are ultimately interacting with, there
> is very little any particular web application can do to save you: you
> are just at a significant risk wherever you go. If you take away open
> redirectors, a myriad of other, comparable ways to fool you remain,
> and can't be fixed easily.

I think reasoning based on this is subtly fallacious and it often 
contributes to disagreements between researchers and large vendors. This 
is how we got into the state of the web today: bad faith on the part of 
browser vendors.

They may be in the minority, but there *are* users out there who know 
how to look at the address bar. The security researcher knows this 
because he is one of them. I call this group the "competent and 
contentious users".

Large vendors are constantly holding bad faith against their userbase. 
This may be borne out by large user studies, but I've lost count of the 
number of times I've heard actual security improvements shot down 
because "typical users" are presumed to be so incompetent and careless 
that they will fail to derive a significant benefit from it.

I maintain that design decisions affecting security must be driven by 
the needs of the competent and contentious user because if he cannot 
achieve effective security in using of the system, then what chance has 
the "typical user"?!

Avoiding security improvements because the are perceived as being of 
little benefit to type typical user is wrong. Doing so gains nothing for 
the typical users, it decreases the security available to competent and 
contientious users, and worst of all it actively removes any incentives 
for the "typical user" to begin to take responsibility for their own 
security.

I think when the "typical user" gets pwned with phishing or malware he 
thinks a combination of "stupid Microsoft", "the Internet is out to get 
me", and "what did I do wrong?". The vendor implicitly answers: "you did 
nothing wrong because this is all too complicated for you to understand, 
you should install this additional product to give you better security". 
Perhaps this made sense back when the Internet was a toy and the biggest 
security risk was a limited-liability credit card number, but today we 
have whole populations in places like Iran wondering if their ass is 
going to get tortured over something they said on social media.

I think a lot of typical users today are probably wanting to move into 
that other category and we should support them in that.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/