Full Disclosure mailing list archives
Re: Google open redirect
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sat, 10 Dec 2011 13:20:31 +0100
Marsh Ray <marsh () extendedsubset com> wrote:
> On 12/08/2011 12:37 AM, Michal Zalewski wrote:
>> For time being, if you make security decisions based on onmouseover tooltips, link text, or anything along these lines, and do not examine the address bar of the site you are ultimately interacting with, there is very little any particular web application can do to save you: you are just at a significant risk wherever you go. If you take away open redirectors, a myriad of other, comparable ways to fool you remain, and can't be fixed easily.
>
> I think reasoning based on this is subtly fallacious and it often contributes to disagreements between researchers and large vendors. This is how we got into the state of the web today: bad faith on the part of browser vendors.
>
> [...]
>
> Avoiding security improvements because they are perceived as being of little benefit to the typical user is wrong. Doing so gains nothing for the typical users, it decreases the security available to competent and conscientious users, and worst of all it actively removes any incentives for the "typical user" to begin to take responsibility for their own security.
I'm not sure I understand whether you're saying that vendors need to make users' expectations match reality, or if users need to learn how to make security decisions properly. I think it's a believable claim that a large number of users have (incorrectly) decided that they can make security decisions using the status text or the appearance of a URL anywhere other than the address bar. I would be in favour of making that expectation match reality, but it's simply technically infeasible due to a number of fundamental computer science problems. The reality is that pleading with everyone in the world to stop using redirection wouldn't solve the problem, and (in my opinion) is much harder than trying to find these users and educating them about how to achieve the desired effect correctly.

Trying to call "open redirection" a vulnerability strikes me as hilarious.

"An attacker that can make a user visit an arbitrary URL can make a user visit an arbitrary URL"

Well, there's no vulnerability there, so let's revise it.

"An attacker that can make a user visit a URL from a domain they trust can make a user visit a URL from a domain they don't trust"

Okay, but there's no way to determine if a URL is trusted or not unless you read it from the address bar. HTTP redirection doesn't do this, as the address bar is correctly updated, so let's revise again.

"An attacker that can make a user who doesn't know how to determine if a URL is trusted or not visit an arbitrary URL, can convince a user to trust an arbitrary URL."

Well obviously :-) But now if we successfully convince every developer on the planet to stop using HTTP redirection, that doesn't change that the user doesn't know how to determine if the URL is trusted or not, so we just use one of dozens of other simple tricks. Surely the correct solution is to educate those users who are doing it incorrectly.

Tavis.
--
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
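The mechanism the whole thread argues about, as an added illustration that is not part of the original message and is not Google's code: a redirector that copies a query parameter into the Location header, the same-origin check a developer who does want to close it would add, and the point Tavis makes about the address bar (the browser shows the resolved Location after the 30x, not the link the user clicked). The hostnames www.example.com and attacker.example, the ?continue= parameter name and all function names are assumptions made for the example.

```python
"""Constructed illustration of an "open redirector" and the address-bar
behaviour discussed in the thread.  Hostnames, the ?continue= parameter
and the handler names are assumptions, not code from Google or from
anyone posting here."""
from urllib.parse import quote, urljoin, urlparse

TRUSTED_ORIGIN = "https://www.example.com"          # assumed trusted site
ATTACKER_URL = "https://attacker.example/login"     # assumed phishing page


def open_redirect_location(continue_param: str) -> str:
    """The redirector as deployed: the ?continue= value goes straight into
    the Location header, so any URL is reachable via the trusted domain."""
    return continue_param


def same_origin_redirect_location(continue_param: str) -> str:
    """The check a developer who wants to close the redirector would add:
    only a single-slash relative path on the same origin is honoured,
    anything else falls back to "/".

    Rejected: absolute URLs (https://host), protocol-relative //host,
    backslash variants (/\\host, which browsers normalise to //host),
    non-http schemes (javascript:) and scheme-only forms (https:host)."""
    target = continue_param.strip()   # leading blanks can hide a scheme
    if "\\" in target:
        return "/"
    if not target.startswith("/") or target.startswith("//"):
        return "/"
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return "/"
    return target


def address_bar_after_redirect(clicked_url: str, location_header: str) -> str:
    """What the browser shows once the 30x is followed: the Location header
    resolved against the URL that was requested, not the link text or the
    status-bar tooltip the user looked at before clicking."""
    return urljoin(clicked_url, location_header)


def demo() -> dict:
    """Walk one click through both handlers and return what the user saw
    before clicking versus what the address bar shows afterwards."""
    clicked = f"{TRUSTED_ORIGIN}/login?continue={quote(ATTACKER_URL, safe='')}"
    return {
        "link_user_hovered_over": clicked,
        "open_redirector_address_bar": address_bar_after_redirect(
            clicked, open_redirect_location(ATTACKER_URL)),
        "same_origin_address_bar": address_bar_after_redirect(
            clicked, same_origin_redirect_location(ATTACKER_URL)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the asymmetry Tavis describes: the hovered link names the trusted domain in both cases, but after the redirect the address bar reads attacker.example for the open redirector and stays on www.example.com once the same-origin check is in place. The check deliberately refuses anything that is not a single-slash path because the bypasses (protocol-relative, backslash, leading whitespace, bare scheme) all start by looking like a path.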