
[OT] - Mozilla launches free website security scanning service



 
 
  #1  
Old August 29th 16, 01:27 AM posted to Alt.comp.os.window-10,alt.windows7.general
Stormin' Norman
external usenet poster
 
Posts: 1,877

I posted this in a couple of other groups then decided it might be of interest to folks in the Windows groups
as well. It is a free, rather powerful tool.


Mozilla launches free website security scanning service

http://www.computerworld.com/article...g-service.html

  #2  
Old August 31st 16, 07:14 PM posted to alt.comp.os.windows-10,alt.windows7.general
Mayayana
external usenet poster
 
Posts: 6,438

"Stormin' Norman" wrote

| I posted this in a couple of other groups then decided it might be of
| interest to folks in the Windows groups
| as well. It is a free, rather powerful tool.
|

Interesting idea, but it's hard to see how it can
really be useful. Most webmasters won't use it
because most webmasters don't know what their
webpages are doing in the first place. For instance,
my site gets attacks daily that try to exploit
WordPress bugs. WordPress itself is a problem.
Thousands of sites. Maybe millions. But
that won't change. The people who use WordPress
do it because they want risky, dynamic features like
backend SQL or shopping carts, without having to
understand how to do it. Those people won't even
update components because they simply have no
idea of how it all works. The average website these
days, with everything from shopping carts to comment
boards, is created drag-drop style by someone who
barely knows how to turn on their computer.

Big, corporate sites, on the other hand, don't need
Mozilla to tell them how to keep up to date and secure.
But will they? No. It limits functionality too much. Some
of the latest online attacks are through ads bought by
malware authors, on sites like the NYT, allowing them
to install malware via cross-site scripting. Maybe
Mozilla can tell the site they're using unsafe cross-site
scripting? Maybe. But so is everyone who uses jQuery,
Google fonts, or who deals with middleman ad servers.
That includes nearly all commercial websites. The NYT
people have no idea what's going on. They've subbed
out the ads to the likes of Google/Doubleclick and have no
knowledge, even, of what domains are linking to any
particular visitor through the NYT domain.

Maybe people could use Mozilla's tool themselves to
assess the safety of the sites they visit? None of those
sites are safe if they deal with ad servers, run 3rd-party
script, or implement server-side functionality -- which is
pretty much all of them. Out of that mess, how could even
a technically knowledgeable person assess the real
risks? Even if they could, what good would it do to
write to the NYT and ask them to please stop allowing
ads on their site that they didn't actually sell themselves?
It wouldn't do any good, because the NYT doesn't sell
*any* ads themselves. Like most other sites, they deal
with middlemen who handle everything. The tracking, spying
and ads are mostly not NYT in the first place.

That situation is getting worse. You visit Site A and
they want to run script. But then that script wants to run
script from 3 external domains, to provide the shopping cart,
the captcha and the credit card processing. But then those
3 all want to link to further domains. The owners of Site A
are not set up to handle credit cards. So they contract with
AcmeOnlineSales. AcmeOnlineSales contracts with
MegaWebProcessing. MegaWebProcessing, in turn, deals
with the actual bank operations. They're all pulling in their
script, and likely all using jQuery or other 3rd-party scripts
because they don't actually know how to script themselves.
Likewise with the captcha. Most commercial websites have
become empty fronts that don't handle their own website
functionality and in most cases don't even know that. At best
they have a coder who copies and pastes clever javascript
snippets from the Web, written by other people who don't really
know how to script, but do know how to get snazzy special
effects out of free script libraries.

It's a bit like the problem of sourcing your food. You might
buy a chocolate cake from a reputable company. No palm
kernel oil. No carrageenan. No canola oil. So far, so good.
But what is the oil? Have you noticed that a lot of bakery
products say something like "palm and/or cottonseed and/or
safflower"? In other words, they used whatever oil "fell off a
truck" that day. And what about the chocolate liquor? Is that
from an organic, Free-Trade farm run by idealistic hippies, or from
a no-name warehouse in Kansas that buys the cheapest product
wholesale and then resells it to producers? What about the
butter? What about the flour? Fresh, high quality wheat flour
or 15 months old, rancid and doused with Monsanto's carcinogenic
RoundUp/glyphosate? What about the bakery? Staffed by happy,
sane, well paid people, or angry teenagers who like to drop dead
rats into the batter in an anonymous effort to take revenge on
the world? (If you've never worked a low paying job in the food
industry you have no idea how common that is. My first
job was at McDonald's. All us kids used to love to watch the
cook spit on the burger of anyone so inconsiderate as to ask
for a special order hamburger.)
Mozilla's tool might tell me the cake is free of canola oil and
hydrogenated fats. It probably can't begin to tell me whether
the cake is healthy, fresh food. Nor can it do anything to
improve the cake if the cake is not healthy.
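
An added example, not part of either post and not the scanning service's code: a static inventory of the third-party script hosts a page pulls in directly, noting which loads are pinned with a Subresource Integrity hash. The page URL, HTML and host names are constructed, and the check sees only the first hop; scripts that those scripts load at run time do not appear in the page source.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptInventory(HTMLParser):
    """Collect every <script src=...> and whether it carries an SRI hash."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []  # (absolute_url, has_integrity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            url = urljoin(self.page_url, attrs["src"])
            self.scripts.append((url, bool(attrs.get("integrity"))))

def third_party_scripts(page_url, html):
    """Map each foreign host to the scripts the page loads from it.
    Exact host match only: subdomains of the site count as foreign."""
    own_host = urlsplit(page_url).hostname
    inventory = ScriptInventory(page_url)
    inventory.feed(html)
    by_host = {}
    for url, pinned in inventory.scripts:
        host = urlsplit(url).hostname
        if host and host != own_host:
            by_host.setdefault(host, []).append((url, pinned))
    return by_host

def unpinned_hosts(page_url, html):
    """Hosts serving at least one script loaded without an integrity hash."""
    found = third_party_scripts(page_url, html)
    return sorted(h for h, items in found.items()
                  if any(not pinned for _, pinned in items))

# Constructed sample page; every host name and the hash value are made up.
SAMPLE_URL = "https://site-a.example/checkout"
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/jquery.min.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="//cart.acmeonlinesales.example/cart.js"></script>
<script src="https://captcha.example.org/api.js" async></script>
<script>console.log("inline code has no src and is skipped");</script>
"""

if __name__ == "__main__":
    for host, items in sorted(third_party_scripts(SAMPLE_URL, SAMPLE_HTML).items()):
        for url, pinned in items:
            print(f"{host:32} {'SRI' if pinned else 'no SRI':7} {url}")
```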


 



