#1
[OT] - Mozilla launches free website security scanning service
I posted this in a couple of other groups then decided it might be of interest to folks in the Windows groups as well. It is a free, rather powerful tool.

Mozilla launches free website security scanning service
http://www.computerworld.com/article...g-service.html
#2
"Stormin' Norman" wrote

| I posted this in a couple of other groups then decided it might be of interest to folks in the Windows groups
| as well. It is a free, rather powerful tool.
|

Interesting idea, but it's hard to see how it can really be useful. Most webmasters won't use it because most webmasters don't know what their webpages are doing in the first place.

For instance, my site gets attacks daily that try to exploit WordPress bugs. WordPress itself is a problem. Thousands of sites. Maybe millions. But that won't change. The people who use WordPress do it because they want risky, dynamic features like backend SQL or shopping carts, without having to understand how to do it. Those people won't even update components because they simply have no idea of how it all works. The average website these days, with everything from shopping carts to comment boards, is created drag-drop style by someone who barely knows how to turn on their computer.

Big, corporate sites, on the other hand, don't need Mozilla to tell them how to keep up to date and secure. But will they? No. It limits functionality too much.

Some of the latest online attacks are through ads bought by malware authors, on sites like the NYT, allowing them to install malware via cross-site scripting. Maybe Mozilla can tell the site they're using unsafe cross-site scripting? Maybe. But so is everyone who uses jQuery, Google fonts, or who deals with middleman ad servers. That includes nearly all commercial websites. The NYT people have no idea what's going on. They've subbed out the ads to the likes of Google/Doubleclick and have no knowledge, even, of what domains are linking to any particular visitor through the NYT domain.

Maybe people could use Mozilla's tool themselves to assess the safety of the sites they visit? None of those sites are safe if they deal with ad servers, run 3rd-party script, or implement server-side functionality -- which is pretty much all of them.
Out of that mess, how could even a technically knowledgeable person assess the real risks? Even if they could, what good would it do to write to the NYT and ask them to please stop allowing ads on their site that they didn't actually sell themselves? It wouldn't do any good, because the NYT doesn't sell *any* ads themselves. Like most other sites, they deal with middlemen who handle everything. The tracking, spying and ads are mostly not NYT in the first place.

That situation is getting worse. You visit Site A and they want to run script. But then that script wants to run script from 3 external domains, to provide the shopping cart, the captcha and the credit card processing. But then those 3 all want to link to further domains. The owners of Site A are not set up to handle credit cards. So they contract with AcmeOnlineSales. AcmeOnlineSales contracts with MegaWebProcessing. MegaWebProcessing, in turn, deals with the actual bank operations. They're all pulling in their script, and likely all using jQuery or other 3rd-party scripts because they don't actually know how to script themselves. Likewise with the captcha.

Most commercial websites have become empty fronts that don't handle their own website functionality and in most cases don't even know that. At best they have a coder who copies and pastes clever JavaScript snippets from the Web, written by other people who don't really know how to script, but do know how to get snazzy special effects out of free script libraries.

It's a bit like the problem of sourcing your food. You might buy a chocolate cake from a reputable company. No palm kernel oil. No carrageenan. No canola oil. So far, so good. But what is the oil? Have you noticed that a lot of bakery products say something like "palm and/or cottonseed and/or safflower"? In other words, they used whatever oil "fell off a truck" that day. And what about the chocolate liquor?
Is that from an organic, Free-Trade farm run by idealistic hippies, or from a no-name warehouse in Kansas that buys the cheapest product wholesale and then resells it to producers? What about the butter? What about the flour? Fresh, high quality wheat flour or 15 months old, rancid and doused with Monsanto's carcinogenic RoundUp/glyphosate? What about the bakery? Staffed by happy, sane, well paid people, or angry teenagers who like to drop dead rats into the batter in an anonymous effort to take revenge on the world? (If you've never worked a low paying job in the food industry you have no idea how common that is. My first job was at McDonald's. All us kids used to love to watch the cook spit on the burger of anyone so inconsiderate as to ask for a special order hamburger.)

Mozilla's tool might tell me the cake is free of canola oil and hydrogenated fats. It probably can't begin to tell me whether the cake is healthy, fresh food. Nor can it do anything to improve the cake if the cake is not healthy.