Posts by Ariel

4 publicly visible posts • joined 4 Jun 2007

New cracks in Google mail

Ariel

HTTPS has nothing to do with this CSRF vulnerability!

Guys, I keep reading about http vs https here.

That's completely off-topic.

While it's all good and mandatory to use https for anything sensitive, like accessing your webmail, this GMail exploit uses CSRF, which works just fine over https.

An in-depth explanation of how it works, what should be done on the server side to fix it and what users can do to protect themselves is given in this article: http://hackademix.net/2007/09/26/gmail_csrf/

Java and Flash fixes tax system security

Ariel

Firefox + NoScript

And from now on, use Firefox + NoScript.

From http://noscript.net:

"This free, open source add-on allows JavaScript and Java execution only for trusted domains of your choice (e.g. your home-banking web site). NoScript optionally blocks Flash and other potentially exploitable plugins too, and provides the most powerful Anti-XSS protection available in a browser."

Flaws galore in IE and Firefox

Ariel

hmm, just Another Job for NoScript?

Preventing these and many other yet unknown exploits is just as easy as installing the NoScript Firefox extension.

Letting JavaScript run on every page you visit, intentionally or not, is just dumb.

Security is all about giving away the minimum privileges to do the work, and never, NEVER to strangers.

NoScript just brings the abc of security in the browser.

Google security vulnerabilities stack up

Ariel

NoScript Anti-XSS

From http://noscript.net/features#xss :

"While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, users can finally do something to protect themselves:

NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess."

This GMail XSS flaw is just the tip of an iceberg, check http://xssed.org/pagerank