Web Browser Developers Work Together on Security
JRiddell writes "Security developers for the four major browsers recently met together to discuss Web security. The meeting, hosted by Konqueror's George Staikos, looked at future plans to combat the security risks posed by phishing, ageing encryption ciphers and inconsistent SSL Certificate practice. IE 7 is one of the first browsers to implement some of the ideas discussed, such as colour coding location bars and an anti-phishing database." From the article: "The first topic and the easiest to agree upon is the weakening state of current crypto standards. With the availability of botnets and massively distributed computing, current encryption standards are showing their age. Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already."
In case anyone's curious, here is a description of the problems with SSLv2, including some info about the newer v3 stuff.
Copied from here?
SteveM
http://wp.netscape.com/eng/ssl3/ssl-toc.html
"'Yrch!' said Legolas, falling into his own tongue."
SSL2 has some serious security defects, including the inability to detect man-in-the-middle attacks against its handshake. TLS is the replacement.
I don't think you understand the assurance a certificate gives you. You don't need to be worried about being tricked or DNS being compromised because that's exactly what a cert protects you against. Look for the following two things:
A. Is the domain name on the address bar the one you want? (example: citibank.com)
B. Did the page come up without any errors from the web browser?
If your DNS server was compromised, B will not be true. If you're taken to some site that may or may not have been issued a valid cert by Verisign, but is definitely NOT citibank.com, A will not be true.
If A and B are true, you have successfully connected to citibank.com over an encrypted channel, end of story. Whether you want to trust the company on the other end is totally up to you, but now you know for sure who you're dealing with.
Hands in my pocket
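The two checks in the comment above map onto what a TLS client actually does: check B is chain validation (the browser refuses the connection, or warns, if the certificate does not chain to a trusted root or has expired), and check A is confirming that the name the user typed is one of the names the certificate is bound to. The second step is the part people get wrong, so here is an added example, written for this thread and not taken from any browser's source, of the name-matching rule as browsers apply it to a certificate's subjectAltName dNSName entries. The SAN list and hostnames in main() are constructed for illustration; the matching rules (case-insensitive exact match, or a leading whole-label wildcard that may not stand for a public suffix) are stated as assumptions in the comments rather than quoted from a specification.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings.
   DNS names are case-insensitive, so "CitiBank.com" equals "citibank.com". */
static int ieq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Does one dNSName entry from a certificate's subjectAltName cover host?
   Rules assumed here (the usual browser behaviour):
   - exact match, case-insensitive; or
   - a pattern "*.rest" where '*' stands for exactly one non-empty DNS
     label, so "*.citibank.com" matches "www.citibank.com" but neither
     "citibank.com" nor "a.b.citibank.com";
   - a wildcard directly under a top-level label ("*.com") is rejected. */
int san_matches(const char *pattern, const char *host)
{
    if (pattern[0] != '*')
        return ieq(pattern, host);

    if (pattern[1] != '.')          /* only a leading whole-label "*." is accepted */
        return 0;
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                   /* "*.com" style wildcard: refuse */

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                   /* no label for the '*' to consume */
    return ieq(pattern + 1, dot);   /* compare ".rest" with the host's tail */
}

/* Check A from the comment: is the hostname the user typed covered by any
   dNSName in the certificate?  sans is the certificate's dNSName list. */
int cert_covers_host(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample SAN list; not copied from any real certificate. */
    const char *const sans[] = { "web.da-us.citibank.com", "*.citibank.com" };
    const char *hosts[] = { "web.da-us.citibank.com", "LOGIN.citibank.com",
                            "citibank.com", "citibank.com.evil.example",
                            "a.b.citibank.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-28s %s\n", hosts[i],
               cert_covers_host(sans, 2, hosts[i]) ? "covered" : "NOT covered");
    return 0;
}
```

Note what this check does and does not establish: it proves the name in the address bar is one the certificate is bound to, nothing more. Whether the issuing CA actually verified that the applicant controls that name is a property of the CA's practice, which the client cannot test at connection time.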
Ideas such as colour coding location bars and an anti-phishing database.
Do they mean like in the Netcraft anti-phishing toolbar?
My Karma: ran over your Dogma
StrawberryFrog
Just blindly replacing strcpy() with strncpy() is bad. strncpy() will not necessarily null terminate the target, which of course means that you won't necessarily have a string. If you do use strncpy(), make absolutely certain that one way or another you terminate the string. It might be better to steal strlcpy() and strlcat() from OpenBSD and use them in your project.
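The point in the comment above is easy to demonstrate. The following is an added example, not code from the original post: it shows strncpy() leaving the destination unterminated when the source is at least as long as the buffer, and beside it a local reimplementation of the OpenBSD strlcpy()/strlcat() semantics (named xstrlcpy/xstrlcat here so they do not collide with a libc that already ships them). The helper names, the 8-byte buffer and the sample strings are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of s, but never scanning past maxlen bytes (a local strnlen, so the
   example does not depend on POSIX extensions). */
static size_t bounded_len(const char *s, size_t maxlen)
{
    size_t i = 0;
    while (i < maxlen && s[i] != '\0')
        i++;
    return i;
}

/* The defect the comment describes: strncpy() copies at most dstsize bytes
   and adds no terminator when strlen(src) >= dstsize.  The buffer is poisoned
   first so a missing NUL is visible.  Returns 1 if dst ends up terminated
   within dstsize, 0 otherwise. */
int strncpy_terminated(const char *src, char *dst, size_t dstsize)
{
    memset(dst, 'X', dstsize);
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) != NULL;
}

/* OpenBSD-style strlcpy: always NUL-terminates when dstsize > 0 and returns
   strlen(src), so truncation is detectable as (return value >= dstsize). */
size_t xstrlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* OpenBSD-style strlcat: appends src to dst within dstsize, always terminating,
   and returns the length the full result would have had. */
size_t xstrlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dstlen = bounded_len(dst, dstsize);
    if (dstlen == dstsize)      /* dst is not a string within dstsize: cannot append */
        return dstsize + strlen(src);
    return dstlen + xstrlcpy(dst + dstlen, src, dstsize - dstlen);
}

int main(void)
{
    char buf[8];   /* deliberately too small for "citibank.com" (12 chars) */

    printf("strncpy of long source terminated? %d\n",
           strncpy_terminated("citibank.com", buf, sizeof buf));   /* 0 */
    printf("strncpy of short source terminated? %d\n",
           strncpy_terminated("citi", buf, sizeof buf));           /* 1 */

    size_t need = xstrlcpy(buf, "citibank.com", sizeof buf);
    printf("xstrlcpy -> \"%s\", needed %zu, truncated=%d\n",
           buf, need, need >= sizeof buf);

    xstrlcpy(buf, "citi", sizeof buf);
    need = xstrlcat(buf, ".com", sizeof buf);
    printf("xstrlcat -> \"%s\", needed %zu, truncated=%d\n",
           buf, need, need >= sizeof buf);
    return 0;
}
```

The usable discipline is the return value: after xstrlcpy/xstrlcat, compare it against the buffer size and treat a result of at least dstsize as an error, rather than silently continuing with a truncated string.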
There are four major rendering engines. Trident (Internet Explorer on Windows), Gecko (Mozilla, Firefox, etc), Presto (Opera), and KHTML (Konqueror, Safari, Omniweb, etc).
Konqueror is important because it's the original branch of the KHTML rendering engine, used in a number of browsers, throughout KDE, and sitting on the desktops of millions of Apple users as part of Safari.
So while it's slightly inaccurate to say that Konqueror is one of the four major web browsers, what was meant, and what is actual fact, is that Konqueror's rendering engine is one of the four major rendering engines.
Bogtha Bogtha Bogtha
If A and B are true, you have successfully connected to citibank.com over an encrypted channel, end of story.
Not quite. If A and B are true, you have successfully connected to a computer claiming to be citibank's website at citibank.com using a certificate issued by someone to "prove" it. Of course, https://web.da-us.citibank.com/ (the site I get when I hit login) has a certificate issued by VeriSign, and we know how well they verify the identity of people requesting certificates.
http://www.yafla.com/dforbes/2005/11/22.html#a191
(I saw that on Digg, btw, but of course it quickly cycled off the page while the groupthink herds were busy pushing up every lame story about the FireFox religion)