Image via Wikipedia
It all starts to sound like an AIDS awareness commercial from the '90s—when you browse on one website's server, you're browsing on every server that has been in contact with. And indeed is the result. A hacker can hack one website and spray malicious code all over the Internet, compromising millions of PCs with one attack.
While Firefox's NoScript extension includes protection against XSS attacks, it has plenty of problems of its own. For one thing, it has trouble telling bad third-party Javascript from good. Every time I click on the New Post link on my own blog, NoScript asks me to confirm because it thinks that it might be an XSS attack. Furthermore, the author of NoScript has been accused of whitelisting ad servers which place ads on the NoScript website and breaking extensions which try to block them anyway. While the author of NoScript has apologized for this behavior, it points to a potential problem with attempts to fight XSS attacks.
Mozilla's new policy also involves whitelisting known safe websites and probably holds the same potential for conflict of interest. But with the web becoming more interconnected all the time and with the rise of social networking, servers are swapping code all the time now and a system like the one which Mozilla is planning to implement will be necessary to stop malicious hackers using XSS to attack PCs.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=b03ec25a-25ea-48d3-ab72-d159b300c443)
No comments:
Post a Comment