Site Security Policy – Mitigating Drive-by-Downloads

Brandon Sterne from Mozilla has been working on a way to solve the security threats caused by the requirement of clients to upload dynamic content to web servers. These threats manifest themselves in the form of XSS and CSRF attacks. Brandon’s ideas are being formulated into a specification called Site Security Policy which you can read about here:-

http://people.mozilla.com/~bsterne/site-security-policy/details.html

There is further discussion on the topic over at Jeremiah Grossman’s blog which can be found here:-

http://jeremiahgrossman.blogspot.com/2008/06/site-security-policy-open-for-comments.html

I guess the success of the specification will depend on what its goals are. Does it want to develop a comprehensive solution to mitigate XSS and CSRF attacks, or is it going a focused specification. I tend to think that keeping security solutions simple (even if they are not compressive) can allow for a much greater adoption rate. The other point to consider is that you don’t have to completely remove a threat on the Internet to be a success. We should be trying to implement changes that will force the “blackhats/bot herders/etc” to change their business model. There is a point where it wont be cost effective to use attacks like drive-by-downloads. To reach this point should be our first goal.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: