George N. White III gnwiii at gmail.com
Sat Jan 17 09:40:59 AST 2009

On Fri, Jan 16, 2009 at 9:21 AM, Richard Bonner <ak621 at chebucto.ns.ca> wrote:

> On Fri, 16 Jan 2009, Mike Spencer wrote:

>> I typically have images, Java, javascript and cookies disabled.
>> Although I "accept" certs when proffered, I never do anything via a
>> web connection for which (AFAIK) their validity or correct handling
>> matters: no banking, shopping, tax forms, gov't forms, securities
>> trading or the like.

That reduces your risk, but if you have a credit card and don't check
for bogus transactions every few days you may have trouble (this
happened to someone I know) when someone manages to buy
a dozen Dell systems on your card and you don't report the problem
until the statement arrives in the mail (e.g. after the systems were delivered
to a now vacant apartment).  The bad guys start with a couple
small "test" transactions and then go for the big haul.  If you check the
account regularly, the card would have been cut off before the order could
be placed with Dell, and certainly before the order shipped.  The bank is
not going to be happy if they don't hear about the bogus transaction until
after the goods have been delivered, which means they are going to share
the pain with you.  The banks are quite capable of bullying you and putting
"bad customer" flags into your record -- the only thing worse than always
paying your bills on time is sticking the bank with a big bill for a bogus

There are groups working on (more) secure browsers using sandbox designs.
One is Opus Palladianum (OP), which uses SELinux.  I'm not sure OP
was ever released to the public.  Google Chrome draws on some of that work.

>> As far as I can see, NN 4.76 doesn't support <IFRAME.... so nothing
>> bad gets snuck in that way.  I'm running Linux (obviously? :-) so ActiveX
>> and  *.EXEs, however cleverly inserted, don't do anything.
> ***   Unless one needs such features, I agree that they should be left
> off. I have learned that in the past decade more and more workplaces
> are blocking many of these from their workers anyway - javascript in
> particular.

Some workplaces have IT running around blocking javascript, etc. and
HR requires that everyone enable javascript to process leave requests, etc.
In IE you can do this by adding the HR site to your "trusted" hosts, but
very few understand that trusted sites should use https, so they force users to
turn off that option with "trusted sites".

> (Snip)
>> But of course I have Firefox as a backup when I really, really want to
>> look at one of those horrible mare's nests of code and markup that
>> most corporate sites are.

Don't forget the add-on that tells the site you are using IE.   Then the
site manager can say "we don't need to support other browsers because
100% of our customers use IE".

> ***   I agree. I can't fathom why businesses don't adhere to
> accessibility rules. Don't they want to reach the maximum number of
> potential customers/clients? I guess they think that eye-candy
> impresses people, but they don't realise how tiring it gets after
> the umpteenth time visitors see it. The better sites have "Bypass"
> buttons and/or alternate text for those not wanting, or unable to
> use, those "mare's nests".

Many managers still don't take the web seriously, and refuse to pay what a
capable site designer costs, so they give the work to a low-bid contractor
or that nephew who can't get a job after being released from prison.

A large fraction of web surfing should work with a text browser
(lynx, links, etc.).  I used to complain about sites that were unusable
from lynx, but apparently it didn't work, as fewer and fewer sites were

>> I'm checking out NN 4.79 before I hack around much more with
>> libraries. It's alleged to have fixed some 4.76 bugs anyhow.
>> Now I have to wait for a boring d/l over dialup.

Older is _not_ better -- there were lots of exploitable bugs in the
older browsers due to not sanitizing external data, etc., so you are
relying on security through obscurity.

Have you looked at other lightweight browsers like dillo?

George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia

