<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Browser Wars 2.0: Will security be the battleground?</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 13 Oct 2006 13:14:17 -0000</lastBuildDate><item><title>Re: Browser Wars 2.0: Will security be the battleground?</title><link>http://www.matasano.com/log/548/browser-wars-20-will-security-be-the-battleground/#comment-2320783</link><description>Chris_B: is this the same warning that RSnake and others were talking about in the sla.ckers forum and on the ha.ckers blog?  I thought it was unintentional on Opera's part?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Fri, 13 Oct 2006 13:14:17 -0000</pubDate></item><item><title>Re: Browser Wars 2.0: Will security be the battleground?</title><link>http://www.matasano.com/log/548/browser-wars-20-will-security-be-the-battleground/#comment-2320782</link><description>Recently I was doing some bog-standard XSS testing against a few sites with various browsers. I noticed that Opera (on OSX) tossed out a warning page when attempting to click on an XSS link or manually enter an XSS test URL. Makes me wonder if there is any justifiable reason that other browsers don't implement this behavior.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Fri, 13 Oct 2006 00:51:20 -0000</pubDate></item><item><title>Re: Browser Wars 2.0: Will security be the battleground?</title><link>http://www.matasano.com/log/548/browser-wars-20-will-security-be-the-battleground/#comment-2320781</link><description>the battleground is OS integration, popularity, and FUD if you look at those numbers again.  Microsoft is fine with security being a priority feature for IE7 as long as they come out on top.&lt;br&gt;&lt;br&gt;unfortunately, that's just what the crime syndicates' web application attack teams are preparing for.  
global domination through IE6/7 cross-exploits and gaping holes in websites that browsers don't catch, regardless of their antiphishing features.&lt;br&gt;&lt;br&gt;this stuff is so far under the radar.  it's so easy to launch an attack from a cloned mobile phone running bluetooth with a sniper rifle in NYC to a laptop in LA that's running wifi that breaks into a corporate LAN and dns spoofs google and &lt;a href="http://CNN.com" rel="nofollow"&gt;CNN.com&lt;/a&gt; to insert any given executable/rootkit.&lt;br&gt;&lt;br&gt;maybe it's not as easy - but certainly possible to access &lt;a href="http://ebay.com" rel="nofollow"&gt;ebay.com&lt;/a&gt; from romania using a custom but highly advanced onion routing network and posting a few lines of persistent injected javascript code that can collect every user/pass/info for every active ebay/paypal account in a matter of hours.&lt;br&gt;&lt;br&gt;expensive firewalls, WAF's, IPSes, IDS's, scanning tools, billions of dollars worth of programmers, and 25 years of industry standards don't solve the basic attack platforms that are being used against us today.  what makes you think IE7 or Firefox 2.0 will have any impact?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dre</dc:creator><pubDate>Thu, 12 Oct 2006 17:12:38 -0000</pubDate></item></channel></rss>