Security zone shortcomings: why browsers and websites encourage phishing

For those of you unaware of or unfamiliar with browser security zones, the short story is that web sites can be classified into 'zones'. There's typically a zone for web sites you explicitly trust (such as your bank), a zone for local/intranet web sites (typical in a work environment), and then an Internet zone for everything else. The goal is to reduce the security privileges given to the Internet zone (i.e. restrict what the Internet at large can do to/with your browser), while having more relaxed restrictions for sites you trust (letting them perform more security-sensitive operations). In a perfect world, you would configure your browser to disable JavaScript, ActiveX, Flash, and all other excessive features in the Internet zone. This would reasonably protect your browser against any JavaScript-based attack (including attacks related to phishing and XSS) and likely curb direct browser exploitation by a native browser vulnerability. theory. However, I've spent the last four+ years living this approach and it has proven to be borderline unusable at times, and downright frustrating most other times. But I'm not going to place all the blame on the web browsers themselves--web sites boast architectural design decisions and page implementations that do not cater to zoned browsing (and in some cases, make it nearly impossible to configure the site to be trusted at all!). Not to mention, any Web 2.0/AJAX style application requires full trust due to the amount of client-side technology it needs to leverage.

Jeff Forristal's security blog: Security zone shortcomings: why browsers and websites encourage phishing

Linked by shanmuga Saturday, 10th February 2007 8:12AM