Re: AppleScript & HTML Again...
Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: "John C. Welch" <email@hidden>
- Date: Sun, 28 Mar 2004 13:18:46 -0600
On 3/28/04 12:34 PM, "Michael Terry" <email@hidden> wrote:
>
In fact, the security measure that Peter suggested for personal use,
>
whereby Missing Link's default url protocol is changed, isn't nearly as
>
dumb as was made out. Actually, it's not dumb at all. A cracker could
>
never guess the custom prefix. Compare it to cracking a password: Given
>
sufficient time and the appropriate software, a cracker can break any
>
password by continual guessing. That's not possible here because
>
there's never any feedback. Even if a cracker somehow lured a user into
>
downloading his subversive web page a million times and clicking his
>
shady links, the cracker would never know if he were successful. Of
>
course, the example should suggest some other possible roadblocks this
>
prospective cracker will run into, ones which, in my view, make even
>
the minor additional precaution of a custom url protocol unnecessary.
You can make two assumptions here...one, that they'll use the default
protocol name as specified in the documentation, and two, that there's a
large number of users won't change their hard drive name from the default.
Oh, you won't get everyone, but you'll get quite a bunch with it. If you
cast your net wide, you can get a lot done with only 40% returns. Spammers
make a lot of money on far less. If you manage to turn 100 out of 100000
machines into zombies, you can do a lot of damage. Even if you only manage
to damage those hundred machines, that's still damage.
As well, there are limitations within web page scripting that make the level
of access required for a massive dictionary attack like that impractical.
Web connections aren't permanent enough for this kind of attack to work
well.
There is no magic security bullet. Changing a protocol name isn't any better
than saying Macs are safe from virii because there's less of them. That's
hoping you won't be noticed. A password isn't perfect either. But it creates
a very serious obstacle to someone using javascript to cause damage in the
background. Another option would be to require an application whitelist for
Missing Link, so that rather than sending open events to ANY application
that you get lucky with, only a manually entered, pre-approved list of
applications that the user enters in will function with Missing Link. If the
two are both options, then you have a nicely layered security model, that
allows you to limit access in one of three ways, (whitelist, password, or
both).
As with any measure, there is ALWAYS a counter measure. That's a fact. But
that is not a justification to hiding your head in the sand.
>
>
Mike
>
>
PS - Just to reiterate, since there still seems to be confusion by
>
some: Missing link doesn't download AppleScripts, nor does it run
>
AppleScript code embedded in web pages, nor does it communicate with
>
any remote software, JavaScript or otherwise, at any time. Cutting your
>
network cable with a pair of garden shears will not interfere with its
>
normal use. Missing Link only communicates with HTML pages, and these
>
pages are always already on your hard drive (or network server attached
>
as part of your filesystem).
Nonsense. I just put a test page on my web site on a remote server, clicked
the link, and iCal came up. So, clicking a link on a remote server allowed
missing link to open a local application with no authorization or
authentication whatsoever. Had I wanted to, I could have added a javascript
to the page, and replicated this action automatically. So, quite obviously,
a remote machine can use missing link to access resources on your hard
drive.
john
--
Cowards die many times before their deaths; the valiant never taste death
but once.
- Shakespeare: Julius Caesar
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.