On 10/9/13 6:01 PM, Gervase Markham wrote:
Attack surface reduction works:
http://blog.gerv.net/2013/10/attack-surface-reduction-works/
Removing E4X broke the NSA's "EGOTISTICALGOAT" attack - a type confusion
vulnerability in E4X.
In the spirit of learning from this, what's next on the chopping block?
So you are saying, we should start removing features that could decrease
the attack surface? So then lets remove JavaScript, this could
definitely decrease the attack surface.
I think its the wrong conclusion, shouldn't we rather be fixing security
holes and analysing the code for vulnerabilities than removing random
things just because of their potential risk?
Removing features will definitely make people unhappy, and more work for
(extension) authors needing to adapt to the platform changes yet again.
Philipp
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
