I've officially changed my stance on HTTPS scanning
<blockquote data-quote="ForgottenSeer 92963" data-source="post: 966167"><p>I have always disabled HTTPS scanning, even when browsers had no low-rights containers. Since the Microsoft Nozzle and Sozzle JavaScript sanitizing studies (yes, those projects really had those names) and the Chrome browser introduction with its internal sandbox, the need to stop bad stuff as early as possible also became less relevant IMO.</p><p></p><p>Also, HTTPS scanning was often combined with injecting DLLs in the browser. These modules were often so badly designed and tested that they contained serious security risks. It was so bad that Google even threatened to block DLL injection in its browser.</p><p></p><p>The AV-community turned that threat into an opportunity for Google to snoop on us (and launched the Google ID gossip). This made Google return on its tracks, because it had to deal with bad PR issues concerning the loss of privacy when using Chrome.</p><p></p><p>Chrome in its turn started Project Zero (to find and prevent zero-days in the wild) and positioned Tavis Ormandy as the lead speaker to make security companies and programs ridiculous because of the bugs/vulnerabilities/security holes those so-called security vendors had in their own software. Anyone ever questioned why a company would waste the time of a top-notch researcher on debugging software from another company? The only feasible answer could be to create awareness and real-world proof of Google's take on this matter. </p><p></p><p>The hilarious (or shamefully sad, depending on your take on it) Twitter posts of Tavis Ormandy made clear to me that "NO MAN IN HIS RIGHT MIND SHOULD EVER PUNCH A HOLE IN A SECURITY MECHANISM USING THE EXCUSE OF INCREASED SECURITY".</p><p></p><p>To the OP and all agreeing with him: I am glad you have made the right choice.</p></blockquote><p></p>