[CentOS] Why the Internet is so insecure

Wed Nov 30 10:33:23 UTC 2016
Alice Wonder <alice at domblogger.net>


Major flaw in how the specification for window.opener() works resulting 
in a major phishing vulnerability that is cake to pull off.

The right solution isn't considered because it would break compatibility 
with the few number sites that depend upon the broken specification even 
though it would be simple for those sites to implement a secure method.

So instead the entire web is left with an extremely poor default and a 
crappy solution that won't be implemented by a large number of sites.

And that's why the Internet will remain a playground for con artists for 
years to come.

I've lost faith in the W3C. It's useless, time for a fork and a new 
standards body. Seriously.

BTW - the fix that W3C does endorse, the rel="noopener" attribute, if 
that's the best the W3C is willing to do, Red Hat better make sure it 
makes it into the ESR version of FireFox they ship or it will be 
vulnerable for some time.

The broken fix the W3C endorses isn't even set to make it into standard 
FireFox until FireFox 52. Which is odd because it is a serious security 
vulnerability. I'm worried it won't make it into ESR FireFox for some 
time. ESR often lags on features.