2 Replies Latest reply: Oct 21, 2010 5:51 AM by lhebbes

    Will the new version fix the redirect security hole?

      Will the new version just be a cosmetic change, or will it address some of the security issues in my other post?

        • 1. Re: Will the new version fix the redirect security hole?

          Unknown sites are already flagged as unknown, but no, we don't plan to do deep inspection of sites-within-sites - that's covered in our Site Advisor Pro product coming out later in the year as it can only really effectively be done from the client end - not from a service in the cloud.


          It's impossible as you can understand for us to scan a site in real time prior to each jump, using the historic GTI record is the only practical way to do things. We are though looking at options to get the frame a bit more aware of content below it.


          To be honest, we expect most users to disable the frame on known sites anyway, so the only time they will see it is if we have already decided the end location is suspicious. There's even a discussion going on whether we should bother displaying the "Green" frame at all - whether it should be an "opt in" rather than the current "opt out" mode.


          There's a practical limit to how much security we can do without a client-side component - certainly we can offer more than the nothing some surl providers currently offer, and at least as much as others like goog.le and bit.ly.



          Message was edited by: SafeBoot on 10/7/10 2:25:19 PM EDT
          • 2. Re: Will the new version fix the redirect security hole?

            I agree that you can't do everything without the client-side components. I'm glad to hear that you will be introducing a product to do that in the near future as well. However, it would be possible to perform some checks on the page in script and Ajax submission. I realize that this would be complex, take time to perform and not be 100% accurate, but it could help.


            Also, I think it would be a mistake to remove the green tick, or even allow users to opt out of seeing it. I can script a page to jump out of your frame and show the whole page without your tick. If the green tick is never displayed, then a user wouldn't know that my site contains malware as I'll jump out of your red cross page. The users will then assume that it's fine. I think you need to be able to either reassess the page whenever the user clicks a link, or you need to remove the banner completely if they navigate to another page whilst giving them a warning possibly.
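The frame-escape problem raised in the last post has a browser-side mitigation an interstitial of this kind can apply: frame the destination in a sandboxed iframe whose policy omits the top-navigation tokens, so script in the framed page cannot replace the warning page. The code below is an added example, not McAfee's code; `buildInterstitial`, its verdict labels and the banner layout are assumptions.

```javascript
// Added example (not the shortener's own code): a reputation interstitial that
// frames the destination so that script in the framed page cannot navigate
// the top window. A sandboxed iframe may change top.location only when its
// sandbox list grants one of these tokens.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// True when the sandbox attribute still lets the framed page replace the
// parent page (i.e. the warning frame can be escaped). A missing attribute
// means no sandbox at all, which also allows escape.
function sandboxAllowsFrameEscape(sandboxValue) {
  if (sandboxValue === null || sandboxValue === undefined) return true;
  const tokens = sandboxValue.trim().split(/\s+/).filter(Boolean);
  return tokens.some((t) => TOP_NAV_TOKENS.has(t.toLowerCase()));
}

// Minimal HTML/attribute escaping for values interpolated into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the interstitial (hypothetical layout) for a destination and its
// reputation verdict ("green", "yellow" or "red"). The banner is always
// rendered above the frame, and the sandbox never grants top navigation.
function buildInterstitial(destinationUrl, verdict) {
  const url = new URL(destinationUrl); // throws on malformed input
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("only http(s) destinations may be framed");
  }
  // Third-party content is never same-origin with the interstitial, so
  // allow-same-origin cannot be used by it to remove its own sandbox.
  const sandbox = "allow-scripts allow-forms allow-same-origin allow-popups";
  if (sandboxAllowsFrameEscape(sandbox)) {
    throw new Error("sandbox policy would permit frame escape");
  }
  const labels = { green: "Known site", yellow: "Unknown site", red: "Suspicious site" };
  const label = labels[verdict] || labels.yellow;
  const safeUrl = escapeHtml(url.href);
  return [
    `<div class="banner banner-${escapeHtml(verdict)}">${label}: ${safeUrl}</div>`,
    `<iframe src="${safeUrl}" sandbox="${sandbox}" referrerpolicy="no-referrer"></iframe>`,
  ].join("\n");
}
```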