Trusted vs Unstrusted MIME types
patrys at pld-linux.org
Mon Jul 9 02:57:43 PDT 2007
On 7/9/07, Rodney Dawes <dobey.pwns at gmail.com> wrote:
> One very important design heuristic that should be followed here is
> "Always let the user feel in control."
I'd rather word that differently. For me "user in control" means
ignoring any messages and blindly clicking "next." Been there, seen
> If the user doesn't feel like
> she can control what's happening, the software is going to be an
> annoyance more than an assistance. Inciting fear with a pop-up stating
> that a file might contain malicious code, for only a small subset of
> the possible files that might do so, doesn't actively make the situation
> any better.
It will certainly teach users not to read any popup messages instead
clicking "allow" as they would be unable to have any work done.
> Why not have magic matches for known malicious data in files, instead of
> just blanketing whole mime types?
It's not possible inside web browsers and generally any software
dealing with remote files (and these are the major threat). Sniffing
contents might be either impossible (a large file that is either not
fully downloaded yet or not meant to be downloaded at all in case the
opening application wants to do it by itself) or very expensive
(samba, webdav over Internet).
> Doing that would take care of even
> files we think we might trust, like JPEGs, without being overly
> intrusive in the UI, when not necessary.
The JPEG case needs to be fixed in the application and not in the
sniffer. Both would take the same amount of work.
> Because, really, by definition,
> any file not explicitly created by the user, should be considered as
> potentially unsafe. And even some files created by the user, should be
> considered unsafe, because we don't know if the software that created
> it is safe.
That's what I said earlier in the thread. A file that does not
originate from my machine is considered not safe. If I use Firefox to
save it locally I no longer get any warning about its contents.
I think to solve this properly we'd need a new filesystem with more
extended attributes that follow the file (think of "marked as safe")
More information about the xdg