I've been reading interviews, insights, write-ups and blogs on ClickJacking and I've had so many discussions with some of you my head spins trying to remember it all but something I saw a couple of days (weeks maybe?) ago is staying with me so I looked it back up and wanted to briefly talk about it.
This quote from Jeremiah Grossman, is disturbing.
"Recently we're [Grossman & RSnake] told we’ve been told that its been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]
Why is this disturbing, do you ask? Think about it. If this statement isn't stretching truth (and I haven't found Jeremiah to be a sensationalist) then this has been an open, the-sky-is-falling-drop-everything issue for ~6 years. Not 6 days, months but YEARS. So the question we have to ask ourselves [but already know the answer to] is why in the world is it still an issue in 2008?
I'd love to know a few things:
- Why did we [security professionals] not freak out about this in 2002?
- Why haven't IE7+ and Firefox (at least?) resolved this issue dead?
- Why hasn't the standards body [the W3] taken this up as a standards issue?
Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.
EDIT: Sun. Oct 12, 2:02pm CDT
I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla post on the bug Jesse Ruderman posted first in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably functionalit has always been, and will always be the antithesis of security.
There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything - but maybe come up wth a better way to think this through as a community.