Monday, June 16, 2008
Browser Security: What if Microsoft and Mozilla worked together...
1. Microsoft is doing the right thing when it comes to CardSpace and has implemented an identity selector in Internet Explorer. The challenge is that Microsoft hasn't done much evangelism of this technology within the enterprise marketplace. It would seem as if CardSpace could be the mechanism that eliminates fugly passwords and prevents spoofing and hijacking of passwords, yet if no one knows about it, the ecosystem can never be secure. With a little more evangelism, and if the Mozilla folks stopped thinking of an identity selector as an add-in, browser security can improve.
4. In the same way that CardSpace runs in its own process, why can't Microsoft make all plug-ins installed via ActiveX do the same? Separating out plug-in execution could provide the necessary constraints and could even allow for policies to be applied. Signing something shouldn't be enough; running in the same address space as the browser should require user consent.
Of course many of my thoughts have tons of holes and the point of sharing them isn't for folks to throw daggers at my ideas, but to focus on making browser security better...