* Posts by Fredrik Ljunggren

1 publicly visible post • joined 24 Jun 2008

Web browsers face crisis of security confidence

Fredrik Ljunggren

Layer violation

The author clearly lacks understanding of the different security domains in Internet communications:

1) XSS and other examples of injection of malicious content into web pages are not a browser security issue, it is the responsibility of the web service provider.

2) Underlying infrastructure is not a browser security issue. Everyone with some clue knows that the Internet would not have existed if it had been built in traditional telco style or incorporated mandatory IPSEC (or similar). The power of simplicity.

3) TLS/SSL does work very well for establishing strong transport security and authentication of the server side, and will also give us the session identifier which we need to get rid of all the cookies and CGI variables used for session handling. Not a browser issue.

4) Javascript is _exactly_ the thing we want and need. A simple programming language with several implementations (larger gene pool than flash, java and activex), standardised and properly sandboxed.

The problems do not stem from IP, TCP, UDP, DNS, TLS or elsewhere in the network stack. IMHO, the problems are (in ranking order):

1) Flash (which is truly scary, close to 100% adoption of one inbred implementation) and other browser plugins, too widely spread and too small a gene pool (Acrobat Reader, QuickTime and others...)

2) Web-server and -application security, where inadequate implementations and configurations put users' security at risk

3) The absence of decent methods of user authentication (think SAML and OpenID)

4) Browser implementation errors (and the effect of such due to tight integration into the operating systems)

5) ..

Apart from that, I do agree that phishing filters and other tricks won't solve any security problems, in the same way as antivirus, firewalls and other largely perforated band-aids will fall short.

This article spells F.U.D.

--- Fredrik