SecurityFocus 2008-10-15
Story continued from Page 1
In a fairly comprehensive e-mail to the WHATWG, researcher Michal Zalewski talked about possible solutions to clickjacking. What problems do you see in fixing this issue?
Hansen: The obvious issues are around usability of existing applications. The more UI controls you put in place to limit clickjacking, the more likely you are to hurt existing applications that are benign.
Zalewski talked about this falling into two categories: opt-in solutions and opt-out solutions. Can you describe the differences between the two routes?
Hansen: Opt-in solutions will get the same level of adoption as any other security would. We still have tons of vulnerabilities to known problems on the Internet that are solved by simple patches. In my mind, while they do solve the problem for a few cases, it really will not have a big enough impact to stop the threat in any meaningful way.
The opt-out solution he provided also doesn't have any real chance of success in any reasonable amount of time, given that a huge chunk of the Internet would need to be re-worked. The best solutions I've heard, if you can call them solutions, are browser-based and require no changes to the web servers. That'll get the quickest adoption rate and is the most viable solution. Unfortunately, with any change there is a huge amount of regression testing, and you're likely to break a lot of the more complex web interfaces out there that use some similar technologies by design. They may not mean to hurt anyone, but their interfaces will no longer work the same way if the browsers make substantive changes.
If I am a bank or another Web site and I want to try and make sure that my visitors are not affected by clickjacking, is there anything I can do at this point?
As an Internet user, is there anything I can do to make sure that I am not attacked with clickjacking?
Grossman: There are a few things that are helpful, but nothing is 100% effective. 1) Make sure you log out of websites when you are done conducting business. 2) Install NoScript for Firefox. 3) Disable all plugins.