Yes. My entire family will be calling for free tech support as their machines eat crap. This affects me directly and greatly, as I'm sure it similarly affects many other frequent posters here. Also personally, yes, no browser is invincible and I'd like to avoid infection as well.
I run lynx/links/etc in a chroot jail, you insensitive clod!
Why? (Score:5, Interesting)
Re:Why? (Score:4, Funny)
Are you afraid of a little infected web site? Something wrong with your browser?
Re:Why? (Score:5, Insightful)
Re:Why? (Score:4, Funny)
Find out what they're experts in, become a complete idiot in that field and start pestering them with requests for help.
Keeps my dad away. Though I now have to pay for repairs when my car breaks down.
There is something wrong with EVERY browser (Score:2)
There are numerous security flaws in all the major browsers. Vulnerabilities are getting fixed all the time; just look at the change log of Firefox or Chrome over the last few releases, for example. If you think you're magically virus-proof because you're running your pet OSS software, you might consider the list of popular OSS web servers in the title of this discussion.
Re:There is something wrong with EVERY browser (Score:4, Insightful)
In my experience most of the major browser exploits attack vulnerable plugins (Flash, Java, Acrobat/PDF viewer, etc.) or abuse scripting.
If you restrict or disable said plugins and JavaScript then I'd say you're pretty darn safe.
Granted, most "web 2.0" websites work like shit without JavaScript enabled but some stuff still works. For the more sane of us there are things like NoScript.
It's kind of hard for plain text and images to do bad things though I suppose it's been done before.
Re:There is something wrong with EVERY browser (Score:5, Interesting)
From Debian 7 release notes:
"Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites. For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium."
-- http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security [debian.org]
Re:There is something wrong with EVERY browser (Score:4, Interesting)
They attack plugins because Flash/Java/Acrobat are still installed on over 90% of potential targets, whereas the browser market is now diversified...
Re:There is something wrong with EVERY browser (Score:4, Informative)
It's kind of hard for plain text and images to do bad things though I suppose it's been done before.
There have been vulnerabilities in PNG and JPG image format handlers in the past, so yes, there has definitely been the potential to have images do bad things. (Arguably none would be as bad as using some of the ones relating to goatse, but that's a different kind of problem.) If you hear of problems in fundamental media type handlers, for goodness sake make sure you're up to date with your security patches!
I don't know if there were any exploits of those problems in the wild though.
Re: (Score:1)
I have several free web browsers on my laptop, but I generally do not look at web sites from my own machine, aside from a few sites operated for or by the GNU Project, FSF or me. I fetch web pages from other sites by sending mail to a program (see git://git.gnu.org/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly.
I think this is the key.
Get your friends' computers infected instead!
Re: (Score:3)
There's a small number of infected sites. That clearly indicates that this is likely a case of digital burglary rather than the much lower bar of something like a viral infection. Otherwise we would be talking about thousands of sites or half the Internet.
Your screed would be more relevant if not for the fact that there are various fairly common workarounds employed on the various browsers to mitigate just this kind of nonsense.
A little paranoia goes a long way. That's far more useful than the sort of bliss
Re:Why? (Score:4, Interesting)
How exactly does your browser recognize the difference between a normal page and the exact same page delivered from the exact same server at perhaps a microsecond delay?
This backdoor may simply be passing on POSTs with passwords (a webserver receives these unencrypted, you know) to another server without altering anything on the page. The only one who'd notice would be a webserver admin that happens to monitor outgoing traffic.
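Added example, not part of the thread: the last comment says only an admin watching outgoing traffic would notice such forwarding, and this sketch shows that check over a constructed snapshot in the layout of `ss -tnp` output. The process names, listen ports and backend allowlist are assumptions to be replaced with the server's own values.

```python
import ipaddress
import re

# Constructed sample in the layout of `ss -tnp` output (documentation IP ranges).
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:443 198.51.100.7:51234 users:(("httpd",pid=1201,fd=12))
ESTAB 0 0 192.0.2.10:80 198.51.100.9:40022 users:(("httpd",pid=1202,fd=14))
ESTAB 0 0 192.0.2.10:48122 10.0.0.5:5432 users:(("httpd",pid=1201,fd=15))
ESTAB 0 0 192.0.2.10:39514 203.0.113.66:8080 users:(("httpd",pid=1202,fd=16))
ESTAB 0 0 192.0.2.10:22 198.51.100.20:50111 users:(("sshd",pid=900,fd=4))
"""

WEB_PROCS = {"httpd", "nginx"}                 # assumed web server process names
LISTEN_PORTS = {80, 443}                       # assumed ports the server accepts on
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed known backends

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_hostport(value):
    """Split 'addr:port' (IPv6 appears as '[addr]:port') into (ip, port)."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_egress(ss_text):
    """Return (process, pid, peer_ip, peer_port) for each established
    connection that a web server process opened to a destination outside
    the backend allowlist."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue                           # header or non-established state
        proc = PROC_RE.search(fields[5])
        if not proc or proc.group(1) not in WEB_PROCS:
            continue                           # not owned by the web server
        _, local_port = split_hostport(fields[3])
        peer_ip, peer_port = split_hostport(fields[4])
        if local_port in LISTEN_PORTS:
            continue                           # inbound client connection
        if any(peer_ip in net for net in ALLOWED_EGRESS):
            continue                           # expected backend (e.g. database)
        findings.append((proc.group(1), int(proc.group(2)), str(peer_ip), peer_port))
    return findings


if __name__ == "__main__":
    for finding in unexpected_egress(SAMPLE_SS_OUTPUT):
        print("unexpected outbound connection:", finding)
```

A single snapshot misses short-lived connections, so the same allowlist logic is better applied to continuous flow or firewall logs.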