[Dshield] Bushe's recent visit to the NSA... Is this website safe to view?

jayjwa jayjwa at atr2.ath.cx
Mon Feb 6 22:43:15 GMT 2006


On Sun, 5 Feb 2006, Bjørn Ruberg wrote:
-> > Is this website safe to view?  I don't know much about this, but my
-> > understanding is that websites that have malformed code could possibly
-> > download a virus or worm onto my computer if I viewed it or clicked on some
-> > link on it.

-> Jokes aside, it's perfectly all right to be skeptical of HTML code.

It's (usually [1]) not the HTML markup that gets 'em, it's all that scripting 
#@!$% they embed inside of it that does the nasty deeds. Try running around 
with Java/Javascript/*script turned off in your browser and see how the web 
looks/responds.

The other day I forgot and left JS turned on. When at a site I'm used to 
visiting, I thought to myself, that's funny, I remember I used to see at the 
bottom of the browser where the link was actually going (the target), now it 
was not displayed. Then I remembered Javascript was still on, switched it off, 
refreshed, and the display came back on.

I often wonder how many of the web browser-based exploits out there in the 
wild depend on the victim running JS or another scripting language. I'd love 
to see the percent figure on that.

-> Even
-> Microsoft now and then suggests that HTML code should be viewed with a
-> plain-text editor instead of Internet Explorer.

Now that is the ultimate in contradiction: e.g., we make this great web 
browser, but ummm... just don't use it to view HTML ;)


j


[1] IFRAME comes to mind, but that was app-specific.

