Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://hachyderm.io/users/dalias/statuses/114094455866911637">Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 04:20:37 JST</a><a href="https://hachyderm.io/@dalias" title="dalias@hachyderm.io"><img src="https://gnusocial.jp/avatar/40873-48-20221207231635.webp" width="48" height="48" alt="Rich Felker" style="position: absolute; left: 0; top: 0;">Rich Felker</a><div><a href="https://infosec.exchange/@alwayscurious/114094429608374318" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/167753" title="alwayscurious@infosec.exchange">Demi Marie Obenour</a></li><li><a href="https://gnusocial.jp/user/315648" title="theearthisapringle@mastodon.social">theearthisapringle</a></li></ul></div></section><article><p><a href="https://infosec.exchange/@alwayscurious">@alwayscurious</a> <a href="https://mstdn.ca/@swordgeek">@swordgeek</a> <a href="https://mastodon.social/@theearthisapringle">@theearthisapringle</a> This is really a problem in philosophy of security fixes I've written about in detail before. It's harder to work around when you don't control upstream's bad behavior, but it should be possible to mitigate most security problems without even needing code changes, as long as you can document what functionality to gate to cut off the vector without excessive loss of functionality.</p><p>Most browser vulns are fixable with an extension blocking the garbage feature nobody asked for.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4661695#notice-9125693">In conversation</a><time datetime="2025-03-03T04:20:37+09:00" title="Monday, 03-Mar-2025 04:20:37 JST">about a month ago</time> <span>from <span><a href="https://hachyderm.io/@dalias/114094455866911637" rel="external" title="Sent from hachyderm.io via ActivityPub">hachyderm.io</a></span></span><a href="https://hachyderm.io/@dalias/114094455866911637">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Rich Felker (dalias@hachyderm.io)'s status on Monday, 03-Mar-2025 04:20:37 JSTRich Felker
in reply to
@alwayscurious @swordgeek @theearthisapringle This is really a problem in philosophy of security fixes I've written about in detail before. It's harder to work around when you don't control upstream's bad behavior, but it should be possible to mitigate most security problems without even needing code changes, as long as you can document what functionality to gate to cut off the vector without excessive loss of functionality.
Most browser vulns are fixable with an extension blocking the garbage feature nobody asked for.
In conversationabout a month ago from hachyderm.iopermalink

Public

Embed Notice

HTML Code

Corresponding Notice