ietf-smtp

Re: Requesting comments on draft-cheney-safe-02.txt

2009-08-07 06:20:19

On Fri, Jul 31, 2009 at 02:36:31AM +0400, Cheney, Edward A SSG RES USAR USARC wrote:
> The idea is that security vulnerabilities on the internet occur
> most significantly as a result of client-side scripting from documents
> transmitted across HTTP.

Even if we grant for the purpose of argument that these are the "most
significant", and I see no evidence that they are, these are not
Internet security vulnerabilities.

These are (a) web browser and (b) operating system vulnerabilities,
and are quite readily mitigated by making sensible choices about both.
Further mitigation is possible by using in-band filtering/blocking
(such as HTTP proxies which filter or block traffic) or by using
browser extensions (e.g., NoScript).  These are much simpler and directed
solutions that are available immediately, without any need for protocol
engineering.

If, on the other hand, poor choices of web browser and/or operating system
(or mail client, for that matter) are made, then it really doesn't matter
whether traffic moves via HTTP or SMTP or anything else: those systems
WILL be compromised.

---Rsk
