Why we need Gecko updates

Ben Bucksch ben.bucksch at beonex.com
Wed Dec 16 09:09:17 UTC 2015


Joshua Cranmer wrote on 10.12.2015 19:49:
> I think you're wrong here. It is probably about two to three orders of 
> magnitude harder to deliver an exploit to an email client than it is a 
> web browser.

Reality proved me right. Google and several other big companies got 
hacked by China a few years ago. This hack was bad enough to make the 
CEOs so upset that they went public about it and Google even closed down 
google.cn , citing this hack as reason / last straw. (Which may not be 
the full story, as the public story rarely is. Either way, that's just 
one case in point that...)

Email is being actively used as attack vector to hacking on the highest 
levels, and even companies who really ought to know better fell for it. 
And the cases we know about it probably are just 1% of what's actually 
happening.

More technical rebuttal:
> ad servers are a great way to feed malware to users

And then, there's spam...

> web browsers willingly send their identities to the servers, making it 
> trivial to target malware specific to the user's machine.

I think the email address is more tied to a person than a web browser. 
If you want to hack someone specific, HTML email is the easiest way. No 
need to redirect Internet traffic, pick the right target out of 
hundreds. Just send a well-crafted email.

> if I wanted to specifically target someone, I'd probably try via email 
> instead of a web browser. 

Right. OK, we agree, then. That's what I was talking about. Most 
high-value hacks require to target someone specific. Mass-hacks are boring.

Ben



More information about the tb-planning mailing list