> > Isn't it the case with every software created to add some protection > to you computer? Firewalls, antiviruses, IDSes etc. are all adding > code to your operating system that may, in the future, be found > vulnerable to some attack. It is just the question whether protection > they provide compensates additional threat they may introduce. > Yes, protection can mean added code, but consider the kind of code and where it is running. Typically I run an IDS such as snort on a tap interface with no access to send anything out. in particular, it's not looking at endpoint traffic after it's decrypted. Why? IDS's are big complicated things that to lots of string a byte comparisons against data provided by an attacker, the kind of code that is easy for the author to make mistakes in that lead to compromisable situations. So if snort is compromised, all the attacker typically gets without more work is the ablility to sniff, not the ablility to look at encrypted traffic in the clear, and ideally not the ability to send traffic out. Other programs (i.e. ssh) deal with complexity like this by attempting to isolate the privileges that the code doing most of the string bashing is running as - i.e. a privsep model, so if you break a piece of it (at least in most of the code) you *Don't* see encrypted traffic or passwords If this critter is compromised, he likely gets the entire endpoint machine, or if not, he most likely for sure gets the ability to read decrypted https streams. - Fix the browser bugs rather than having another plugin to look for them. -Bob
