Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, "bruce" wrote: > chris... > > what you state is true at the extreme... but in the case of an client app, i > could already extract information about the various apps that make up the > client.. ie if, as in the case of IE, I was able to get information from the > IE browser about various dlls that make up the browser. if these pieces of > information correclt match what msoft would state should be there, then i > could assume that the app was/is legitimate. BUT: That would mean that you can't take into account any plugins or extensions the user might install. And the security leak you're afraid of might not even be IN the browser program used. It might as well be a packet sniffer on the outside of the user's firewall ... > and here's why. while you may not give a damm, there will be a growing > chorus of people who'll want to know that the developers/sites are doing > everything they can to ensure the safety of the entire transaction. in fact, > i'm willing to bet that somehting like what i've been discussing will be > delivered, and promoted as a security/selling point... I think it's more a matter of education and morale than anything else. You can't take responsibility for all clients not screwing up their own system. You just have to hope and trust, that when you tell your users to use this and that browser, and take this and that precaution, that they actually do it, and not install a whole bunch of crap that creates a security problem. What you're asking for is basically a way to control what users do on their own computers, and refuse them if you don't like what they've done. It's not very short of invasion of privacy. Electronic Arts already do that with their games (spy on your computer without your permission, and the refuse you to play the game you legally paid for, because you have other legally paid programs that they don't approve of). What you can do however, is to develop an app that can run a security test locally on the user's computer, and have that app sign off on the user being safe enough for you to want to deal with him. And then force them to regularly have to do that again. But I'm telling you, the more troublesome you make it for your users to use your stuff, the more users you'll loose, and fast. Mostly thanks to MS and Apple, computer users today know very little about their computers, or how they work, or how they protect themselves, and we teach them that they should all and anything that comes their way. So it's continuingly limited what you can actually ask a computer user to put up with, they'll just go somewhere else that's less hazzlesome (that's the whole reason the majority use IE: It's there, it's easy to use, it gets the job done, and it doesn't complain a whole lot). The majority of end-users don't care, or know, or understand, simple security precautions when it comes to network traffic. Education and discipline is, in the end, the only means to achieve what you want. /rambling off -- Rene Brehmer aka Metalbunny We have nothing to fear from free speech and free information on the Internet, but pop-up advertising! http://metalbunny.net/ My little mess of things... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
