[WEB SECURITY] Closing web sites due to legislation

MustLive mustlive at websecurity.com.ua
Tue Jun 12 16:50:23 EDT 2012


Pavol and guys!

Here are some more comments concerning your thoughts on this topic. Thanks,
you've written a lot of comments, so I need to comment on many of the most
important ones. This is the second letter, and later I'll write more ;-). And
besides comments, I'll write about more examples of laws and their
relation to security.

> (and you cannot force people to care about their security just because we
> do it most of our lives).

I agree with all your arguments, Pavol (those aspects which you referred
to security can similarly be referred to privacy). I'll just add a note
concerning forcing people.

On one side, forcing is not a very acceptable way, but on the other side it's
needed to remind people - to change the current nihilistic situation. And in my
opinion for security it must be more active than for privacy. So forcing
people in a non-aggressive and peaceful way, i.e. by reminding (like
reminding about holes at websites or in webapps, as I've been doing for more
than 7 years), can and should be done. And much more for security than for
privacy (and this EU law concerns only privacy, so "as always they forgot
about security").

For example, if EU legislators make a situation with much better security
of web sites in the EU, then there will be far fewer possibilities for exposing
web sites (and their owners) to fines after their hacks. As you see, the correct
order (first security and then privacy) can make the situation better and with
fewer pitfalls (but EU legislators just forgot about security and
over-concentrated on privacy). In other words, forcing can and should be
done (only the positive kind), especially concerning improving security - and it
can be done without any additional laws (even without this EU law), but with
current legislation. In my next letters, when I'll be showing different
examples of current legislation and cases of using these laws (in Ukraine
and the USA), I'll write more about it.

> And now guess how the most people would decide :)

Yes, it's a nice example and the result is predictable :-). This is the case
when usability (and "don't make a pain in the head"-ability) wins over
privacy. But we have a similar situation in the case of usability vs. security
(in most cases in different applications, especially in webapps). The situation
with captcha is one of the well-known ones.

Interesting rhetorical question: can any country in the EU not implement
this law, because of "not a well-thought-out law", "people are protesting" or
"there is no money for implementation" (aka "financial crisis")? I
understand that it's obligatory for every member of the EU (I wrote it
rhetorically), but anyway some prudence can be shown, like it was done in the UK.
So I wish for every country in the EU to implement this law harmlessly. And
there are a lot of other interesting laws, about which I'll write soon.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Pavol Luptak" <pavol.luptak at nethemba.com>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <websecurity at lists.webappsec.org>
Sent: Friday, June 01, 2012 12:31 AM
Subject: Re: [WEB SECURITY] Closing web sites due to legislation


Hi all,

On Wed, May 23, 2012 at 11:55:14PM +0300, MustLive wrote:
> now, but we'll see after 26th of May 2012). But there is another aspect.
>
> Security aspect of this law.
>
> There is a connection between EU Cookie Law and security of web sites (this
> is the main reason for writing this article). If a web site is hacked and
> cookies are set for visitors silently (automatically), then this site
> can be fined - even if by default this site is compliant with the EU law (asks
> before setting cookies).

That's one of the reasons why I don't like this new EU law. It can be easily
exploited - innocent people can be fined (criminalized) just because they were
hacked (and you cannot force people to care about their security just because
we do it most of our lives).

I am completely aware of the fact that most security people (that care about
personal privacy) would consider this law to be a good and necessary one.
Potential advantages of this law are clear to most people, but let's talk
about the negative impact of this "great" EU law:

If you want to have this EU regulation - it means:

- increased expenses for the web application owners, because they need to
change their applications according to this new EU law

- a lot of money from our taxes - because someone in the EU must enforce
this law, check if all websites are compliant with this law,
notify them if not, and finally sue them

This law strongly affects Internet users' freedom -> if most people have no
problem accessing most web sites without specific "cookie" consent and do
it fully voluntarily, you have no moral right to force web application owners
to increase their expenses and change their applications, and to take more
money from taxpayers to enforce this law (which can be quite expensive), just
because you think that these people do not care about their personal privacy
and they should.

I do care about my privacy a lot (and I think other people should care too),
but this EU regulation/law means "global enforcement" for all people (including
those who do not care about their privacy at all, and very often they are
aware of it).

So if someone thinks that people should care about their Internet privacy,
he should use non-invasive ways to promote it (e.g. make security-awareness
videos, web sites, etc.), but he has no moral right to enforce this kind of EU
law for all EU citizens using their taxpayer money, just because he thinks that
people deserve much more privacy.

Imagine this hypothetical situation:

This EU regulation would cost us e.g. one million € every year.

Every EU citizen could decide voluntarily if he wants to pay another 50 cents
for every "safe" web site he accesses where it is guaranteed that he has to
give "explicit consent" for everything, or if he wants to access the "current"
web site where there are no such guarantees (just the reputation of the given
website / website's owners).

And now guess how most people would decide :)

> So vulnerabilities at any web site can be used to expose it to fines in the EU
> due to this law. They can be serious vulnerabilities which led to full
> compromise of the site, or Cross-Site Scripting (both persistent XSS and even
> reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
> possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
> these sites not comply with the new law. So those web sites with IBM Domino
> with multiple XSS and HTTPRS vulnerabilities, which I announced last
> week, are at risk of fines (besides all other risks). So this
> law is a good reason for web sites to improve their security.

But security is often expensive. And if you have a complex website of some
NGO/NPO without any profit, you cannot force them to invest any money in
security. For them it is often more acceptable to have a few hacks per year
and manage them internally than to invest a lot of money to improve their
security.
Security has to be (primarily) cost-effective.

Pavol
-- 
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
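The quoted claim above, that an HTTP Response Splitting (HTTPRS) hole lets an attacker make a site set cookies it never intended to, can be shown concretely. What follows is an added example written for this page, not code from either author or from any product mentioned in the thread: a minimal redirect handler that pastes an untrusted "next" parameter into the Location header, an attacker query string with an encoded CRLF followed by a Set-Cookie line, a browser-style header parser that shows the injected cookie landing in the response, and a hardened variant that refuses CR/LF in header values (the check most current web frameworks apply). The handler, the example.test URL, the query string and the cookie name are all constructed for illustration.

```python
"""Added example (not from the thread): how an HTTP Response Splitting
(CRLF injection) flaw in a redirect handler lets an attacker inject a
Set-Cookie header, and how a hardened header writer refuses the input.
The handler, URL, query string and cookie name are constructed here."""
from urllib.parse import parse_qs


def _render_redirect(target: str) -> bytes:
    """Write a 302 response with 'target' pasted into the Location header.
    Any CR/LF inside 'target' ends that header line and starts a new header
    chosen by whoever controlled the value."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_vulnerable(target: str) -> bytes:
    """The vulnerable handler: no validation of the untrusted value."""
    return _render_redirect(target)


def build_redirect_hardened(target: str) -> bytes:
    """The hardened handler: refuse any value that could terminate a header
    line. Rejecting (rather than silently stripping) keeps the attempt
    visible in application logs."""
    if any(ch in target for ch in ("\r", "\n", "\x00")):
        raise ValueError("refusing to write a header value containing CR, LF or NUL")
    return _render_redirect(target)


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Parse the header block the way a browser would, keeping repeated
    headers (Set-Cookie may legitimately appear more than once)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip().decode("latin-1")
        )
    return headers


def injected_cookies(raw: bytes) -> list[str]:
    """Every Set-Cookie value the response would make the browser store."""
    return parse_headers(raw).get("set-cookie", [])


def hardened_rejects(target: str) -> bool:
    """True if the hardened handler refuses to emit a response for 'target'."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False


# Constructed attacker request: %0d%0a in the 'next' parameter is decoded
# to CRLF by the framework's query parsing before the handler sees it, so
# the value already contains a complete second header line.
ATTACKER_QUERY = (
    "next=https%3A%2F%2Fexample.test%2F"
    "%0d%0aSet-Cookie%3A%20tracking%3Devil%3B%20Path%3D%2F"
)
ATTACKER_TARGET = parse_qs(ATTACKER_QUERY)["next"][0]
BENIGN_TARGET = "https://example.test/"

if __name__ == "__main__":
    vuln = build_redirect_vulnerable(ATTACKER_TARGET)
    print(vuln.decode("latin-1"))
    print("cookies the vulnerable handler sets:", injected_cookies(vuln))
    print("hardened handler rejects the payload:", hardened_rejects(ATTACKER_TARGET))
```

Run stand-alone, the script prints the split response with the attacker's Set-Cookie line sitting between Location and Content-Length, which is exactly the "cookies set silently" case the thread is worried about; the same handler with the benign target sets no cookie at all, and the hardened handler raises on the payload instead of emitting it.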
