[WEB SECURITY] Closing web sites due to legislation

Pavol Luptak pavol.luptak at nethemba.com
Thu May 31 17:31:32 EDT 2012

Hi all,

On Wed, May 23, 2012 at 11:55:14PM +0300, MustLive wrote:
> now, but we'll see after 26th of May 2012). But there is another aspect.
> Security aspect of this law.
> There is a connection between EU Cookie Law and security of web sites (this
> is the main reason for writing this article). If a web site is hacked and
> cookies are set for visitors silently (automatically), then this site
> can be fined - even if by default this site is compliant with EU law (asks
> before setting cookies).

That's one of the reasons why I don't like this new EU law. It can be easily
exploited - innocent people can be fined (criminalized) just because they were 
hacked (and you cannot force people to care about their security just because
we do it most of our lives).

I am completely aware of the fact that most security people (that care about
personal privacy) would consider this law to be a good and necessary one.
Potential advantages of this law are clear to most people, but let's talk 
about the negative impact of this "great" EU law:

If you want to have this EU regulation - it means:

- increased expenses for the web application owners, because they need to 
change their applications according to this new EU law 

- a lot of money from our taxes - because someone in the EU must enforce 
this law, check whether all websites are compliant with it, 
notify them if not and finally sue them

This law strongly affects Internet users' freedom -> if most people have no 
problem accessing most web sites without specific "cookie" consent and do 
it fully voluntarily, you have no moral right to force web application owners 
to increase their expenses and change their applications, and to steal more 
money from taxpayers to enforce this law (which can be quite expensive), just 
because you think that these people do not care about their personal privacy 
and they should.

I do care about my privacy a lot (and I think other people should care too), 
but this EU regulation/law means "global enforcing" for all people (including
those who do not care about their privacy at all and are very often
aware of it).

So if someone thinks that people should care about their Internet privacy,
he should use non-invasive ways to promote it (e.g. make security-awareness 
videos, web sites and so on), but he has no moral right to enforce this kind of
EU regulation on all EU citizens using their taxpayer money, just because he
thinks that people deserve much more privacy.

Imagine this hypothetical situation:

This EU regulation would cost us e.g. one million € every year. 

Every EU citizen could decide voluntarily whether he wants to pay an extra 50
cents for every "safe" web site he accesses, where it is guaranteed that he has
to give "explicit consent" for everything, or whether he wants to access the
"current" web site where there are no such guarantees (just the reputation of
the given website / website's owners).

And now guess how the most people would decide :)

> So vulnerabilities at any web site can be used to expose it to fines in EU
> due to this law. These can be serious vulnerabilities which lead to full
> compromise of the site, or Cross-Site Scripting (persistent XSS, or even
> reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
> possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
> these sites not comply with the new law. So those web sites with IBM Domino
> with multiple XSS and HTTPRS vulnerabilities, which I announced last
> week, are exposed to the risk of fines (besides all other risks). So this
> law is a good reason for web sites to improve their security.

But security is often expensive. And if you have a complex website of some
NGO/NPO without any profit, you cannot force them to invest any money in 
security. For them it is often more acceptable to have a few hacks per year 
and manage them internally than to invest a lot of money in improving their
security. Security has to be (primarily) cost-effective.

[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
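The mechanism MustLive refers to above (HTTP Response Splitting letting an attacker make the server itself emit a Set-Cookie header, so a site that asks for consent ends up setting cookies silently) is shown below as an added Python example. It is not code from the original post, from IBM Domino, or from any other product named in the thread: the redirect handler, the "tracking" cookie name and the attacker payload are all constructed here for illustration. The vulnerable builder is deliberately hand-rolled, because CPython's own http.client.putheader() already rejects CR/LF in header values; the hardened variant applies the same rule.

```python
"""HTTP response splitting as a cookie-setting primitive.

Constructed example for the websecurity thread on the EU cookie law. A 302
redirect handler copies a user-controlled target into the Location header.
If the target contains CRLF, the attacker terminates the Location header and
appends a Set-Cookie header of their own, so the *server* sets a cookie the
visitor never consented to. The hardened builder refuses CR/LF outright.
"""
from typing import List, Tuple

CRLF = "\r\n"


def _render_redirect(target: str) -> bytes:
    """Serialise a minimal 302 response; no validation happens here."""
    lines = [
        "HTTP/1.1 302 Found",
        "Location: " + target,  # user input copied verbatim into a header
        "Content-Length: 0",
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable: the attacker-controlled target is used unchecked."""
    return _render_redirect(target)


def build_redirect_hardened(target: str) -> bytes:
    """Hardened: any CR or LF in the header value is refused.

    This is the same rule CPython's http.client.putheader() enforces; a
    server that rejects the request here cannot be made to emit extra headers.
    """
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value (response splitting attempt)")
    return _render_redirect(target)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs the way a browser would,
    skipping the status line and ignoring the body."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.decode("latin-1").split(CRLF)[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def injected_cookies(raw: bytes) -> List[str]:
    """Return every Set-Cookie value the response carries."""
    return [value for name, value in parse_headers(raw) if name == "set-cookie"]


def hardened_rejects(target: str) -> bool:
    """True if the hardened builder refuses this target."""
    try:
        build_redirect_hardened(target)
    except ValueError:
        return True
    return False


# Constructed attacker input: a harmless path, then CRLF and a whole new
# header line. The cookie name "tracking" is an arbitrary placeholder.
ATTACKER_TARGET = "/home" + CRLF + "Set-Cookie: tracking=injected; Path=/"


if __name__ == "__main__":
    vuln = build_redirect_vulnerable(ATTACKER_TARGET)
    print("vulnerable handler emitted cookies:", injected_cookies(vuln))
    print("hardened handler rejects payload:", hardened_rejects(ATTACKER_TARGET))
    print("hardened handler accepts /home:", not hardened_rejects("/home"))
```

Rejecting rather than encoding is the safer choice for a redirect target: percent-encoding the CR/LF would keep the response well-formed but silently hand the visitor a broken URL, whereas a refused request surfaces the attack attempt in the server log. The same cookie-setting outcome is reached through XSS with nothing more than injected script assigning document.cookie, which is why MustLive groups both bug classes under the same compliance risk.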