[owasp-intrinsic-security] Microsoft Web Sandbox

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu Jan 29 12:09:12 EST 2009


You're going to have to pony up an answer here. You're suggesting that
they're testing out the practicality of doing something in a
platform that has X more features and Y more capabilities than the goal
platform. It's like saying, "I'm testing the effectiveness of killing a
deer with a sniper rifle", when in the real-life scenario all you're
going to have is your bare hands. No __defineSetter__ in WPF, am I
missing something?

Arshan

-----Original Message-----
From: Robert Hansen [mailto:robert at sectheory.com] 
Sent: Thursday, January 29, 2009 11:52 AM
To: Arshan Dabirsiaghi; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox


Again, think logic, don't think Silverlight.  This isn't about
Silverlight, they're just using that as a test platform.

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299

-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi at aspectsecurity.com] 
Sent: Thursday, January 29, 2009 7:27 AM
To: Robert Hansen; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox

I doubt a Silverlight solution can reliably be translated to JavaScript.
There's a huge difference between the capabilities of a Silverlight
client plugin and traditional ECMA, and we should be fighting against
proprietary solutions. And FTR, mashup security is the biggest picture,
at least IMO, but AFAIK IANAL BBQ.
 
Arshan
 
________________________________

From: Robert Hansen [mailto:robert at sectheory.com]
Sent: Wed 1/28/2009 11:57 PM
To: Arshan Dabirsiaghi; me at alexsmolen.com;
owasp-intrinsic-security at lists.owasp.org
Subject: RE: [owasp-intrinsic-security] Microsoft Web Sandbox


Not to speak on behalf of MS on this one but the whole point of this
project is to test the practicality of transporting the logic into a
future version of the browser.  I talked with the head developer for
this project (also one of the head devs for the original versions of all
the major scripting versions within IE - that's no coincidence).  He's a
smart dude.  This isn't at all about Silverlight or mashups, there's a
much bigger picture here - think content restrictions.

**sent from cell phone**

Robert Hansen, CISSP
CEO -- SecTheory LLC
Cell: (530) 521-2542
FAX: (512) 628-6299

-----Original Message-----
From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Sent: Wednesday, January 28, 2009 8:13 PM
To: me at alexsmolen.com <me at alexsmolen.com>;
owasp-intrinsic-security at lists.owasp.org
<owasp-intrinsic-security at lists.owasp.org>
Subject: Re: [owasp-intrinsic-security] Microsoft Web Sandbox

I think this is a cool but wrong approach. I think we need to build a
sandbox policy for JavaScript and anything else is a hack, frankly.
Something standardized by ECMA.
 
Does anyone think a Silverlight plugin is going to solve mashup
security? Not to pooh pooh this, I'm sure this research is generating a
lot of awesome information, but we need a comprehensive solution.
 
Arshan

________________________________

From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of Alex
Smolen
Sent: Wed 1/28/2009 7:57 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] Microsoft Web Sandbox


Did you all see this?

http://livelabs.com/web-sandbox/

It's an attempt to add a security layer onto the web platform and
support mashups. It looks like it's driven through Silverlight.

Alex


