X-FRAME Denied

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by sending the “X-FRAME-OPTIONS: DENY” response header, which tells the browser not to render the page inside a frame on another site, so an attacker cannot hide its links and buttons under an invisible frame. This sounds like a great step forward, but does it really help that much?

Sending the header is pretty much the best thing a website can do to protect its users from clickjacking, but it certainly does not protect everyone. The header only works if the browser understands it. If you’re using IE 8, Chrome 2, or Safari 4, then you’re probably in good shape. If you’re using an older version of any of these browsers, the header is silently ignored and you remain susceptible to clickjacking. At the time of writing, the latest release of Firefox does not acknowledge the header at all, although Mozilla does plan to recognize it in a future version. In the meantime, Firefox users have the optional NoScript add-on, whose ClearClick feature can help prevent clickjacking.

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacking. The point is that it’s dangerous for them to make claims that aren’t true for many of their visitors. Sending the “X-FRAME-OPTIONS: DENY” header does qualify as improved security, but putting it at the center of security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox or older browsers. Many of them think they are protected from clickjacking when, for them, the header does nothing: they are victims in waiting.
