Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?
This is your opportunity to ask questions. No question too simple or too silly.
Culture war topics are accepted, and proposals for a better intro post are appreciated.
Jump in the discussion.
No email address required.
Notes -
You gotta understand the zero-day market a little to understand how that works.
Ideally, it's impossible for just loading a webpage to do anything bad. Web browsers are massively complex pieces of software though, and they basically all have lots of bugs that render the situation non-ideal. Web browser vendors make active efforts to be aware of any such bugs as quickly as possible, and patch them and get those patches out as quickly as possible, hence things like Chrome's rapid update rate. A "zero-day" bug/exploit basically means a way to escape the web browser sandbox that the browser vendors / security community are not aware of yet. Once they are aware of them, they are often patched within days or hours.
Creating new exploits is very difficult and highly valuable due to how useful they can be against the right targets. But since efforts to discover exploits actively in use and patch the bugs they use are so active, it is also valuable to those who create and own them to not use them too widely - as soon as the right person notices them, they can be patched very fast, making that one worthless. They are generally created by national intelligence agencies, some shady companies and less scrupulous individuals, and may be either sold back to browser vendors, for 5-6 figure sums, or to those companies, criminal gangs, etc for probably similar or higher sums. It is to the benefit of such entities to not use them too widely, since they'll be worthless as soon as the wrong person notices them, so they're usually used in highly targeted attacks against specific individuals, and engineered to not be deployed unless the situation is right. Wider targeting probably only happens as a last-ditch effort to get a little more value out of something already patched, hoping to catch some users who haven't updated their browsers yet with a low-value but wide-net attack.
So ideally just going to a website shouldn't hurt anything, but it's probably good advice not to. Because 1. It does leak some information no matter what, 2. Less sophisticated users, or just people who are tired or distracted, can surprisingly often be tricked into entering credentials into phishing sites, and 3. You never know when you might be targeted for attack by something nasty, or not be the intended target but get it anyways, or just be the guy who had the bad luck to have the browser auto-patch run a little later than usual.
More options
Context Copy link