Vulnerability Development mailing list archives
RE: Winnt/Win2k Vuln ?
From: "David Schwartz" <davids () webmaster com>
Date: Sat, 11 Aug 2001 21:51:13 -0700
Louis-Eric Simard wrote:
> The major distinction here should be one of action-domain constraints;

Exactly.

> As we are limited by the fact that the shoddy name space is now prevalent, then context needs to be taken into account. As one types in a URL without specifying the underlying protocol (http:// or file://), there should be no ambiguity that the expected protocol is http, just as we do not naturally expect file system requests to be carried over the web. The fix is in filling-in missing protocol details, within logical usage contexts, before the request allocator gets a chance to goof it up.
For the record, I have submitted complaints/requests to the coders of both IE and Netscape arguing that, for example, 'ftp.microsoft.com' should be interpreted as 'http://ftp.microsoft.com' and not 'ftp://ftp.microsoft.com' (and analogously, the browser should not try to figure out what the user meant (ESP?) but should have a consistent default). I was basically laughed at by both Microsoft and Netscape.

I don't think it's unreasonable to have different operating modes where different defaults take place. For example, when acting as a 'file manager', file:// can be the default protocol. However, IMO, in ALL cases, the fully-qualified URL of the site/file you wind up at MUST be shown to the user. It is a serious error to abbreviate the displayed URL as IE does. I do not believe Netscape does this.

DS
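The following is an added example, not part of the original message and not any browser's code. It sketches the mode-based default both posters describe (the operating mode alone fills in a missing scheme, and the fully-qualified result is what gets loaded and displayed) beside the hostname-guessing behaviour the message objects to. The names `resolveTyped`, `guessFromHostname`, the mode names, and the choice to refuse drive paths in web mode are assumptions.

```javascript
// Added illustration; resolveTyped, guessFromHostname and the mode names are hypothetical.
const DEFAULT_SCHEME = { web: 'http', fileManager: 'file' };

// Only "scheme://" counts as the user having specified a protocol (assumption),
// so "example.com:8080" and a drive path are not mistaken for schemes.
const EXPLICIT = /^[A-Za-z][A-Za-z0-9+.-]*:\/\//;
const DRIVE_PATH = /^[A-Za-z]:[\\/]/;

// Returns the fully-qualified URL to load and display, or null if unparsable.
function canonical(text) {
  try { return new URL(text).href; } catch (e) { return null; }
}

// Consistent default: the mode alone decides the missing scheme, never the hostname.
function resolveTyped(input, mode) {
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_SCHEME, mode)) {
    throw new Error('unknown mode: ' + mode);
  }
  const text = input.trim();
  if (EXPLICIT.test(text)) return canonical(text);
  if (mode === 'fileManager') {
    const path = text.replace(/\\/g, '/').replace(/^\/+/, '');
    return canonical(DEFAULT_SCHEME.fileManager + ':///' + path);
  }
  // Web mode: a drive path is a file-system request; refuse it rather than
  // let it be parsed as host "c" over http (assumed policy).
  if (DRIVE_PATH.test(text)) return null;
  return canonical(DEFAULT_SCHEME.web + '://' + text);
}

// The behaviour objected to: guessing the protocol from how the hostname looks.
function guessFromHostname(input) {
  const text = input.trim();
  if (EXPLICIT.test(text)) return canonical(text);
  const scheme = /^ftp\./i.test(text) ? 'ftp' : 'http';
  return canonical(scheme + '://' + text);
}

// Constructed sample inputs.
const samples = [['ftp.microsoft.com', 'web'],
                 ['C:\\temp\\notes.txt', 'fileManager'],
                 ['C:\\temp\\notes.txt', 'web']];
for (const [typed, mode] of samples) {
  console.log(mode, JSON.stringify(typed), '->', resolveTyped(typed, mode));
}
console.log('guess', guessFromHostname('ftp.microsoft.com'));
```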