Full Disclosure mailing list archives
RE: IE is just as safe as FireFox
From: "joe" <mvp () joeware net>
Date: Fri, 19 Nov 2004 10:51:43 -0500
> Autoconfig script may enumerate hosts which don't require a proxy. Usually there are a very few intranet servers in corporate network.
You should have prefixed "there are very few... " with one of two things:

1. Relative to the internet...
2. In my experience...

I have been on several large corporate networks where there are hundreds or thousands of intranet web servers hosting tens of thousands of sites. Many large enterprise class companies are moving whole hog to web based apps internally (even email) and all available content is on the internal web. This is actually the area where IE is so strongly embedded due to its application interfaces and what MS has been building towards for so long with it.

If you look at this space and compare how Firefox renders/operates next to IE you will see why many companies chose IE as their official browser even in the face of having more exposure due to security. A lot of that depends on how the web site is designed/built but there is a lot of functionality there that can only be reached (and thereby exploited) on IE. There are companies whose primary LOB applications internally are on IIS servers and can only be accessed with IE. In those cases it isn't a simple pick up and replace the browser scenario.
> More, I consider IE feature to ignore proxy for LAN hosts may be dangerous. Imagine a worm which spreads by this algorithm: it launches HTTP service on victim host, lures user at another PC to open URL pointing to victim, then launches on target PC. The fact as previously affected host is situated in Local intranet zone, significantly facilitates worm spreading.
I wouldn't really call that a worm. Worms work without interaction. They are self-propagating/replicating. Malware that spreads that requires user interaction would generally just be called a virus.

Overall trying to push intranet users accessing intranet content through a proxy to sanitize web pages would be unsatisfactory because it couldn't fully be enforced since the content is available right there on the intranet. Someone could do some form of offline gather or use many different tools to get the data so forcing Firefox or IE to go to a specific proxy does nothing for you. You would have to put the intranet servers behind some sort of firewall that you would have to access them through. Plus you obviously have to scale the proxy to a completely different level if processing all intranet requests as well as internet requests.

joe

--
Pro-Choice
Let me choose if I even want a browser loaded thanks!

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Raoul Nakhmanson-Kulish
Sent: Friday, November 19, 2004 5:01 AM
To: Esmond; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] IE is just as safe as FireFox

Hello, Esmond!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html