Vulnerability Development mailing list archives
RE: Winnt/Win2k Vuln ?
From: Louis-Eric Simard <Louis-Eric () Simard com>
Date: Sun, 12 Aug 2001 02:49:05 -0400
At 09:51 PM 11/08/2001 -0700, David Schwartz wrote:
Louis-Eric Simard wrote: > The major distinction here should one of action-domain constraints; Exactly. > As we are limited by the fact that the shoddy name space is now > prevalent, > then context needs to be taken into account. As one types in a > URL without > specifying the underlying protocol (http:// or file://), there > should be no > ambiguity that the expected protocol is http, just as we do not naturally > expect file system requests to be carried over the web. The fix is in > filling-in missing protocol details, within logical usage > contexts, before > the request allocator gets a chance to goof it up.For the record, I have submitted complaints/requests to the coders of bothIE and Netscape arguing that, for example, 'ftp.microsoft.com' should be interpreted as 'http://ftp.microsoft.com' and not 'ftp://ftp.microsoft.com' (and analogously, the brower should not try to figure out what the user meant (ESP?) but should have a consistent default). I was basically laughed at by both Microsoft and Netscape.I don't think it's unreasonable to have different operating modes wheredifferent defaults take place. For example, when acting as a 'file manager', file:// can be the default protocol. However, IMO, in ALL cases, the fully-qualified URL of the site/file you wind up at MUST be shown to the user. It is a serious error to abbreviate the displayed URL as IE does. I do not believe Netscape does this. DS
Right. The other consequence of the muddled/"guessed" semantics is that misspelled, URL-less filenames (those, by lieu of their misspelling, not found on the drive), end up as keyword queries (in IE, to auto.search.msn.com; in Netscape, in a less ususal scenario [eg, mistyping in a way that causes the filename period to be missing]) transmitted in the clear, opening up some privacy/confidentiality/security problems.
Having distinct access tools for distinct information domains solves, on the surface, this problem (less so when you bring plug-ins, web-enriched directories, shared protocols, etc. into the picture), but limits the possibilities for conversant data access; going for multi-domain access using unified tools requires that some intelligence be injected into the process. Both cases would require more responsible engineering than what we have now.
Cheers, + Louis-Eric Simard The Freedom Factory, Inc.
Current thread:
- Re: Winnt/Win2k Vuln ?, (continued)
- Re: Winnt/Win2k Vuln ? martin . goudreault (Aug 10)
- Re: Winnt/Win2k Vuln ? Meritt James (Aug 10)
- RE: Winnt/Win2k Vuln ? David Schwartz (Aug 10)
- Re: Winnt/Win2k Vuln ? Meritt James (Aug 10)
- Re: Winnt/Win2k Vuln ? Ben Ford (Aug 10)
- Re: Winnt/Win2k Vuln ? Kevin Gagel (Aug 10)
- Re: Winnt/Win2k Vuln ? Meritt James (Aug 10)
- Re: Winnt/Win2k Vuln ? martin . goudreault (Aug 10)
- Re: Winnt/Win2k Vuln ? Ben Ford (Aug 10)
- RE: Winnt/Win2k Vuln ? David Schwartz (Aug 11)
- RE: Winnt/Win2k Vuln ? Louis-Eric Simard (Aug 12)
- RE: Winnt/Win2k Vuln ? David Schwartz (Aug 12)
- RE: Winnt/Win2k Vuln ? Louis-Eric Simard (Aug 12)
- RE: Winnt/Win2k Vuln ? David Schwartz (Aug 11)
- Re: Winnt/Win2k Vuln ? sween (Aug 13)
- Re: Winnt/Win2k Vuln ? J. Bol (Aug 14)