Re: More Internet Explorer zone confusion
Christopher Masto (chris NETMONGER.NET)
Tue, 9 Mar 1999 01:59:08 -0500
- In reply to: Paul Leach: "Re: More Internet Explorer zone confusion"
Is this intranet zone thing _really_ of any value? Why is there a built-in default assumption that something from a "local" server is more trustworthy? Consider the following situations:

1. A customer of your ISP, netmonger.net, is evil. They have a page that links or redirects to http://www/~evil/evil.html, taking advantage of the fact that your machine is configured with your ISP's domain in the search list.

2. You go to school at RPI. You have a dorm ethernet connection. Your machine is naive.dorm.rpi.edu, and you have dorm.rpi.edu in your domain search list. An evil person gets evil.dorm.rpi.edu, and you know the rest.

3. You work at Giganticorp and have access to high-level trade secrets. Giganticorp has an intranet where employees can put up their own web pages. An evil employee takes advantage of the default security settings to gain access to your secrets, which he sells to the competition.

Numbers 1 and 2 ask the question, "Why are we assuming that a non-qualified host name implies intranet implies trust?" Number 3 asks the question, "Why are we assuming that intranet implies trust?"

Another question is "How many people who use IE have no intranet?" Considering that there are a quantity of tools available to deploy IE at your company with preconfigured settings, why not default to not having this intranet zone? If Giganticorp needs to turn down the security, they can do so at the same time they're customizing the rest of the settings.

I don't personally use Microsoft products, and I am not quite familiar with the specific security precautions that are disabled for the intranet zone, but if they're enough to cause concern on the Internet, the same problems can occur even when the browser isn't malfunctioning at all.

--
Christopher Masto
Director of Operations
NetMonger Communications
chrisnetmonger.net
info netmonger.net
http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
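
Added example, not part of the original message: a small Python audit that compares the "non-qualified host name implies intranet" rule the message questions with a zone decision based on an explicit list of trusted hosts, using situations 1 and 2 above. The function names, the simplified search-list model and the sample host sets are constructed assumptions for illustration, not Internet Explorer's actual code.

```python
from urllib.parse import urlsplit


def zone_by_dotless_name(url):
    """Rule questioned in the message: a host name without dots is 'intranet'."""
    host = urlsplit(url).hostname or ""
    return "intranet" if host and "." not in host else "internet"


def expand(host, search_list):
    """Candidate FQDNs for a name under a domain search list (simplified model)."""
    if "." in host:
        return [host]
    return [f"{host}.{suffix}" for suffix in search_list]


def zone_by_allowlist(url, search_list, trusted_hosts, resolves):
    """Trust only when the FQDN the name actually expands to is explicitly listed."""
    host = (urlsplit(url).hostname or "").lower()
    for fqdn in expand(host, search_list):
        if fqdn in resolves:  # first existing candidate wins, as with a search list
            return "intranet" if fqdn in trusted_hosts else "internet"
    return "internet"


def audit(urls, search_list, trusted_hosts, resolves):
    """URLs the dotless rule would trust although the resolved host is not listed."""
    return [u for u in urls
            if zone_by_dotless_name(u) == "intranet"
            and zone_by_allowlist(u, search_list, trusted_hosts, resolves) != "intranet"]


# Constructed sample data modelled on situation 2 (dorm network).
DORM_SEARCH = ["dorm.rpi.edu"]
DORM_RESOLVES = {"evil.dorm.rpi.edu", "naive.dorm.rpi.edu"}
DORM_TRUSTED = {"naive.dorm.rpi.edu"}  # only the user's own machine
DORM_URLS = ["http://evil/page.html", "http://naive/", "http://www.freebsd.org/"]

# Constructed sample data modelled on situation 1 (ISP customer, no intranet at all).
ISP_SEARCH = ["netmonger.net"]
ISP_RESOLVES = {"www.netmonger.net"}
ISP_TRUSTED = set()
ISP_URL = "http://www/~evil/evil.html"

if __name__ == "__main__":
    print(audit(DORM_URLS, DORM_SEARCH, DORM_TRUSTED, DORM_RESOLVES))
    print(audit([ISP_URL], ISP_SEARCH, ISP_TRUSTED, ISP_RESOLVES))
```

Trust in this sketch is decided per host, so it does not separate users who share one web server, and it does not address situation 3, where the untrusted page really is on the intranet.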