NFR Wizards Archive: Re: HTTP in practice

Re: HTTP in practice


Marcus J. Ranum (mjrnfr.net)
Tue, 23 Sep 1997 23:50:11 +0000


> Hmmm. Any examples of what you'd consider one of these "bad URLs" to look
> like? We try to be pretty friendly URL-wise.

URLs with '|', ';', '>', '..', '*' and other metacharacters
are probably not a good idea.

I'll tread on dangerous ground here by admitting that
I've never read the HTTP standards to see if those are
legitimate components of a URL. In a sense it doesn't
matter, though, because the presence of those
metacharacters is a danger sign and indeed there
have been several security flaws related to servers and
browsers incorrectly handling them. So a firewall might
decide to do the smart thing by zapping them out of
the URL in some manner.

> > You could do something like encode your data
> >in a "harmless" encoding that the firewall won't look into.

I was thinking of encryption when I wrote the preceding. :)
If I were an application developer writing something that
I didn't want people's firewalls to mess with, I think I'd make
it encrypt its data or uuencode it or something.

> And, of
> course, we thought we were being good citizens using application/x-eRoom
> rather than, say, image/gif.

Yes, I think you win a good citizenship award for that.
It means, however, that (unless your mystery app is very
cool and useful, and wotnot) someone will be ordered
by management to screen that mime type at the firewall.
But hopefully (if your mystery app is very cool and
useful) they'll be a minority.

> What I was really asking was more akin to: How often can exceptions be
> expected in (for instance) proxy rules such that may allow <OBJECT> tags
> from a particular host?

Very hard to answer. It really depends on how cool and
useful your mystery app is!

From a security perspective that is the reality we deal with:
security takes second place to cool and useful. It often
comes in behind merely cool. Heck, the web wouldn't
have happened the way it did if security wonks' objections
had not been ruthlessly crushed by senior managers
surfin' on a wave of hype... I remember the pitiful screams
of the firewall managers of yore: "http sucks! ftp is good
enough..!" I was one of them. The fact that we were right
is moot.

> (I know ActiveX is seen as a great evil. In fact, I don't entirely
> disagree, especially when it concerns downloading controls over the 'Net.
> I'll just reiterate, we don't download ActiveX. Our components are
> pre-installed. As such, we're basically in the same boat as any other
> COM-based object on a Windows system. For whatever benefit that may be
> worth.)

Well it's a good thing and it may help you -- but right now I
think ActiveX has a "perception problem" that may bite you.
Or at least it'll chew on you a little. Maybe this is something
you can address in your marketing? ("secure local loading
of ActiveX applets makes them tamper proof against attack
over the Internet")
 
> And this goes along with my question to some degree. Do we face a greater
> obstacle because we're browser- and web-server-based, rather than if we had
> crafted our own server and protocol and released proxy code?

I'd say definitely you're better off. If you wrote your own thing
from scratch you'd still have resistance from people AND it'd
be harder for them to play with. In today's industry, where everyone
has a nanosecond attention span, easy to play with rates higher
on the product survival value scale than security.

> (None of this is to say I don't understand. I responded an ardent "No" to
> requests to make ICQ available recently, for instance.)

Ditto. I couldn't see how they do the bit where they send a URL
to someone and it pops their browser. It might be possible to
trigger someone to go to a page with a hostile activeX applet
or something, automatically.

There's a subtle (and pernicious) security implication hidden
in things like ICQ: all the users are on Windows. If you're a Bad Guy
and you're going after someone on ICQ you can be about 90%
certain they're on W95. 8% certain it's NT. Solves a lot of the
portability problems in writing attack applets. I'm starting to get
crazy in my old age and am increasingly afraid that the Windows
juggernaut is going to kill us through lack of biodiversity against
future bugs and worms.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
<A HREF=http://www.clark.net/pub/mjr>Personal</A>
<A HREF=http://www.nfr.net>Work</A>
<A HREF=http://www.clark.net/pub/mjr/websec>New Book!!</A>
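The two points above that a firewall author would act on, flagging URLs that carry shell metacharacters or '..', and the observation that an application can hide its data from the firewall behind a "harmless" encoding, are illustrated by the following added example. It is not code from the message, from NFR, or from any product mentioned in the thread. It assumes a small metacharacter set built from the characters the message lists plus a few shell neighbours, and it contrasts a literal scan of the raw URL with a check that percent-decodes (repeatedly, to catch double encoding) and resolves '..' segments before looking:

```python
from urllib.parse import unquote, urlsplit

# Added example, not from the original post. The character set is an assumption:
# the metacharacters named in the message ('|', ';', '>', '*') plus common shell
# neighbours; '..' is handled separately as a path-segment check.
META_CHARS = frozenset("|;<>*&`$\n\r\x00")


def naive_is_bad(url: str) -> bool:
    """Literal scan of the raw URL string, the simplest form of firewall rule."""
    return any(c in META_CHARS for c in url) or ".." in url


def fully_decode(s: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so %7C and %257C both yield '|'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def escapes_root(path: str) -> bool:
    """Resolve '.' and '..' segments as a server would; True if '..' climbs above '/'."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_url(url: str) -> list[str]:
    """Return the reasons a URL looks dangerous; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(url)
    for where, raw in (("path", parts.path), ("query", parts.query)):
        decoded = fully_decode(raw)
        hits = sorted({c for c in decoded if c in META_CHARS})
        if hits:
            # A hit absent from the raw text only appeared after decoding: the
            # "harmless encoding" case a literal scan does not see.
            tag = " (percent-encoded)" if any(c not in raw for c in hits) else ""
            reasons.append(f"metachar in {where}{tag}: {''.join(hits)!r}")
    path = fully_decode(parts.path)
    if ".." in path:
        reasons.append("dot-dot in path")
    if escapes_root(path):
        reasons.append("path escapes document root")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    samples = [
        "http://host/cgi-bin/finger?user=bob",
        "http://host/cgi-bin/finger?user=bob|cat%20/etc/passwd",
        "http://host/cgi-bin/finger?user=bob%7Ccat",
        "http://host/%252e%252e/%252e%252e/etc/passwd",
        "http://host/docs/../index.html",
    ]
    for u in samples:
        print(f"{u}\n  naive: {naive_is_bad(u)}  decoded: {inspect_url(u)}")
```

The third and fourth samples are the ones that matter: a literal scan passes them, because the '|' and the '..' only exist after one or two rounds of percent-decoding, which is exactly the kind of encoding trick the message says an application (or an attacker) could use to keep a firewall from looking. The last sample shows why "contains '..'" and "escapes the root" are worth reporting separately: a filter that only does the former will block harmless relative paths as well.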



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT