Subject: Re: Evil Cookies.
From: Tim Adam (tma OSA.COM.AU)
Date: Tue Feb 08 2000 - 17:11:40 CST
- Next message: Craig Brozefsky: "Re: Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0"
- Previous message: Julian Midgley: "Zeus Web Server: Null Terminated Strings"
- Maybe reply: Tim Adam: "Re: Evil Cookies."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
>
> > (Consider domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.
A similar problem existed in WPAD (Web Proxy Auto-Discovery)
for IE 5.0: see MS Security Bulletin MS99-054 at
http://www.microsoft.com/technet/security/bulletin/ms99-054.asp
The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.
Tim.
--
Tim Adam Tim.Adamosa.com.au http://www.osa.com
Software Development Engineer Phone: +61 3 9895 2199
Open Software Associates Ltd. Box Hill VIC Australia
Proven Solution Deployment for the Global Enterprise
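The "walk up the DNS hierarchy" behaviour Tim describes for MS99-054, modelled as an added example that is not code from the post or from any browser: it lists the lookups a naive WPAD walk would issue for a host, shows which of them fall outside the organization's boundary, and applies the fix of stopping at that boundary. The host names and the short suffix table are constructed for illustration.

```python
# Added example, not code from the original post. It models the "walk up
# the DNS hierarchy looking for wpad" behaviour described for MS99-054 and
# shows which lookups cross the organization's boundary. Host names and
# the suffix table below are constructed for illustration.

# Constructed stand-in for a public-suffix list: parents under which no
# single organization has authority. A real check would load the full
# Public Suffix List instead of this short table.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "uk", "co.uk"}


def wpad_candidates(fqdn):
    """Naive discovery order: drop the host label, then query wpad.<parent>
    for every successive parent, all the way to the top-level domain."""
    parents = fqdn.lower().rstrip(".").split(".")[1:]
    cands = []
    while parents:
        cands.append("wpad." + ".".join(parents))
        parents = parents[1:]
    return cands


def org_boundary(fqdn):
    """Shortest suffix of fqdn that is not a public suffix, i.e. the
    registrable domain the organization actually controls."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        parent = ".".join(labels[i:])
        if parent not in PUBLIC_SUFFIXES:
            return parent
    return None


def leaked_queries(fqdn):
    """Candidates the naive walk would send to names the organization
    does not control: exactly the lookups MS99-054 needed to stop."""
    boundary = org_boundary(fqdn)
    return [c for c in wpad_candidates(fqdn)
            if boundary is None or not c.endswith("." + boundary)]


def safe_queries(fqdn):
    """The fixed behaviour: stop the walk at the organization's boundary."""
    leaked = set(leaked_queries(fqdn))
    return [c for c in wpad_candidates(fqdn) if c not in leaked]


if __name__ == "__main__":
    for host in ("pc1.dev.osa.com.au", "www.example.co.uk"):
        print(host, "->", safe_queries(host), "| leaked:", leaked_queries(host))
```

The same boundary test is the one a browser needs for cookie "domain of influence" decisions in the quoted thread: a cookie scoped at or above the public suffix is as untrustworthy as a wpad host found there.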