RE: Winnt/Win2k Vuln ?

From: Louis-Eric Simard (Louis-Eric@Simard.com)
Date: 08/12/01


Message-Id: <5.0.2.1.0.20010812023549.039490d0@getmail.simard.com>
Date: Sun, 12 Aug 2001 02:49:05 -0400
To: <vuln-dev@securityfocus.com>
From: Louis-Eric Simard <Louis-Eric@Simard.com>
Subject: RE: Winnt/Win2k Vuln ?

At 09:51 PM 11/08/2001 -0700, David Schwartz wrote:

>Louis-Eric Simard wrote:
>
> > The major distinction here should one of action-domain constraints;
>
> Exactly.
>
> > As we are limited by the fact that the shoddy name space is now
> > prevalent,
> > then context needs to be taken into account. As one types in a
> > URL without
> > specifying the underlying protocol (http:// or file://), there
> > should be no
> > ambiguity that the expected protocol is http, just as we do not naturally
> > expect file system requests to be carried over the web. The fix is in
> > filling-in missing protocol details, within logical usage
> > contexts, before
> > the request allocator gets a chance to goof it up.
>
> For the record, I have submitted complaints/requests to the
> coders of both
>IE and Netscape arguing that, for example, 'ftp.microsoft.com' should be
>interpreted as 'http://ftp.microsoft.com' and not 'ftp://ftp.microsoft.com'
>(and analogously, the brower should not try to figure out what the user
>meant (ESP?) but should have a consistent default). I was basically laughed
>at by both Microsoft and Netscape.
>
> I don't think it's unreasonable to have different operating modes
> where
>different defaults take place. For example, when acting as a 'file manager',
>file:// can be the default protocol. However, IMO, in ALL cases, the
>fully-qualified URL of the site/file you wind up at MUST be shown to the
>user. It is a serious error to abbreviate the displayed URL as IE does. I do
>not believe Netscape does this.
>
> DS

Right. The other consequence of the muddled/"guessed" semantics is that
misspelled, URL-less filenames (those, by lieu of their misspelling, not
found on the drive), end up as keyword queries (in IE, to
auto.search.msn.com; in Netscape, in a less ususal scenario [eg, mistyping
in a way that causes the filename period to be missing]) transmitted in the
clear, opening up some privacy/confidentiality/security problems.

Having distinct access tools for distinct information domains solves, on
the surface, this problem (less so when you bring plug-ins, web-enriched
directories, shared protocols, etc. into the picture), but limits the
possibilities for conversant data access; going for multi-domain access
using unified tools requires that some intelligence be injected into the
process. Both cases would require more responsible engineering than what we
have now.

Cheers,

  + Louis-Eric Simard
    The Freedom Factory, Inc.



Relevant Pages

  • links open the wrong browser
    ... An old version of Netscape. ... I recently installed Firefox, and use it as the primary internet ... pops up the Netscape browser. ... 'Call to Protocol', ...
    (microsoft.public.windowsxp.general)
  • email links open with the wrong browser
    ... An old version of Netscape. ... I recently installed Firefox, and use it as the primary internet ... pops up the Netscape browser. ... 'Call to Protocol', ...
    (microsoft.public.windowsxp.basics)
  • Re: links open the wrong browser
    ... > 1) An old version of Netscape. ... If I access a link to a URL from Firefox, ... > pops up the Netscape browser. ... > 'Call to Protocol', ...
    (microsoft.public.windowsxp.general)