Re: Corporate policies on web mail services like Hotmail?

From: those who know me have no need of my name <not-a-real-address@usa.net>
Date: 06 Dec 2002 03:47:21 GMT

in comp.security.misc i read:

>I am an infosec type at a US corporation and have been asked for some
>input into whether we should be allowing users of our network to access
>webmail servers like YahooMail and HotMail. On the one hand, I see the
>risks - filters for JavaScript and HTML are not perfect and may result in
>code being executed on the client. Attachments in webmail messages are
>not processed by the gateway virus checker we have in place. On the other
>hand, are these risks that much greater than those posed by users visiting
>any other web site?

the difference being that hotmail and yahoo webmail are targeted, whereas
j.random web site isn't. popular web sites are also targeted, but most
often they are defaced rather than subverted. (note that i say `most
often'.)

if you want to allow your employees to conduct their personal business on
company time (and there are many that believe this is a good thing) and you
can interpose a pop3 proxy that can perform the scanning you would for
company mail then you might consider requiring them to use pop3 access
instead, which means they'd need to pay a bit for the upgraded service.
(hmm, actually i'm not sure that hotmail still has that option.)

-- 
bringing you boring signatures for 17 years

