Re: ASPNET User Problem in Shared Hosting Environment

From: "al" <news@thispartisfake-13c.com>
Date: Fri, 2 Aug 2002 13:24:40 -0700


I am going to go berserk if they put .NET Server out with the FrontPage 2002
Extensions and ASP.NET security flaws. I am almost positive they won't fix
these bugs by .NET Server. Since both require architectural changes I would
think that having them beta tested would be good, but the flaws existed in
the betas. This will be a major test of whether or not Security IS a priority
over Features; it is the whole premise of the change of direction Microsoft
has promised.

I got into the shared hosting with Microsoft Technology business because my
Unix based ISP wouldn't use the FrontPage Extensions due to the insecurity.
I used to think they were just bitter and whining. However now I understand
the bitterness when other companies move forward with the latest and
greatest, but we don't and can't because we aren't into placating customers
with half truths.

One of the sad things is that sometimes I get the impression that what some
of the engineers at MS are really saying between the lines is: yes, we know
there are problems, and you don't know half of them. I understand that
situation, but somehow I will never be satisfied with the fact that widely
known security holes are ignored for so long in today's environment. A
horrible truth is that VS.NET uses the FrontPage Extensions for ASP.NET
development, so the folly goes hand in hand.

Both of these flaws can be solved by MS in a simple way: define the
anonymous user for each site and let ASP.NET and FPSE use the settings from
the metabase or web.config instead of using vague all-inclusive
groups/users. Part of their own best practices for shared hosting includes
different anonymous users for each virtual server, yet they failed to
implement this architecture in ASP.NET. Explicit permissions are a good
thing. We can never really have security until this criterion is met.
Otherwise the door is wide open for innumerable yet-to-be-imagined hacks.

All the current security features and granularity are worthless in ASP.NET
if the security architecture is flawed in such a fundamental way.

Mr Snorkel, don't tell me you are afraid they will cancel your MSDN? :?

--
al.NETisNOTsecureforsharedhosting
It's not my website it's me dammit!
"Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message
news:bf7d325e.0208012005.5dfdc426@posting.google.com...
> It *is* incredibly frustrating. We too have pursued the issue of
> FrontPage's unstoppable ACL meddling, and responses have been as
> insouciant as with the ASP.NET process problem.
>
> I doubt that the Trusted Computing is 'pure' BS, in that I know there
> have been enormous efforts put in by MS developers to fix current
> security problems and forestall future ones. But there's clearly a
> deep misunderstanding on their part -- they think that they can build
> trust purely by setting technical objectives, working hard to try and
> meet them, and then handing the results over to the marketing people.
> I've no doubt they'll fix the ASP.NET issue, probably in .NET Server.
> But of course technical hubris is not enough. To be trusted, you have
> not only to be technically good, but also trustworthy in character. MS
> individuals cannot be the latter, because they'd lose their jobs if
> they were, and the corporation clearly has not yet made the strong
> ethical decision to be a corporate entity worthy of our trust.
>
> On this point the facts speak for themselves with the utmost clarity:
>
>   * ASP.NET is not, in its current form, suitable for shared hosting.
>   * Microsoft know and understand this
>   * Microsoft are keeping publicly quiet about the fact (see how
>     quickly Ben Miller disappeared from this thread!)
>   * Microsoft are still actively *promoting* the use of ASP.NET on
>     shared hosting platforms (see the 'Web Hosting' link in VS.NET).
>
> This is a betrayal of the public's trust, but also of Hosters. I know
> for a fact that several of the latter don't know about the ASP.NET
> issue (if they did, it wouldn't be possible to get an ASP.NET hosting
> account with them and get the scary access to their systems that is
> possible now -- this includes some very large, very well-known
> hosters). MS certainly is not telling them. Why not?
>
> btw Al, I can't quite accept your kudos. Notice that I'm posting
> anonymously ;)
>
>
>
>
> "al" <news@thispartisfake-13c.com> wrote in message
> news:<eGcHTGZOCHA.2224@tkmsftngp09>...
> > I meant mad props to MR Snorkel!
> >
> > --
> > al.NET
> > It's not my website it's me dammit!
> > "al" <news@thispartisfake-13c.com> wrote in message
> > news:OxLa12YOCHA.1736@tkmsftngp13...
> > > Well, Well, Well,
> > > This is so damn frustrating. I have been screaming at Microsoft and
> > > Newsgroups about a similar issue with the FrontPage 2002 Extensions'
> > > use of the Network and Interactive groups. For over a year. Apparently
> > > the trustworthy computing thing is Pure BS because they are completely
> > > aware of these problems. They are completely aware that it is IIS
> > > exploits (second only to mail client vulnerabilities) that have got
> > > them this bad reputation. But they continue down the same path of
> > > features over security.
> > >
> > > First a bunch of toadies on the newsgroups will say:
> > > "no that can't be the case...", then you call MS and they try to
> > > convince you it is not the case with a low level flunkey. Then finally,
> > > if you feel like wasting your time because for some fool reason you
> > > have staked your career on providing shared hosting with Microsoft
> > > technology, you may get to someone at MS who says, "we admit it is a
> > > problem and it will be addressed in a future release."
> > >
> > > Meanwhile your paranoia grows...
> > >
> > > But it is clear that secure shared hosting is not a priority, in fact
> > > it has got to be last on the list. Except in the Marketing department.
> > >
> > > And full mad props to you Arild for keeping your socks up! The rest of
> > > you toadies better make some noise or MS will keep ignoring this issue.
> > > Remember they do respond to customer pressure and public humiliation.
> > >
