[13927] in bugtraq
Re: 'cross site scripting' CERT advisory and MS
daemon@ATHENA.MIT.EDU (Alexander Schreiber)
Fri Feb 18 20:05:47 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.21.0002181343480.939-100000@sparta.informatik.tu-chemnitz.de>
Date: Fri, 18 Feb 2000 13:46:41 +0100
Reply-To: Alexander Schreiber <Alexander.Schreiber@INFORMATIK.TU-CHEMNITZ.DE>
From: Alexander Schreiber <Alexander.Schreiber@INFORMATIK.TU-CHEMNITZ.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <38ABE161.BCBBB7D1@jmu.edu>
On Thu, 17 Feb 2000 flynngn@JMU.EDU wrote:
> David LeBlanc wrote:
> >
> > What I recommend specifically for using Outlook (probably also applies to
> > other mail readers using IE as a HTML viewer) is:
> > 1) Set it to run in the Restricted Sites zone
> > 2) Edit the Restricted Sites zone into what I call maximum paranoia mode -
> > turn EVERYTHING off. IIRC, cookies are off to begin with, but this gets
> > them turned off for sure.
>
> Wouldn't it be better to set the Internet zone for high security and
> then set the browser to use the Internet zone? The restricted zone requires
> entering the list of untrusted systems while the Internet zone says
Sorry - but having to specify the list of _untrusted_ systems for a
restricted zone sounds broken to me - this means that by default you trust
everybody, unless specified otherwise. I think the other way around (i.e.
giving a list of _trusted_ systems) is the correct way to go. Or am I
horribly mistaken here?
Regards,
Alex.
--
------------------------------------------------------------------------------
EMail : als@thangorodrim.de | WWW : http://www.thangorodrim.de/
If privacy is outlawed, only outlaws will have | Ceterum censeo Parva Mollia
privacy. (Philip Zimmerman, author of PGP) | esse delendam.
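The default-trust versus default-distrust point made in this exchange, as an added toy model that is not part of the thread: zone names mirror IE's, but the host lists, settings and the matching rules are constructed here for illustration and are not how IE itself evaluates zones.

```python
# Added example (not from the bugtraq thread): a toy model of IE-style security
# zones contrasting a denylist (list untrusted hosts, default "Internet") with an
# allowlist (list trusted hosts, default "Restricted Sites"). All hosts and the
# per-zone settings are constructed sample values.

# Per-zone settings: True means the feature is allowed.
ZONE_SETTINGS = {
    "Trusted Sites":    {"scripting": True,  "cookies": True},
    "Internet":         {"scripting": True,  "cookies": True},   # default zone
    "Restricted Sites": {"scripting": False, "cookies": False},  # "maximum paranoia"
}

def host_matches(host: str, pattern: str) -> bool:
    """'*.example' matches any subdomain of example; a bare name matches exactly."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()          # e.g. ".corp.example"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern.lower()

def zone_for_host_denylist(host: str, untrusted: list) -> str:
    """Default-allow: every host is 'Internet' unless explicitly listed as untrusted."""
    if any(host_matches(host, p) for p in untrusted):
        return "Restricted Sites"
    return "Internet"

def zone_for_host_allowlist(host: str, trusted: list) -> str:
    """Default-deny: every host is 'Restricted Sites' unless explicitly trusted."""
    if any(host_matches(host, p) for p in trusted):
        return "Trusted Sites"
    return "Restricted Sites"

def scripting_allowed(zone: str) -> bool:
    return ZONE_SETTINGS[zone]["scripting"]

if __name__ == "__main__":
    untrusted = ["*.evil.example", "badhost.example"]   # constructed denylist
    trusted = ["*.corp.example"]                        # constructed allowlist
    # A host nobody has listed yet gets scripting under the denylist model only.
    for host in ["mail.corp.example", "www.evil.example", "never-seen.example"]:
        dz = zone_for_host_denylist(host, untrusted)
        az = zone_for_host_allowlist(host, trusted)
        print(f"{host:20} denylist->{dz:16} script={scripting_allowed(dz)!s:5} "
              f"allowlist->{az:16} script={scripting_allowed(az)}")
```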