[14922] in bugtraq
Re: "ClientSideTrojan" bug
daemon@ATHENA.MIT.EDU (Magosanyi Arpad)
Tue May 16 17:11:47 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Message-Id: <20000516135056.A2099@bunuel.tii.matav.hu>
Date: Tue, 16 May 2000 13:50:56 +0200
Reply-To: Magosanyi Arpad <mag@BUNUEL.TII.MATAV.HU>
From: Magosanyi Arpad <mag@BUNUEL.TII.MATAV.HU>
X-To: Kragen Sitaker <kragen@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.21.0005092132330.12345-100000@kirk.dnaco.net>; from
kragen@POBOX.COM on Tue, May 09, 2000 at 10:15:23PM -0400
Content-Transfer-Encoding: 8bit
Hi!
There is a hypothetical solution to the ClientSideTrojan bug:
Create a mechanism which assigns security labels to the webpages,
and enforce an access control policy based on the security labels.
Maybe a policy of "one can acces a web page iff his current label
equals the label of the webpage" would be a safe bet.
It is still a client-side (mostly) solution, but in most cases
the attacked resource is also "owned" by the client.
I don't exactly know how such a mechanism could be safely implemented with the
current technology. But I have ideas.
Iff the client is using a web proxy for all http accesses, the web proxy
could enforce the policy, based on its assignment of labels and some
mechanism to change current security label.
There are more possible mechanisms to change and communicate the security label:
1. In the browser/http header. There is a menu where you can change it,
and the browser could generate a http request header
communicating it. I would like it, but it sounds a
bit idealistic right now. (But seems easy to immplement)
2. Through a cookie. It uses a currently available technique, but
the browser should accept cookies which to be sent to
everyone, which is Bad Thing(TM)
3. Through the proxy. There could be some level-changing mechanism
(e.g. a webpage on the proxy server), and no one would
know about the label but the proxy (or it could communicate
it in the same way as #1, for the web servers who care.)
There is a mailing list to talk about communicating security labels using
existing (and new) protocols. We have created it ages before, but this is
the first announcement of it.
If you are interested in using internet protocolls in a trusted environment,
if you have ideas how to do it, please join the mailing list.
It is at:
ml-proto@lists.balabit.hu
http://lists.balabit.hu/mailman/listinfo/ml-proto
Thanks to BalaBit (author of syslog-ng) for providing the service.
--
GNU GPL: csak tiszta forrásból
