[9858] in bugtraq
Re: More Internet Explorer zone confusion
daemon@ATHENA.MIT.EDU (Christopher Masto)
Tue Mar 9 16:32:49 1999
Mail-Followup-To: BUGTRAQ@netspace.org
Date: Tue, 9 Mar 1999 01:59:08 -0500
Reply-To: Christopher Masto <chris@NETMONGER.NET>
From: Christopher Masto <chris@NETMONGER.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <CB6657D3A5E0D111A97700805FFE65870B48DEEA@RED-MSG-51>; from Paul Leach on Mon, Mar 08, 1999 at 11:58:55AM -0800
Is this intranet zone thing _really_ of any value? Why is there a
built-in default assumption that something from a "local" server is
more trustworthy? Consider the following situations:

1. A customer of your ISP, netmonger.net, is evil. They have a page
that links or redirects to http://www/~evil/evil.html, taking
advantage of the fact that your machine is configured with your
ISP's domain in the search list.

2. You go to school at RPI. You have a dorm ethernet connection.
Your machine is naive.dorm.rpi.edu, and you have dorm.rpi.edu
in your domain search list. An evil person gets evil.dorm.rpi.edu,
and you know the rest.

3. You work at Giganticorp and have access to high-level trade secrets.
Giganticorp has an intranet where employees can put up their own
web pages. An evil employee takes advantage of the default security
settings to gain access to your secrets, which he sells to the
competition.

Numbers 1 and 2 ask the question, "Why are we assuming that a
non-qualified host name implies intranet implies trust?" Number 3
asks the question, "Why are we assuming that intranet implies trust?"
Another question is "How many people who use IE have no intranet?"
Considering that there are a quantity of tools available to deploy
IE at your company with preconfigured settings, why not default to
not having this intranet zone? If Giganticorp needs to turn down
the security, they can do so at the same time they're customizing
the rest of the settings.
I don't personally use Microsoft products, and I am not quite familiar
with the specific security precautions that are disabled for the
intranet zone, but if they're enough to cause concern on the Internet,
the same problems can occur even when the browser isn't malfunctioning
at all.
--
Christopher Masto Director of Operations NetMonger Communications
chris@netmonger.net info@netmonger.net http://www.netmonger.net
Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
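
The naming rule questioned in the message above, modelled as an added example (not part of the original message and not Microsoft's code): a dotless host name is classed as intranet, and the resolver search list decides what it really points to. The function names, the `admin_controlled` set and the placeholder domain `giganticorp.example` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def zone_for(url):
    """The rule the message questions: a host name with no dot is
    treated as intranet (trusted); any dotted name is Internet."""
    host = urlsplit(url).hostname or ""
    return "intranet" if host and "." not in host else "internet"

def expand(host, search_list):
    """Names a resolver would try for an unqualified host, in order."""
    if not host:
        return []
    return [host] if "." in host else [f"{host}.{s}" for s in search_list]

def audit(url, search_list, admin_controlled):
    """Flag URLs that get intranet trust while the name can resolve into a
    domain where people other than the machine's administrator own hosts."""
    host = urlsplit(url).hostname or ""
    zone = zone_for(url)
    candidates = expand(host, search_list)
    mismatch = [c for c in candidates
                if zone == "intranet"
                and c.split(".", 1)[1] not in admin_controlled]
    return {"zone": zone, "candidates": candidates, "mismatch": mismatch}

# Constructed cases mirroring the three situations in the message.
# "giganticorp.example" is a placeholder domain, not from the message.
CASES = [
    ("http://www/~evil/evil.html", ["netmonger.net"], set()),
    ("http://evil/", ["dorm.rpi.edu"], set()),
    ("http://intranet/~employee/", ["giganticorp.example"],
     {"giganticorp.example"}),
]

if __name__ == "__main__":
    for url, search, owned in CASES:
        print(url, audit(url, search, owned))
```

The third case reports no mismatch yet still lands in the intranet zone: a name-based audit can catch situations 1 and 2, but situation 3 is a trust decision that no host-name check can see.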