Re: More Internet Explorer zone confusion

[paulle () MICROSOFT COM (Paul Leach)]

> -----Original Message-----
> From: Oliver Lineham [mailto:oliver () LINEHAM CO NZ]
> Sent: Monday, March 08, 1999 2:37 AM
> To: BUGTRAQ () NETSPACE ORG
> Subject: Re: More Internet Explorer zone confusion
>
>
> At 21:53 5/03/99 -0500, you wrote:
>
> Yech.
>
> > That means that IE has to rely on the URL.  By convention,
> an URL that does
> > not end with a "dot-something" (.com, .edu, .gov, etc) is
> assumed to be an
> > internal site.  I'm told that this is how all web browsers make the
> > distinction.  You have to make specific reconfigurations to allow the
> > dotless URLs to resolve externally. Thanks,
>
> This is insane - and most probably not how it distinguishes
> domains at all.

That's correct.
I believe that the rule for Intranet zone is simple -- if the name has no
"." and is less than 15 characters long, then it's Intranet zone. This
algorithm works with the default configuration of Windows. If you configure
your machine so that the above assumption is violated, then you'll get a
mis-classification.

When designing better ways of doing this, keep in mind that the primary tool
that the browser has to work with is "gethostbyname" -- which, IMO, doesn't
return enough information about how the name was resolved to be helpful for
security purposes (even though it garnered some in the process of
resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was
used to resolve the name, or which DNS search suffix was used.

Paul