Bugtraq mailing list archives

Re: "ClientSideTrojan" bug


From: mag () BUNUEL TII MATAV HU (Magosanyi Arpad)
Date: Tue, 16 May 2000 13:50:56 +0200


Hi!

There is a hypothetical solution to the ClientSideTrojan bug:

Create a mechanism which assigns security labels to the webpages,
and enforce an access control policy based on the security labels.
Maybe a policy of "one can access a web page iff his current label
equals the label of the webpage" would be a safe bet.
It is still a client-side (mostly) solution, but in most cases
the attacked resource is also "owned" by the client.

I don't exactly know how such a mechanism could be safely implemented with the
current technology. But I have ideas.

Iff the client is using a web proxy for all http accesses, the web proxy
could enforce the policy, based on its assignment of labels and some
mechanism to change current security label.

There are more possible mechanisms to change and communicate the security label:
        1. In the browser/http header. There is a menu where you can change it,
                and the browser could generate a http request header 
                communicating it. I would like it, but it sounds a 
                bit idealistic right now. (But seems easy to implement)
        2. Through a cookie. It uses a currently available technique, but
                the browser should accept cookies which are to be sent to
                everyone, which is Bad Thing(TM)
        3. Through the proxy. There could be some level-changing mechanism
                (e.g. a webpage on the proxy server), and no one would
                know about the label but the proxy (or it could communicate
                it in the same way as #1, for the web servers who care.)

There is a mailing list to talk about communicating security labels using
existing (and new) protocols. We have created it ages ago, but this is
the first announcement of it.
If you are interested in using internet protocols in a trusted environment,
if you have ideas how to do it, please join the mailing list.
It is at:
ml-proto () lists balabit hu
http://lists.balabit.hu/mailman/listinfo/ml-proto

Thanks to BalaBit (author of syslog-ng) for providing the service.

-- 
GNU GPL: only from a clean source
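An added example (not code from the poster) of the proxy-side policy sketched above: each web page gets a label by host, the proxy keeps each client's current label (changed through a proxy-side mechanism, #3) or falls back to a label the browser sends in a request header (#1), and a request passes only when the two labels are equal. The header name, the per-host labels and the default label for unlabeled pages are assumptions.

```python
from urllib.parse import urlsplit

# Assumed label assignment: pages are labelled by host; anything
# not listed gets DEFAULT_LABEL (an assumption, not from the post).
PAGE_LABELS = {
    "bank.example": "banking",
    "intranet.example": "internal",
}
DEFAULT_LABEL = "public"
# Assumed request header for mechanism #1 (browser communicates its label).
LABEL_HEADER = "X-Security-Label"


def page_label(url):
    """Label of the requested page, derived from its host."""
    host = (urlsplit(url).hostname or "").lower()
    return PAGE_LABELS.get(host, DEFAULT_LABEL)


class LabelProxy:
    """Policy core of a filtering proxy: allow iff labels are equal."""

    def __init__(self):
        # Current label per client, set through the proxy (mechanism #3).
        self.client_labels = {}

    def set_label(self, client, label):
        """Level-changing mechanism, e.g. a page served by the proxy."""
        self.client_labels[client] = label

    def current_label(self, client, headers):
        # The proxy's own record is authoritative; if it has none,
        # accept the label the browser sent in the header (mechanism #1).
        if client in self.client_labels:
            return self.client_labels[client]
        return headers.get(LABEL_HEADER, DEFAULT_LABEL)

    def allow(self, client, url, headers=None):
        """True iff the client's current label equals the page's label."""
        headers = headers or {}
        return self.current_label(client, headers) == page_label(url)

    def filter_requests(self, client, urls, headers=None):
        """Apply the policy to a batch of requests one page may trigger."""
        return {u: self.allow(client, u, headers) for u in urls}


if __name__ == "__main__":
    proxy = LabelProxy()
    proxy.set_label("client-1", "banking")   # constructed client at banking level
    # Constructed requests: a page at the banking level trying to reach elsewhere.
    print(proxy.filter_requests("client-1", [
        "http://bank.example/account",
        "http://other.example/submit",
    ]))
```

With the client at "banking", only the bank.example request is allowed; a request the page triggers towards an unlabeled host is refused because its label ("public") differs.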