Firewall Wizards mailing list archives
RE: Active-content filtering (was RE: Buffer Overruns)
From: fernando_montenegro () hp com
Date: Thu, 23 Dec 1999 07:00:12 -0500
Hello again! You wrote:
> I VEHEMENTLY dispute that any of these scripting technologies are *legitimate* business-need content. On the contrary, they are symptoms of "lazy web developer who doesn't understand the technology." I have never, ever encountered a web site that used Javascript in a way that was actually necessary to perform the business function.
When the "business function" is to deliver content for a wide audience with a short attention span, while at the same time reducing costs and time-to-market, differentiating yourself from a slew of other competitors in a very level playing field (the user's screen) and dealing with incompatible standards/implementations, it would be foolish to ignore technology that is widely deployed at your customer base and helps achieve the goals described above.

After receiving your message I went on and visited some "high profile" sites. I found them using Javascript for:

- Verifying which browser the user is connecting with, and acting accordingly.
- Performing input validation.
- Playing tricks with frames (so as to avoid content stealing through framing).
- Displaying/managing "pop-up" windows with ads, questionnaires, instant polls or on-line help.

IMHO, now that the Web is a commercial venture, where glitz/interactivity/ease-of-use is at least as important as content, these are all valid uses. Even some sites that didn't have scripting on their main page went on to use it somewhere further down the road. As a matter of fact, even security-related sites had scripting enabled, using it for pretty much the same as the other sites.

Is it unfortunate that there are vulnerabilities being discovered left and right regarding client-side code? Yes! Is it unfortunate that web sites are designed with less than adequate security architectures? Hell yes! Can we expect the risk to be eliminated by removing client-side code? No! What needs to be done? Risk reduction.

It looks like this is only a re-enacting of the "should we connect to the Big Bad Internet or not?" dilemma. Just like some networks will never be connected (directly, that is), I am sure there'll be network admins who will just block out Java[script]|ActiveX and substantiate that as a valid business decision. That's great!

On the other hand, there'll be scores of admins who need to leave this stuff open because their user population requires it. In these cases, having proper policy and network design, along with useful tools, can help reduce the risk. Which brings me back to my questions: are there adequate tools to deal with client-side code on a corporate level? Has anyone come across a proxy server with this kind of granularity (allowing/denying scripting per destination web site per user profile (time of day, username, ...))?

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro
Hewlett-Packard Brasil
HP Consulting - IT Security
Al. Rio Negro, 750 - Alphaville
Barueri, SP - Brazil 06454-000
mailto:fernando_montenegro () hp com
voice: +55-11-7297-4351
#include <disclaimer.h>
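The per-destination, per-user, time-of-day scripting policy the question above asks about, sketched as an added example (not code from the post or from any proxy product). The rule set, host names and sample page are constructed, and the script stripping is a deliberately crude regex stand-in for what a real filtering proxy would do with an HTML parser.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    host_suffix: str   # "" matches every destination
    users: frozenset   # empty set matches every user
    start: str         # zero-padded "HH:MM", so strings compare as times
    end: str           # window end; wraps past midnight when end < start
    allow_script: bool

def host_matches(host: str, suffix: str) -> bool:
    """Exact or subdomain match only, never a plain substring match."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return not suffix or host == suffix or host.endswith("." + suffix)

def in_window(now: str, start: str, end: str) -> bool:
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # window wraps past midnight

def scripting_allowed(rules, user: str, host: str, now: str) -> bool:
    """First matching rule wins; deny scripting when nothing matches."""
    for r in rules:
        if (host_matches(host, r.host_suffix)
                and (not r.users or user in r.users)
                and in_window(now, r.start, r.end)):
            return r.allow_script
    return False

# Constructed policy: intranet always; bank.example for alice in business hours; else strip.
RULES = [
    Rule("intranet.example", frozenset(), "00:00", "23:59", True),
    Rule("bank.example", frozenset({"alice"}), "08:00", "18:00", True),
    Rule("", frozenset(), "00:00", "23:59", False),
]
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
INLINE_HANDLER = re.compile(r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def strip_scripts(html: str) -> str:
    """Crude stand-in: drops <script> blocks and on*= handlers. A real proxy
    must do this with an HTML parser; regexes miss javascript: URLs etc."""
    return INLINE_HANDLER.sub("", SCRIPT_BLOCK.sub("", html))

def filter_response(rules, user: str, host: str, now: str, html: str) -> str:
    return html if scripting_allowed(rules, user, host, now) else strip_scripts(html)

# Constructed sample page with one script block and two inline handlers.
SAMPLE = ('<html><body onload="init()"><script type="text/javascript">check();'
          '</script><form onsubmit="return check()"><input name=q></form></body></html>')
```

The default-deny fallthrough in `scripting_allowed` is the point: a destination or user the policy never mentions gets scripts stripped rather than passed through.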