lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <p06001714bb479d01c422@[192.168.1.104]>
Date: Fri, 25 Jul 2003 22:59:37 -0400
From: Kee Hinckley <nazgul@...ewhere.com>
To: Denis Jedig <seclists@...eticon.de>
Subject: Re: TEXT/PLAIN: ALERT("OUTLOOK EXPRESS")


At 8:35 PM +0200 7/25/03, Denis Jedig wrote:
>Internet Explorer seems to take no offense on Content-Types either - 
>text/plain from a web server is happily rendered as HTML, if it 
>contains valid tags.

It has long been a standard assertion that programs should produce 
standard-complaint protocols, but be lenient in accepting data 
contrary to the standard.  Microsoft has taken this one step further. 
In addition to attempting (not unreasonably) to try and guess what 
the user is trying to do, they've written code that tries to guess 
what a remote client or server is trying to do.  I think a history of 
Microsoft security holes clearly shows that this is *not* an 
appropriate programming practice.  The acceptance of incorrect data 
makes security scanning by intermediate parties extremely difficult. 
Attempting to "correct" for incorrect remote behavior benefits 
nobody.  It encourages programs and people to generate incorrect 
code, and it opens up security holes when by the standard there ought 
to be none.  We've seen this time after time in things like HTML code 
embedded in JPEG comments, decimal IP addresses using intentional 
overflows, and a plethora of other cases.  Policies that make sense 
in dealing with end user actions can be deadly when used with remote 
standards and protocols.

(Of course this policy also has the side effect of making it 
extremely difficult for smaller players to compete with the dominant 
one, since they have to be bug-for-bug compatible.)
-- 
Kee Hinckley
http://www.messagefire.com/          Anti-Spam Service for your POP Account
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ