Of course the users' dream is that they live in an Internet garden with
beautiful animation and wonderful little dialog boxes that do amazing things
for them with a single mouse click, in perfect safety. They can dream (and
complain) can't they?! ;-)
����������������������������������� Mark
> -----Original Message-----
> From: firewalls-owner [mailto:[EMAIL PROTECTED]]On Behalf
> Of Bennett Todd
> Sent: Tuesday, December 29, 1998 4:44 PM
> To: Firewalls
> Subject: Re: deactivate Java, JavaScript and ActiveX?
>
>
> It's impossible to do a _perfect_ job of stripping applets at a firewall,
> simply and solely because browser vendors periodically mutate
> their product
> introducing new ways to sneak applets past a snooper. An applet
> can be packet
> into a jar file, into a zip file, referenced through some other protocol
> (including a protocol you can't examine like ssl), etc.
>
> However, a firewall can strip out _many_, even _most_ applets. If you can
> strip enough of them, a firewall can be a tremendous help by
> shifting users'
> expectations, so they won't _expect_ them to work.
>
> But you still need more layers of defense.
>
> You should have the browsers you support set up with applets disabled.
>
> You should periodically scan the system looking for users who
> have overridden
> that default.
>
> If possible, you should lock _all_ browsers in sandboxes to limit the
> collateral damage the schrapnel can do when someone succeeds in
> sneaking an
> applet past the barriers.
>
> Better would of course be a corporate policy prohibiting use of
> such trashy,
> unprofessionally poor code; outlaw Netscape and MSIE and anything
> else as bad,
> periodically search for copies, delete 'em and lecture offenders,
> fire repeat
> offenders. Ok, I can dream, can't I:-).
>
> -Bennett
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
