[gopher] Re: Gopher+ Suggestion
> > While true, this should hardly be the responsibility of the client to
> > enforce -- this only masks badly written server software and makes it
> > less likely to find exploits.
>
> Difficult to prevent attempts to send people to arbitrary gopher URLs,
> though. (Consider an HTML document containing
>
> <img src="gopher://vunerable.host:25/0HELO+evil-overflow-attempt-XXXX-etc";
> width="1" height="1" alt="">
>
> If such a page is read in a graphical browser, and that browser doesn't do
> anything to stop such URLs, it will send arbitrary text (up to a few
> kilobytes) to an arbitrary port on an arbitrary host without the user's
> knowledge.
What I'm saying, though, is the server should still be ultimately responsible
for security. By hiding the ability to send an exploit from a client doesn't
solve the server's inherent flaw, and in fact makes finding the flaw more
difficult in that it will require a more involved or technical approach that
is less likely to be discovered early and countered. It's sort of a "security
through obscurity" approach.
> It's difficult to see how to stop such attacks on the server side.
Sure. But I think this masks security flaws rather than improving security.
IMHO, of course. ;-)
--
----------------------------- personal page: http://www.armory.com/~spectre/ --
Cameron Kaiser, Point Loma Nazarene University * ckaiser@stockholm.ptloma.edu
-- For every credibility gap, there is a gullibility fill. -- R. Clopton ------
Reply to: