restricting access to web pages

[Toby Inkster]

XHTML 1.1 comes in one flavour, no Strict or Transitional subtypes.

True. My post started off as XHTML 1.0 Strict, but I changed it to 1.1 and
forgot to drop the "Strict".

That said, XHTML 1.1 is clearly the evolution of the HTML4/XHTML1.0 Strict
doctype.

 

[Spartanicus]

True. My post started off as XHTML 1.0 Strict, but I changed it to 1.1 and
forgot to drop the "Strict".

The level of XHTML wasn't relevant to the point, serving any flavour of
XHTML using the XHTML content type http header suffices.

 

[Jim Higson]

Are you under the impression that somehow you can catch a virus from a
user visiting your website??

My, oh my, you're mistaken. Unless you offer some sort of uplink for that
virus to go through, no, your site is safe from IE users.

Yes, it doesn't matter how insecure the browser is, for the server to catch
a virus there must be a security hole *in the server*.

If there is a security hole in the server, it'll probably be a buffer
overflow exploit, which requires a very specialised knowledge to construct
- there is in all practical terms zero change that a browser could perform
the exploit by accident.

Besides, if your server is UNIX, it doesn't matter how many MS viri you
upload, they can't run.

If you want ultimate security consider running a Java http server, such as
erm... y'know, the one W3C uses for the validation service. Since Java runs
on a VM sandbox it is virtually impossible for an attacker to gain access
to the machine, unless there is a serious security hole in the server AND
the vm - very, very unlikely.

 

[Starshine Moonbeam]

Yes, it doesn't matter how insecure the browser is, for the server to catch
a virus there must be a security hole *in the server*.

If there is a security hole in the server, it'll probably be a buffer
overflow exploit, which requires a very specialised knowledge to construct
- there is in all practical terms zero change that a browser could perform
the exploit by accident.

Besides, if your server is UNIX, it doesn't matter how many MS viri you
upload, they can't run.

If you want ultimate security consider running a Java http server, such as
erm... y'know, the one W3C uses for the validation service. Since Java runs
on a VM sandbox it is virtually impossible for an attacker to gain access
to the machine, unless there is a serious security hole in the server AND
the vm - very, very unlikely.

You'd have to compile the virus code (are there even Java virii?) before
it would run anyway.

 

[Toby Inkster]

You'd have to compile the virus code (are there even Java virii?) before
it would run anyway.

Huh? Why? Java is commonly distributed in bytecode -- not source form.

 

[rf]

Starshine Moonbeam wrote

(are there even Java virii?)

The above two statements are incompatible.

Since java can not get out of its sandbox there would be no reason to even
attempt to write a java virus.

In any case most viruses exploit the idiocy of the reciever and others
rather than security holes. Witness the virus with love in its name from a
couple of years ago. The reasons it propogated are:

Microsoft idiotically decided to enable HTML emails and active scripting in
outlook express *by default*.

Microsoft idiotically decided to hide extentions for known file types *by
default*.

People who recieved the offending email idiotically clicked on the
attachment "virus.jpg.scr", thinking it was really "virus.jpg". Millions
upon millions did this[1]. There was no security hole, just a mis-configured
email client.

[1] when the virus first struck I recieved hundreds of copies of it.
Needless to say none of them were allowed to run.

 

[mutant]

Hi,

That said, the web is all about not excluding anyone (even if some think
it is), so please, don't bar a browser. Some just aren't aware there are
alternatives, or if there are, how to install and use them. Stopping
them from using your website won't do anything except ensure they don't
return.

TTFN

Paul

Bush website adopts isolationist stance

Surfers from outside the US trying to reach the site receive an "access
denied" message.

http://www.theregister.co.uk/2004/10/27/bush_blocking_non-americans/

 

[Jim Higson]

Starshine Moonbeam wrote



The above two statements are incompatible.

Since java can not get out of its sandbox there would be no reason to even
attempt to write a java virus.

Well, in theory it might be possible - as more of the operating system is
duplicated in the JRE it matters less if it can't touch the underlying OS.
Or maybe if the point of a Java 'virus' is to infect and mess up a Java
http server or something else just as unlikely.

Another point worth mentioning is there are NO buffer overflow attacks in
Java - because the JVM manages memory for you such things are impossible.
Consider that most cracks are this kind of expoit and you can see why a
Java server should be very secure.

In short, except for possibly MS servers (and then it's unlikely) it matters
not one bit how infested with virii people connecting to your service are.

Jim

 

[Lemming]

Since java can not get out of its sandbox there would be no reason to even
attempt to write a java virus.

Some java programs write and/or read files. Not virtual
"sandbox-only" files, but real file-system files.

If that isn't "out of the sandbox" I don't know what is.

Lemming

 

[Starshine Moonbeam]

Huh? Why? Java is commonly distributed in bytecode -- not source form.

Then that settles that.

 

[Jim Higson]

Some java programs write and/or read files. Not virtual
"sandbox-only" files, but real file-system files.

Yes, but it is trivial to set up security in the VM so they can't.

Or, to make it even more secure, have a user called Java and also limit
access on a OS-level.

 

[rf]

Some java programs write and/or read files. Not virtual
"sandbox-only" files, but real file-system files.

If that isn't "out of the sandbox" I don't know what is.

Do you *really* think that I am going to let some random java program so far
out of the sandbox that it can access my local file system? I might as well
just turn off my firewall

 

[Leif K-Brooks]

Bush website adopts isolationist stance

Surfers from outside the US trying to reach the site receive an "access
denied" message.

That's a reason to vote for someone with half a clue, but not a reason
to create a broken web site of your own.

 

[Neal]

Bush website adopts isolationist stance

Surfers from outside the US trying to reach the site receive an "access
denied" message.

http://www.theregister.co.uk/2004/10/27/bush_blocking_non-americans/

Yep, and just try to get into a campaign rally with a Kerry T-shirt.

 

[mutant]

That's a reason to vote for someone with half a clue, but not a reason
to create a broken web site of your own.

Actually it has been called a dress code. Follow the dress code get in
the restaurant . Follow the dress code get the job. My page is for a
certain type of person. Just because I have done my part to make a place
safe doesn't mean that people who don't care are allowed to share the
fruit. And there is nothing wrong with denying a browser that spreads
viruses.

But there are plenty of available links to show why not to use IE.


- Peace -
Mutant