Bugtraq mailing list archives

Re: More Internet Explorer zone confusion
From: paulle () MICROSOFT COM (Paul Leach)
Date: Mon, 8 Mar 1999 11:58:55 -0800


-----Original Message-----
From: Oliver Lineham [mailto:oliver () LINEHAM CO NZ]
Sent: Monday, March 08, 1999 2:37 AM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: More Internet Explorer zone confusion


At 21:53 5/03/99 -0500, you wrote:

Yech.

That means that IE has to rely on the URL.  By convention, an URL that does
not end with a "dot-something" (.com, .edu, .gov, etc) is assumed to be an
internal site.  I'm told that this is how all web browsers make the
distinction.  You have to make specific reconfigurations to allow the
dotless URLs to resolve externally. Thanks,

This is insane - and most probably not how it distinguishes domains at all.

That's correct.
I believe that the rule for Intranet zone is simple -- if the name has no
"." and is less than 15 characters long, then it's Intranet zone. This
algorithm works with the default configuration of Windows. If you configure
your machine so that the above assumption is violated, then you'll get a
mis-classification.

When designing better ways of doing this, keep in mind that the primary tool
that the browser has to work with is "gethostbyname" -- which, IMO, doesn't
return enough information about how the name was resolved to be helpful for
security purposes (even though it garnered some in the process of
resolution). For example, it doesn't say whether /etc/hosts or LMHOSTS was
used to resolve the name, or which DNS search suffix was used.

Paul
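
Added example (not part of the original message and not Internet Explorer's code): the name-only rule as the message states it, checked against constructed resolution records to show where the zone and the resolved address disagree. Treating RFC 1918 and loopback addresses as "internal", the function names, and the sample hosts, addresses and resolution sources are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: "internal" means RFC 1918 or loopback space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def zone_by_name(url):
    """Name-only rule from the message: no "." and fewer than 15 characters."""
    host = urlsplit(url).hostname or ""
    if host and "." not in host and len(host) < 15:
        return "Intranet"
    return "Internet"

def audit(url, resolved_ip, source):
    """Compare the name-only zone with where the name actually resolved.

    source stands for the resolver detail (hosts file, LMHOSTS, search
    suffix) that, per the message, gethostbyname does not return.
    """
    zone = zone_by_name(url)
    addr = ipaddress.ip_address(resolved_ip)
    internal = any(addr in net for net in INTERNAL_NETS)
    return {"url": url, "zone": zone, "source": source,
            "mismatch": (zone == "Intranet") != internal}

# Constructed records: (URL, resolved address, how the name was resolved).
# External addresses are taken from the documentation ranges.
SAMPLES = [
    ("http://payroll/", "10.1.2.3", "WINS"),
    ("http://www.example.com/", "192.0.2.10", "DNS"),
    ("http://partner/", "198.51.100.7", "hosts file"),
    ("http://build/", "203.0.113.9", "DNS search suffix example.net"),
    ("http://averylongintranetname/", "10.0.0.8", "DNS search suffix corp.example"),
]

def flagged(samples=SAMPLES):
    """Return the URLs whose name-based zone disagrees with the address."""
    return [r["url"] for r in (audit(*s) for s in samples) if r["mismatch"]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(*s))
```

The three flagged records are the cases where the name alone gives the wrong answer: two dotless names that resolved outside the internal ranges, and one internal host whose name is too long for the rule.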


