2000-05-30-09:45:12 Mikael Olsson:
> There are a lot of firewalls that claim abilities in stripping
> active content such as javascript.
Are you sure it's "a lot" and not "a few"?
> Well, one thing we should have learned from the recent Web-based
> E-mail filtering failures (Hotmail has received most coverage,
> but the same problems apply to all of them), is that it is near
> impossible for a firewall to filter active content. There's always
> some new way of injecting scripts in an HTML document.
Rather, it's impractical to achieve 100% perfection at stripping
every possible way of embedding active content.
This is was demonstrated very early on (sorry, I don't remember the
name of the person who published this result, I think they were at
Bell Labs).
> So, in light of that, I think that all network filters, be it SPFs
> or proxies, should be considered to have no protection against
> embedded active content.
If nothing short of 100% perfection is of any interest to you, then
you should consider things that way.
The rest of us value and prize the nearly-complete protection that's
available in practice, when we are in a position to specify and
enforce a "no active content from the internet" policy.
-Bennett
PGP signature
