Bennett Todd wrote:
>
> The rest of us value and prize the nearly-complete protection that's
> available in practice, when we are in a position to specify and
> enforce a "no active content from the internet" policy.
Just because I'm a PITA that likes proof before accepting things
at face value, I'd like to ask you this:
Do you know just how much is filtered by your firewall?
Surely, you "nearly perfectly" protect your users from
normally included javascript (using <script> tags) on your
average run-of-the-mill site that uses it for glitz (where
it isn't dangerous in the first place).
But do you know just how many of the variants listed in
the "hotmail" attacks are filtered by _your_ firewall of
choice?
(I'm ready to bet that if someone wanted to do a real
javascript attack, they wouldn't just use <script> tags).
And do you know how your firewall handles different
charsets, such as UTF-8?
I'm not asking this to attack your standpoint. I'm just
genuinely interested in exactly what is filtered these days.
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]