Re: JavaScript and Cookies enabled in Browser

2004-08-21 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> This strikes me as a dubious claim. If, as they claim, they use the
> browser SSL layer then they could be *as* secure as an IPSec or SSL VPN
> system at best, and could be completely insecure.

WebEx is using a Java applet or ActiveX control for displaying the remote
desktop.

AFAIK there is a solution on freshmeat to multiplex X clients to multiple X
servers by a virtual server: xmx

I think with WebEx you can only publish a Windows desktop. In that case you
can run UltraVNC on it; this is able to attach multiple clients.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: JavaScript and Cookies enabled in Browser

2004-08-20 Thread Daniel Pittman
On 20 Aug 2004, Don Froien, III wrote:
> I was recently in a meeting where members of the IT group proposed to
> use a utility called WebEx to perform remote compiles. WebEx offers
> SSL encrypted transfers and the ability to offer only selected members
> to the meeting (remote compile in this case) and offers the transfers
> over https (port 443).

Sounds like a cute idea, but I don't quite see how it manages remote
compiles.

> The issue I see with this approach is that WebEx uses a browser interface that
> requires the browser to have JavaScript and Cookies enabled. I have always
> been under the impression that those two items were considerable security
> issues.

I think you are significantly overestimating the security risks there.
With an up-to-date browser, even IE, they don't pose too much of a risk.

Certainly, cookies are almost no risk. The worst case is that they allow
remote information gathering, or allow someone to "steal" the cookie and
impersonate you.

In either case there are normally easier ways to take over a machine. :)

> Does anyone know of any URLs or downloadable papers that will
> strengthen my argument against this approach? I believe a VPN solution
> to be more appropriate, but am being told that the WebEx approach is
> more secure.

This strikes me as a dubious claim. If, as they claim, they use the
browser SSL layer then they could be *as* secure as an IPSec or SSL VPN
system at best, and could be completely insecure.

> If anyone knows a reason that this approach is secure, please advise
> also. 

If this really matters to you, do a real risk analysis of the situation:

Draw up a list of the things you need to protect or prevent.
Draw up a list of ways that people could attack those things.
Draw up a list of ways to ensure those attacks do not succeed.

Then, compare the final list to the various solutions on offer - VPN,
WebEx, etc, and see which one achieves the best practical security.


For what it is worth, though, I wouldn't trust the WebEx system to be
more secure than a VPN in combination with a Firewall, simply because it
trusts weak components (end user systems) for security, and because I
can see no external review of the quality of their implementation.

If you really want them to look bad, grab papers where people have done
a security review of various VPN systems and ask for the same for the
WebEx system...

 Daniel
-- 
Laughter is our safety valve.  It helps us get through Sarajevo and the stupid
things politicians do.
-- Jerry Lewis





JavaScript and Cookies enabled in Browser

2004-08-20 Thread Don Froien, III
I was recently in a meeting where members of the IT group proposed to use a utility
called WebEx to perform remote compiles. WebEx offers SSL encrypted transfers and the
ability to offer only selected members to the meeting (remote compile in this case)
and offers the transfers over https (port 443). The issue I see with this approach
is that WebEx uses a browser interface that requires the browser to have JavaScript
and Cookies enabled. I have always been under the impression that those two items
were considerable security issues. Does anyone know of any URLs or downloadable
papers that will strengthen my argument against this approach? I believe a VPN
solution to be more appropriate, but am being told that the WebEx approach is more
secure. If anyone knows a reason that this approach is secure, please advise also.
Thanks

