iframe dilemma: a compromise?

David Lee t.d.lee at DURHAM.AC.UK
Wed Nov 6 09:52:17 GMT 2002


On Mon, 4 Nov 2002, Julian Field wrote:

> At 18:06 04/11/2002, you wrote:
> >[...]
> >It seems the choice is currently a stark one: either permit iframe (and
> >risk its possible dangers) or forbid iframe (and risk the dangers of
> >unhappy users with big sticks).
> >
> >Might there be the possibility of a compromise?  An option something like
> >"convert iframe to text"?  (Or was this discussed and deemed unworkable?)
>
> In version 4, you can allow IFrame tags from any given "trusted" address,
> which solves the problem.

Thanks.

But that doesn't really solve the problem, does it?  It merely replaces
it with another: a never-ending problem of maintaining a list of such
trusted addresses submitted by our 15K-20K users.

Even if that were feasible (doubtful!), how would we (the service provider
in the university) judge what really is to be "trusted"?

Further, one of the purposes of MailScanner is to help to protect the
site, not just the individual PC.  If a trusted address turns out itself
to be troublesome, then doesn't that open the floodgates?  (Analogy:
suppose one had the facility "trust Bugbear from this address"?)

(Perhaps I've misunderstood something?)

What I am suggesting is something complementary, to augment your "trusted
iframe address" facility, which could still be in place.  Namely, an
option (for non-trusted addresses) to convert the iframe to text.  Thus
the basic message will still get through, and still be vaguely human
readable.

> I am loath to spend the time required to implement all the "domains file"
> code in version 3, it would be quite a bit of work.

That's fine.  I wasn't even hinting at any such back-port!

> If you keep your Outlook and OE users well up to date with patches, then
> you probably won't have much problem as most of the current viruses that
> exploit this rely on you not having installed patches that were issued a
> year ago.

But one of the very reasons for MailScanner in the first place is that the
users often don't keep themselves up-to-date with patches, and thus they
(and other non-up-to-date users) remain vulnerable.  (Suppose one user
gets caught with such an iframe problem:  what might then be the effect on
other users whose own virus-scanning is, say, a few weeks behind?)

Thanks again for a great product!

--

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
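Added example, not part of the original message and not MailScanner's own code: a Python sketch of the "convert iframe to text" option discussed above. It copies the HTML body through unchanged except that every iframe start or end tag is rewritten as escaped, visible text, unless the sender is on a trusted list, so the message still gets through and stays readable while the tag itself is inert. The trusted list, the sender addresses and the sample message (with a hidden zero-size iframe pointing at an attached part) are all constructed for this example.

```python
import html
from html.parser import HTMLParser


class IframeDefanger(HTMLParser):
    """Rebuild the HTML verbatim, except that every <iframe> start/end tag
    is emitted as escaped text, so a mail client shows the literal tag
    instead of loading the framed content."""

    def __init__(self):
        # convert_charrefs=False so entities such as &amp; pass through untouched
        super().__init__(convert_charrefs=False)
        self.out = []
        self.defanged = 0

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()   # original tag text, casing and all
        if tag == "iframe":              # the parser lowercases the name for us
            self.out.append(html.escape(raw))
            self.defanged += 1
        else:
            self.out.append(raw)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <iframe ... /> is handled the same way

    def handle_endtag(self, tag):
        text = "</%s>" % tag
        self.out.append(html.escape(text) if tag == "iframe" else text)

    # Everything below just copies the remaining HTML through unchanged.
    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    def handle_pi(self, data):
        self.out.append("<?%s>" % data)

    def unknown_decl(self, data):
        self.out.append("<![%s]>" % data)


# Hypothetical trusted-sender list: mail from these addresses keeps its iframes.
TRUSTED_SENDERS = frozenset({"alice@example.org"})


def filter_message(html_body, sender, trusted=TRUSTED_SENDERS):
    """Return (filtered_html, number_of_iframes_converted).

    Trusted senders pass through untouched; everyone else has iframes
    converted to text.  'sender' is whatever the From: header says, and
    that header is trivially forged, which is the weakness of any such list."""
    if sender.lower() in trusted:
        return html_body, 0
    parser = IframeDefanger()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.defanged


# Constructed sample: a harmless-looking body with a hidden 0x0 iframe
# pointing at an attached MIME part, the pattern the thread is worried about.
SAMPLE_HTML = (
    "<html><body>Hi &amp; welcome!"
    "<IFRAME SRC=cid:part1.attachment HEIGHT=0 WIDTH=0></IFRAME>"
    '<p>See the <a href="http://www.example.com/">link</a>.</p>'
    "<!-- sig --></body></html>"
)

if __name__ == "__main__":
    body, n = filter_message(SAMPLE_HTML, "stranger@example.net")
    print("converted %d iframe(s):" % n)
    print(body)
```

The parser, rather than a regular expression, is used deliberately: it normalises tag-name case and tolerates tricks such as <iframe/src=...>, and the escaped tag is left in place so the recipient can see that something was neutralised. In a real filter this would run on the decoded text/html MIME part, and the trusted-sender check would need something stronger than the From: header.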
