Subject: Re: SOCKS
To: Ross Harvey <ross@teraflop.com>
From: Kevin P. Neal <kpneal@pobox.com>
List: tech-security
Date: 03/10/1997 20:49:05
At 03:23 PM 3/10/97 PST, Ross Harvey wrote:
>Netscape has socks support built in to it, although you do have to turn
>it on in the proxies submenu.  My idea was to incorporate the socks
>proxy logic into the socket library so that all programs would
>automatically be socks-capable. It wasn't quite a proposal, just an
>idea. Somehow I doubt if people will want to put user-logic around what
>used to be a direct system call.

Yes, and it's *way* too easy to fool Netscape into hitting the
firewall/socks-server when it shouldn't be.

You configure Netscape (and IE) to not hit the firewall if the host is 
beneath *.domainname (or domainname if you use IE -- annoying!). The
problem is that Netscape doesn't expand hostnames into the FQDN before
matching them against the exception list. MS-IE has the same problem.

This means that if, where I work, you go to http://www/ then you bounce
off of the firewall when you meant to hit the web server directly. The
solutions to this involve educating 4000+ users worldwide, and making sure
that they understand to Not Do That. Or we can call each one of them and
tell them to Not Do That. 

One nit with your idea is that sometimes (in theory), you don't want all
of your programs to be socks enabled. What if you are running a search
engine for a company intranet? You probably don't want the crawler/scooter 
robot to be socksified automatically.

"If it's not broke..."
--
XCOMM Kevin P. Neal, Junior, Comp. Sci.     -   House of Retrocomputing
XCOMM  mailto:kpneal@pobox.com              -   http://www.pobox.com/~kpn/
XCOMM  kpneal@eos.ncsu.edu         " *** StarDOS makes great coffee! ***"
XCOMM From a mid-80's advertisement in "Compute's GAZETTE", a C64/C128 mag
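The exception-list mismatch described in the mail, as an added example that is not part of the original message: a PAC-style proxy decision written against a placeholder intranet domain (example.com) and a placeholder SOCKS server, first as the message says the browsers behave, then qualifying a bare hostname before matching. The PAC helper functions are re-implemented locally so the block runs stand-alone.

```javascript
// Added example (not from the original mail). Domain and proxy names below
// are placeholders, not values taken from the message.
const LOCAL_DOMAIN = "example.com";             // placeholder intranet domain
const PROXY = "SOCKS socks.example.com:1080";   // placeholder SOCKS server

// Minimal local stand-ins for the PAC helpers a browser normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// As described in the mail: the exception list holds "*.example.com" and the
// host is compared exactly as the user typed it, never expanded to an FQDN.
// A bare "www" therefore fails the match and is sent to the SOCKS server.
function findProxyNaive(host) {
  return dnsDomainIs(host, "." + LOCAL_DOMAIN) ? "DIRECT" : PROXY;
}

// Mitigation: qualify an unqualified name with the local search domain before
// applying the exception list, so "www" is judged as "www.example.com".
function qualify(host) {
  return isPlainHostName(host) ? host + "." + LOCAL_DOMAIN : host;
}

function findProxyFixed(host) {
  const fqdn = qualify(host).toLowerCase();
  // Accept both the "*.domainname" form and the bare "domainname" form the
  // mail attributes to IE, so "example.com" itself is also treated as local.
  const local = fqdn === LOCAL_DOMAIN || dnsDomainIs(fqdn, "." + LOCAL_DOMAIN);
  return local ? "DIRECT" : PROXY;
}

// Compare both rules over the cases the mail raises. Constructed sample hosts.
function compareRules() {
  const hosts = ["www", "www.example.com", "example.com", "www.netscape.com"];
  return hosts.map((h) => ({ host: h, naive: findProxyNaive(h), fixed: findProxyFixed(h) }));
}

module.exports = { findProxyNaive, findProxyFixed, qualify, compareRules, PROXY };
```

Note that a look-alike such as `evilexample.com` still goes to the proxy under the fixed rule, because the leading dot in the suffix match prevents it from passing as a subdomain of example.com.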