Domain: securityspace.com
Stories and comments across the archive that link to securityspace.com.
Stories · 8
Microsoft: The Biggest Web Bugger
An unnamed reader writes: "A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization. Less surprisingly, however, the same report shows that by making some rough traffic estimates, DoubleClick is probably bugging more web traffic than anyone else. (Except of course those big ISPs running proxy servers...wonder how long it will be before the ad agencies get into bed with the ISPs?)"
More Detailed Apache Usage Report
Digimax writes "A sometimes more interesting read than the Netcraft survey is the one carried out monthly by Security Space. It has a breakdown of Apache module usage as well as some other interesting stats that the Netcraft survey does not produce."
New Weighted Web Server Popularity Stats
ASP writes "SecuritySpace.com has added a new section to their web server survey that weighs servers by the popularity of sites they host (measured by link referrals from other sites). You can see the results here, they're a little different than the ENT survey results discussed on Slashdot earlier. Disclaimer: I'm an employee of the company that publishes SecuritySpace.com" This is an interesting way to break the information down, and add a bit of depth to things.
MSIE's Cookies Are Public
If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.