RE: Security Issues and Browsers from Geoff Baysinger on 1995-07-01 (www-html@w3.org from June 1995)

From: Geoff Baysinger <gbaysing@hiwaay.net>
Date: Fri, 30 Jun 95 20:19:59 CDT
To: a05wlehotz@attmail.com, www-html@www10.w3.org
Message-Id: <Chameleon.950630204447.gbaysing@sill'usion.hiwaay.net>
>Cana "Browser" be written so that a Network/Security Admin could "check"
>on the User?

If it's the admin on the user's end ... not without filtering all of the 
user's IP traffic, a very dirty process, would take a LOT of machine time 
and would definitely be a privacy issue ... I'd drop any service I 
thought was monitoring me (beyond the time online issue, which SHOULD be 
monitored by connect time, not traffic)

If you wanted to write your own browser and force the user to use it, 
then I suppose you could log all the statistics and have them sent to you 
... 

essentially the user would be unable to use other browsers, something I  
would like almost as little as having my traffic monitored, but it could 
do anything you requested below (which, to some extent AOL, and Prodigy 
do ... I believe Netcom now allows users to choose their browser.)

An option you MIGHT look into is using a Proxy server ... Cern and 
Netsite (from the makers of Netscape) make WWW servers that can be used 
as proxies ... a Proxy goes and gets the document for the user, then 
feeds it to their browser ... you could monitor alot, if not all, the 
information you wanted through server logs ... and you could hack the 
server code (if you can get it) to include anything your logs don't 
already keep ...

You'd HAVE to run your machine behind a firewall, which would then force 
the browsers to go to the proxy server (not all browsers support proxies, 
but they are becoming more common) ... Actually, if this option works 
(using a proxy server) I applaud that ... I would much rather have my 
time limited to actual traffic than to connect time if I had a -daily- 
limit ... but still dislike the idea of monitoring where the user goes!


On Fri, 30 Jun 1995 12:17:37 -0500 (CDT)  Willy Lehotz wrote:
>Question 1:
> 	Check one is the Time the user started a session.
> 	Check two is the IP the user requests
> 	Check three is lenght of "surf" time.
>       Check four did user "save to disk" any GIFS\JPG.

You can't do this (#4) -period- with a proxy server ... you would require 
homemade browser ... (why do you need to know this?)

>	Check five is end of session.
><see where I am going with this?>

Yes, and it's kinda scary

>
>Question 2:
>Can the browser be written to limit time <such as in a timer>?		

Well, as you may have guessed, you can write your browser to do whatever 
you want ... you could also probably do some hacking on a proxy server to 
only allow users to use it for a certain amount of time, and then feed a 
message that their time is up ... you'd probably have to use Cern as I 
doubt MCom (Netsite) would release their code without a CHUNK of change 
...
	
>
>Question 3:
>Can the browser output this information into a log file or could it 
>be configured to start up an internal "homepage" and the information be 
>captured at this point?

Hmm, almost all browsers can load a homepage automatically .. if you want 
it to be local to the user you would need to code that into the initial 
setup program, and not let the user edit it (not very easy, nor should it 
be, it's their machine). You could also write the browser to always go to 
a page on YOUR machine (the server), and each time it does so upload a 
log of their previous traffic, which would mean their data for previous 
traffic would never be -completely- up to date unless they start up their 
browser, then immediately shut it down....  You could also have an "exit" 
routine where, whenever the user closes the browser, it makes a quick 
connection to you to upload traffic data (it could be stored in memory, 
thereby making it much harder for the user to tamper with)

>
>Last question? 
>What would be a recommended program language for this task, <if it canbe 
>done at all>.

Well, it would probably whatever language you initial browser code was in 
.. probably C ... unless you want to start from scratch ..


>
> Willy Lehotz - Web Master in training
>USDA - Consolidated Farm Service Agency
>http://bbskc.kcc.usda.gov/cfsa.htm <Choose the CFSA BBS, Email to Sysop>
>E-Mail a05wlehotz@attmail.com
>Voice  816-823-1910
>
>

________________________________________________________
Sent on 06/30/95 at 20:20:00 by ...
GBaysing@HiWAAY.net ==   Geoff Baysinger
                         http://Fly.HiWAAY.net/~gbaysing
WWW@HiWAAY.net      ==   Webmaster-HiWAAY Info. Services
                         http://WWW.HiWAAY.net/
Received on Friday, 30 June 1995 21:43:02 UTC