RE: Security Issues and Browsers

Geoff Baysinger (gbaysing@hiwaay.net)
Fri, 30 Jun 95 20:19:59 CDT


>Cana "Browser" be written so that a Network/Security Admin could "check"
>on the User?

If it's the admin on the user's end ... not without filtering all of the
user's IP traffic, a very dirty process, would take a LOT of machine time
and would definitely be a privacy issue ... I'd drop any service I
thought was monitoring me (beyond the time online issue, which SHOULD be
monitored by connect time, not traffic)

If you wanted to write your own browser and force the user to use it,
then I suppose you could log all the statistics and have them sent to you
...

essentially the user would be unable to use other browsers, something I
would like almost as little as having my traffic monitored, but it could
do anything you requested below (which, to some extent AOL, and Prodigy
do ... I believe Netcom now allows users to choose their browser.)

An option you MIGHT look into is using a Proxy server ... Cern and
Netsite (from the makers of Netscape) make WWW servers that can be used
as proxies ... a Proxy goes and gets the document for the user, then
feeds it to their browser ... you could monitor alot, if not all, the
information you wanted through server logs ... and you could hack the
server code (if you can get it) to include anything your logs don't
already keep ...

You'd HAVE to run your machine behind a firewall, which would then force
the browsers to go to the proxy server (not all browsers support proxies,
but they are becoming more common) ... Actually, if this option works
(using a proxy server) I applaud that ... I would much rather have my
time limited to actual traffic than to connect time if I had a -daily-
limit ... but still dislike the idea of monitoring where the user goes!

On Fri, 30 Jun 1995 12:17:37 -0500 (CDT) Willy Lehotz wrote:
>Question 1:
> Check one is the Time the user started a session.
> Check two is the IP the user requests
> Check three is lenght of "surf" time.
> Check four did user "save to disk" any GIFS\JPG.

You can't do this (#4) -period- with a proxy server ... you would require
homemade browser ... (why do you need to know this?)

> Check five is end of session.
><see where I am going with this?>

Yes, and it's kinda scary

>
>Question 2:
>Can the browser be written to limit time <such as in a timer>?

Well, as you may have guessed, you can write your browser to do whatever
you want ... you could also probably do some hacking on a proxy server to
only allow users to use it for a certain amount of time, and then feed a
message that their time is up ... you'd probably have to use Cern as I
doubt MCom (Netsite) would release their code without a CHUNK of change
...

>
>Question 3:
>Can the browser output this information into a log file or could it
>be configured to start up an internal "homepage" and the information be
>captured at this point?

Hmm, almost all browsers can load a homepage automatically .. if you want
it to be local to the user you would need to code that into the initial
setup program, and not let the user edit it (not very easy, nor should it
be, it's their machine). You could also write the browser to always go to
a page on YOUR machine (the server), and each time it does so upload a
log of their previous traffic, which would mean their data for previous
traffic would never be -completely- up to date unless they start up their
browser, then immediately shut it down.... You could also have an "exit"
routine where, whenever the user closes the browser, it makes a quick
connection to you to upload traffic data (it could be stored in memory,
thereby making it much harder for the user to tamper with)

>
>Last question?
>What would be a recommended program language for this task, <if it canbe
>done at all>.

Well, it would probably whatever language you initial browser code was in
.. probably C ... unless you want to start from scratch ..

>
> Willy Lehotz - Web Master in training
>USDA - Consolidated Farm Service Agency
>http://bbskc.kcc.usda.gov/cfsa.htm <Choose the CFSA BBS, Email to Sysop>
>E-Mail a05wlehotz@attmail.com
>Voice 816-823-1910
>
>

________________________________________________________
Sent on 06/30/95 at 20:20:00 by ...
GBaysing@HiWAAY.net == Geoff Baysinger
http://Fly.HiWAAY.net/~gbaysing
WWW@HiWAAY.net == Webmaster-HiWAAY Info. Services
http://WWW.HiWAAY.net/