Anzio in a web page
Fairlight
fairlite at fairlite.com
Wed Apr 5 12:09:43 PDT 2006
Y'all catch dis heeyah? Walter Vaughan been jivin' 'bout like:
> I changed the URI to ssh: instead of telnet: and pointed to one of our
> FreeBSD servers. It seems like it should work that way, except I get
> an error message
I couldn't believe what you were saying, so I tried it myself.
This app needs some security issues addressed.
1) You can copy the form, use 'x' site's codebase (and presumably licenses
I'm guessing since you wouldn't want everyone using your web site to have
to purchase their own license or have a nag screen--at the very least,
bandwidth spent retrieving the app) to connect to places they don't intend
on your connecting to. The destination should be hardwired into the
configuration on the server with no possibility of retrieval from remote or
mutability from a third party.
2) I was easily able to retrieve the .def file, and had there been a
password present, I'd have direct access to a username and password for an
account. Someone might not -want- anyone coming in except from the web
page application. In any event, I can't think of a situation outside of
public access systems like a library where giving out passwords is a good
idea. The definition file should be irretrievable via the web server, and
therefore unavailable for human consumption.
The opportunities for cross-site scripting and account theft are abundant
as it stands right now. I'd never deploy this in production on that basis
alone. Unless it can be locked so that none of the user credentials are
ever obtainable, and so that the destination is immutable, it's a complete
no-go from a security standpoint, IMHO.
Installation probably won't fly with Firefox. I have the ActiveX module
installed, and every time there's been an ActiveX control to install, I've
needed to use IE to install it, and then it works with Firefox. This was
the case with both iVocalize and GameSpy's downloader (used with gamespy
and direct2drive). Firefox won't do the installation bits, at least from
what I've seen, even with the module. In this case, I used IE6 to install
and test. Firefox still won't actually use it. Must be bound more tightly
to the browser than the other two apps (which will actually run standalone,
so I surmise that the whole thing is an ActiveX control, rather than -just-
the installer). About all the Firefox ActiveX module has ever been good
for is playing inline multimedia files, honestly, so this isn't really
Anzio's fault. Although I'd say that going with Java would have been
significantly more compatible. And MS continues to lose browser market
share. Not sure ActiveX was a wise choice--anyone wanting to deploy this
more or less will need to mandate IE. That's going to be a bigger
detractor than it would have been one or two years back.
No offense. You asked for opinions; those're mine.
mark->
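Points 1) and 2) above boil down to one check a deployer would want to run before going live: is anything under the web server's document root a definition file, and does any such file carry an account password? The script below is an added example, not Anzio's, filePro's or the poster's code. It assumes a hypothetical .def layout of plain key=value lines (Host, Username, Password); the post does not describe the real format, so adjust `parse_definition` to match it. The sample tree it builds is constructed data.

```python
"""Scan a web document root for terminal-definition (.def) files that a browser
could fetch, and flag the ones carrying stored credentials.

Added example, not Anzio's or filePro's own code. The .def format is assumed
to be simple key=value lines (Host, Username, Password); the post does not
describe the real layout.
"""
import tempfile
from pathlib import Path

# Keys that, if present with a non-empty value, mean the file hands out an account.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "secret"}
DEFINITION_SUFFIX = ".def"


def parse_definition(text):
    """Parse key=value lines; ';' and '#' start comments. Keys are lower-cased."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def find_exposed_definitions(docroot):
    """Return [(relative path, [credential keys found])] for each .def under docroot.

    Everything under the docroot is presumed fetchable unless the server denies it,
    so each entry is a finding; the ones with a non-empty key list are the serious
    ones (a working username/password for a server account, as in point 2).
    """
    root = Path(docroot)
    findings = []
    for path in sorted(root.rglob("*" + DEFINITION_SUFFIX)):
        if not path.is_file():
            continue
        entries = parse_definition(path.read_text(errors="replace"))
        creds = sorted(k for k, v in entries.items() if k in CREDENTIAL_KEYS and v)
        findings.append((path.relative_to(root).as_posix(), creds))
    return findings


def build_demo_tree():
    """Build a throwaway tree (constructed sample data); return (docroot, confdir).

    docroot/public/anzio.def   -- exposed, with a password (the case the post describes)
    docroot/public/nopass.def  -- exposed, but without credentials
    confdir/anzio.def          -- outside the docroot, where the definition belongs
    """
    base = Path(tempfile.mkdtemp(prefix="anzio-demo-"))
    docroot = base / "htdocs"
    confdir = base / "conf"
    (docroot / "public").mkdir(parents=True)
    confdir.mkdir()
    (docroot / "public" / "anzio.def").write_text(
        "; sample definition (constructed)\n"
        "Protocol = ssh\nHost = bsd1.example.test\n"
        "Username = webuser\nPassword = hunter2\n"
    )
    (docroot / "public" / "nopass.def").write_text(
        "Protocol = ssh\nHost = bsd1.example.test\nUsername = webuser\nPassword =\n"
    )
    (confdir / "anzio.def").write_text("Host = bsd1.example.test\nPassword = hunter2\n")
    return str(docroot), str(confdir)


if __name__ == "__main__":
    docroot, confdir = build_demo_tree()
    for rel, creds in find_exposed_definitions(docroot):
        status = ("EXPOSES CREDENTIALS: " + ", ".join(creds)) if creds else "exposed (no credentials)"
        print(f"{rel}: {status}")
    print("definition kept outside the docroot:", Path(confdir) / "anzio.def")
```

Any hit at all is a finding, because a file under the docroot is one misconfiguration away from being served even if a `<FilesMatch "\.def$">` block with `Deny from all` (Apache 2.2 syntax) currently blocks it. Keeping the definition outside the docroot, with the destination fixed in server-side configuration as point 1 asks, is the fix that survives the next config edit.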