On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
> On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> > http://www.securityfocus.com/news/7278
> > How many other ISPs intend to follow AOL's practice and use their connection support software to fix the defaults on their customers' Windows computers?
>
> Sounds good to me. The potential for these users to be less-than-educated enough about the existence of this "feature" means that the potential for this to increase the overall network security is a good thing.

Does anyone know anything about what security has been put in place for this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers' behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it exploitable?

I think the intention is admirable, but it has the potential to be a real nightmare if implemented incorrectly. The fact that it can all happen without the knowledge of the end user means even a savvy user could get whacked if the underlying structure is insecure.

C