AOL fixing Microsoft default settings

Chris Brenton cbrenton at chrisbrenton.org
Fri Oct 24 12:31:04 UTC 2003


On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
> On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
> > http://www.securityfocus.com/news/7278
> > 
> > How many other ISPs intend to follow AOL's practice and use their
> > connection support software to fix the defaults on their customers'
> > Windows computers?
> 
> 	Sounds good to me.  The potential for these users
> to be less-than-educated enough about the existence of
> this "feature" means that the potential for this to
> increase the overall network security is a good thing.

Does anyone know anything about what security has been put in place for
this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers'
behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
exploitable?

I think the intention is admirable, but it has the potential to be a
real nightmare if implemented incorrectly. The fact that it can all
happen without the knowledge of the end user means even a savvy user
could get whacked if the underlying structure is insecure.

C