pshanks
2007-10-24, 00:54
The idea of using hosts file entries to block illegitimate requests is sound, but it could be more flexible to co-exist with apps that dynamically alter the hosts file for other purposes (e.g., SSL-VPN clients).
I recommend adding a setting to the Advanced Config options to allow the user to set an alternate loopback address other than the default 127.0.0.1 for blocked site addresses, for example 127.0.0.99. Alternatively, make the default address something more unusual, like 127.0.0.251.
The reason is that software like the Juniper Networks JSAM client listens on ports 80 and 443 of loopback addresses to tunnel requests to an SSL-VPN gateway. In fact, JSAM may use a whole range of 127.0.0.x addresses, depending on how it is configured. Such a configuration would not necessarily be seen at install time, because JSAM alters the hosts file dynamically and cleans up after itself on exit.
Users afflicted with spyware have enough problems without having unintended requests for "sexpicsporn.com" getting logged at webservers behind their SSL-VPN gateway. Allowing them to configure alternate loopback addresses could solve that problem.
An even more elegant approach would be to scan the registry at install time for known SSL-VPN clients, and give the user an opportunity to specify something other than 127.0.0.1 for the loopback address, based on what is found.
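The collision the post describes can be checked mechanically before a blocklist is written. The following is an added Python example, not code from the post or from any hosts-file blocking product: it parses a constructed hosts file, collects the loopback addresses that non-blocklist entries (such as a VPN client's 127.0.0.x mappings) already point at, picks the first candidate loopback address that is still free, and repoints only the blocklist lines. The `# blocklist` comment tag marking blocklist lines is an assumed convention.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
BLOCKLIST_TAG = "blocklist"  # assumed: blocklist lines carry a "# blocklist" comment

# Constructed sample hosts file: localhost, two VPN-client mappings, two blocklist entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.251     intranet.example       # vpn client
127.0.0.2       mail.example           # vpn client
127.0.0.1       ads.example.test       # blocklist
127.0.0.1       tracker.example.test   # blocklist
"""

def parse_hosts(text):
    """Yield (ip, hostname, is_blocklist) for every hostname in the file."""
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        parts = body.split()
        if len(parts) < 2:
            continue  # blank or comment-only line
        is_block = comment.strip() == BLOCKLIST_TAG
        for host in parts[1:]:
            yield parts[0], host, is_block

def loopbacks_in_use(text):
    """Loopback addresses that non-blocklist entries already point at."""
    return {str(ipaddress.ip_address(ip)) for ip, _, is_block in parse_hosts(text)
            if not is_block and ipaddress.ip_address(ip) in LOOPBACK}

def choose_loopback(text, candidates=("127.0.0.251", "127.0.0.99")):
    """Return the first candidate that is a loopback address nobody else uses."""
    used = loopbacks_in_use(text)
    for cand in candidates:
        if ipaddress.ip_address(cand) not in LOOPBACK:
            raise ValueError(f"{cand} is not in 127.0.0.0/8")
        if cand not in used:
            return cand
    raise ValueError("every candidate loopback address is already in use")

def rewrite_blocklist(text, new_ip):
    """Repoint blocklist lines to new_ip; every other line is returned verbatim."""
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")
        parts = body.split()
        if parts and comment.strip() == BLOCKLIST_TAG:
            body = new_ip.ljust(16) + " ".join(parts[1:]) + "   "
        out.append(body + sep + comment)
    return "\n".join(out) + "\n"
```

With the sample above, 127.0.0.251 is rejected because the VPN client already maps a hostname to it, so the blocklist lines are repointed to 127.0.0.99 while the localhost and VPN lines are left untouched.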