echo: nthelp
to: Mike N.
from: Geo
date: 2005-01-30 19:23:06
subject: Re: Trim Your Short Hairs

From: "Geo" 

"Mike N."  wrote in message
news:8csqv0dtbp4itahvbfe8p059838s3108ed{at}4ax.com...
> On Sun, 30 Jan 2005 15:37:50 -0500, "Geo" wrote:
>
> >You cannot host .NET web sites where website owners are not trusted users.
> >Allowing untrusted users to upload executable code to a webserver where that
> >code cannot be strictly limited to just their site is counter to basic
> >security practices.
>
>    Is shared .NET web hosting inherently unsafe, or is it just
> mathematically impossible to prove it safe?  .NET is a bit different from
> the stupid earlier Microsoft default security of "it's ok to automatically
> execute ActiveX controls as long as they're signed".

Microsoft states that .NET security depends on secure practices by the
people coding .NET applications. As such, since every program cannot be
checked and approved by a security expert when you are dealing with a
200-website public host server, it is inherently unsafe.

For example, the .NET StateServer cookie buffer overflow bug: because the
coder doesn't check input from a cookie, it was possible to overflow a
buffer. In this case the coder was Microsoft, but any input needs to be
checked, and if web site owners can upload their own code, how do you know
they have done proper checking?

It's not something that is particular to the .NET framework; it's the whole
concept of allowing users to upload code that executes on the server that
is the issue. With ASP, the code is very limited in what it can do and
there really isn't any real coding (it's more like HTML than C++), but once
you allow users to execute their own compiled applications on the server
you have crossed a line. No problem if it's your corp server, because you
have trusted users, but with webhosting you can't treat all the users as
trusted and still be able to assure the other users that their websites are
secure.

Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
