Re: WWW Security Hole

Marc VanHeyningen (mvanheyn@cs.indiana.edu)
Thu, 12 Aug 1993 16:53:18 -0500


Thus wrote:
>rhb@hotsand.att.com writes:
>> What I'm more concerned with now is your comments on the insecurity
>> of WWW itself. If this is clearly true, we will have to immediately
>> pull it off all our machines here (which we'll need to do if there
>> isn't a "comfortable" answer to this...). Once this is done, I
>> suspect we'll never be able to put mosaic back. I'm sure everyone
>> across the board in corporate settings will have to do so also, so
>> let's see if we can resolve this QUICKLY and satisfactorily to keep
>> WWW going strong.
>
>You run Unix and TCP/IP on your systems, accept the security risks
>therein, and yet think it's a crisis when it turns out that
>WWW/Mosaic/Gopher/etc. are no more secure than all the rest of the
>package? Does that really make sense?

Yes. AT&T uses firewalls up the wazoo. Having objects imported
through a firewall which cause network transactions specified by
someone outside the wall to be performed within it has the effect of
bypassing its protection, and thus involves a lot more risks than
plain old FTP/SMTP/NNTP/etc.

- Marc

--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here