This is a good reason for browsers to keep good log files of what they do.
Also, the big problem is the behind-the-user's-back aspect of <IMG>
retrieval. At least, with normal links the user can see the URL
before clicking on it. So paranoids might want to have browsers that
let them verify non-standard requests on these.
> In general, safety is more important than functionality. Period.
> That's why we have speed limits on roads, and that's why we need this
> fix.
I agree that this should be fixed. For gopher it seems reasonable to
limit access to only ports 70 and >1024. Sites that use ports <1024 that
aren't port 70 are broken. As far as I know there is only one that matters:
doppler.ncsc.org:71, big deal (allow 70 and 71 if you want). nic.ddn.mil:43
is the other and it's just a goofy gopher/whois port, all the information
is via the whois protocol, the gopher part is just fluffy user interface.
(BTW: for those of you "worried" about WWW, you should be worried about
gopherd, it has much bigger security holes per the CERT advisory).
MarcV -- do you know of any other security holes besides gopher?
I can't think of any off the top of my head.
--sanders
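
The port rule proposed in the message above (gopher only on port 70 or on ports above 1024, with 71 as an optional exception), written out as a check a client could run before fetching a gopher URL. This is an added example, not part of the original message or of any browser's code; the function names and the gopher.example.org URLs are constructed for illustration, and the other two hosts are the ones the message names.

```python
from urllib.parse import urlsplit

GOPHER_DEFAULT_PORT = 70      # used when the URL names no port
PRIVILEGED_PORT_LIMIT = 1024  # only ports strictly above this are allowed


def check_gopher_url(url, extra_low_ports=()):
    """Apply the port rule to one gopher URL; return (allowed, reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "gopher":
        return False, "not a gopher URL"
    if not parts.hostname:
        return False, "no host"
    try:
        port = parts.port  # raises ValueError if non-numeric or > 65535
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = GOPHER_DEFAULT_PORT
    if port == GOPHER_DEFAULT_PORT:
        return True, "standard gopher port"
    if port > PRIVILEGED_PORT_LIMIT:
        return True, "unprivileged port"
    if port in extra_low_ports:
        return True, "explicitly allowed low port"
    return False, f"port {port} is a low port other than 70"


def refused_requests(urls, extra_low_ports=()):
    """Return (url, reason) for each gopher URL the rule refuses, for logging."""
    refused = []
    for url in urls:
        allowed, reason = check_gopher_url(url, extra_low_ports)
        if not allowed:
            refused.append((url, reason))
    return refused


# Constructed sample input: URLs as they might appear in inline references.
SAMPLE_URLS = [
    "gopher://gopher.example.org/1/",      # no port given, defaults to 70
    "gopher://gopher.example.org:7070/1/", # above 1024
    "gopher://doppler.ncsc.org:71/",       # allowed only if 71 is opted in
    "gopher://nic.ddn.mil:43/",            # whois port, refused
    "gopher://gopher.example.org:1024/",   # boundary: not above 1024
]

if __name__ == "__main__":
    for url, reason in refused_requests(SAMPLE_URLS, extra_low_ports={71}):
        print("REFUSED", url, "-", reason)
```

Writing each refusal to the client's log also gives the record of requests that the message's first line asks for.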