Re: WWW Security Hole -- Bull!

Marc VanHeyningen ([email protected])
Thu, 12 Aug 1993 17:47:40 -0500


Marc A writes:
>SMTP is screwed, period. We can't fix it.

No. SMTP does exactly what it purports to do; it provides host-level
authentication (i.e. if someone SMTPs to my site, I can know what
address the connection came from.) While it's possible to compromise
this in some cases by impersonating hosts or damaging routers, it
certainly isn't the kind of attack that any high school geek with a
modem could perpetrate.

What WWW (and also Gopher) offers is something without precedent a few
years ago; a very general ability to pass around objects which, when
received, cause someone else to perform a particular network
transaction without being specifically aware of doing so, potentially
turning clients into gateways. Is it so surprising that there are new
security concerns? I'm amazed (and pleased) there have been so few
problems.

- Marc

--
Marc VanHeyningen  [email protected]  MIME, RIPEM & HTTP spoken here