Re: WWW Security Hole -- Bull! -- Bull!

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Message-id: <9308130044.AA16246@austin.BSDI.COM>
To: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole -- Bull! -- Bull! 
In-Reply-To: Marc VanHeyningen's message of Thu, 12 Aug 93 16:46:53 CDT.
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Thu, 12 Aug 1993 19:44:01 -0500
From: Tony Sanders <sanders@bsdi.com>
> location of the request; say, the president or CEO or their
> company/University/etc.) and the contents of such mail sufficiently
> bad (say, brutal rape and death threats) it would not be difficult to
> envision having accounts yanked, being fired or expelled, and the like
> to happen to many people before the truth was discovered (if it ever
> was; depends how clever I was about it.)
This would never happen; a simple grep through the user's files would find
the offensive data in the .mosaic-global-history file, and from there it
wouldn't take a genius to figure out the rest.  The site serving the
offending data would probably have their net connection yanked in short
order until things could be sorted out.

This is a good reason for browsers to keep good log files of what they do.

Also, the big problem is the behind-the-user's-back aspect of <IMG>
retrieval.  At least with normal links the user can see the URL
before clicking on it.  So paranoids might want to have browsers that
let them verify non-standard requests on these.

> In general, safety is more important than functionality.  Period.
> That's why we have speed limits on roads, and that's why we need this
> fix.

I agree that this should be fixed.  For gopher it seems reasonable to
limit access to only ports 70 and >1024.  Sites that use ports <1024 that
aren't port 70 are broken.  As far as I know there is only one that matters:
doppler.ncsc.org:71, big deal (allow 70 and 71 if you want).  nic.ddn.mil:43
is the other, and it's just a goofy gopher/whois port: all the information
is via the whois protocol; the gopher part is just fluffy user interface.

(BTW: for those of you "worried" about WWW, you should be worried about
gopherd, it has much bigger security holes per the CERT advisory).

MarcV -- do you know of any other security holes besides gopher?
I can't think of any off the top of my head.

--sanders
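The port policy proposed in this message (gopher only on 70, an optional extra such as 71, and unprivileged ports >1024) together with the idea of letting the browser flag non-standard requests it would make on its own, written up as an added example; this is not code from the original thread or from any browser, and the default-port table, the extra-port set and the allow/confirm/deny labels are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Default port per scheme (assumed table for this example).
DEFAULT_PORTS = {"gopher": 70, "http": 80, "ftp": 21}

# Privileged gopher ports tolerated besides 70; 71 is the one the
# message singles out (doppler.ncsc.org:71).
EXTRA_GOPHER_PORTS = frozenset({71})


def effective_port(parts):
    """Port the fetch would connect to, or None if the URL is unparseable."""
    try:
        port = parts.port          # ValueError on junk or out-of-range ports
    except ValueError:
        return None
    if port is None:               # no explicit port: use the scheme default
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return port


def gopher_port_allowed(port):
    """The message's rule: port 70, a listed extra, or an unprivileged port."""
    return port == 70 or port in EXTRA_GOPHER_PORTS or port > 1024


def decide(url, inline):
    """Return 'allow', 'confirm' (ask the user first) or 'deny' for one fetch.

    inline=True means the browser would issue the request on its own, as for
    an <IMG> source the user never saw; inline=False is a link the user clicked.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = effective_port(parts)
    if scheme not in DEFAULT_PORTS or port is None or not parts.hostname:
        return "deny"              # unknown scheme or malformed URL
    if scheme == "gopher" and not gopher_port_allowed(port):
        return "deny"              # privileged gopher port other than 70/71
    if inline and port != DEFAULT_PORTS[scheme]:
        return "confirm"           # non-standard request behind the user's back
    return "allow"
```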