Re: Suggestion for a new URL type

Rob Raisch <raisch@ora.com>
Date: Sat, 26 Jun 1993 15:59:37 -0400 (EDT)
From: Rob Raisch <raisch@ora.com>
Subject: Re: Suggestion for a new URL type 
To: "William M. Perry" <wmperry@nectarine.ucs.indiana.edu>
Cc: www-talk@nxoc01.cern.ch
In-reply-to: <8346.741121113@nectarine.ucs.indiana.edu>
Message-id: <Pine.3.03.9306261536.R5397-b100000@amber.ora.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I strongly disagree.  The security issue is inherent in the network, not
in URLs. We should not attempt to scale some moral high ground simply to
stop up some possible security holes, which are not ours to stop up in the
first place. 

The answer to insecure network services is to make them more secure, not
to limit the deployment and usefulness of URLs. 

If a dedicated cracker wishes to break the system, I would suggest that
writing an HTML document, and using that as a lock pick on doors which
have no locks to begin with, would be a marvelous exercise in stupidity.

	</rr>

On Sat, 26 Jun 1993, William M. Perry wrote:

>    What about security?  What if some bozo decided to put a url like:
> 
> tcp://some.generic.news.server:nntp/line#1\nCODE TO FORGE NEWSGROUP\n...
> 
> or
> 
> tcp://some.generic.news.server:25/HELO some.host\nRCPT TO: root\nMAIL
> FROM: stupid.user\nDATA\n Hey bozo - <Very derogative statements> Love
> - stupid.user\n.\nQUIT\n
> 
> And called it something like "Man Pages For Ultrix"?
> 
> Could lead to some interesting discussions with your local sysadmin if
> you clicked on that second one. :)
> 
> I talked with Marc Vanheyningen about this a few months ago, and he
> convinced me that it would be a _BAD THING_ to do something like this.
> Not that there are many bozos out there that would do one of the
> above, but it would only take one or two to cause some real trouble.
> 
> -Bill Perry