Re: WWW Security Hole -- Bull!

Robert Raisch <raisch@internet.com>
Date: Thu, 12 Aug 1993 16:15:22 -0400 (EDT)
From: Robert Raisch <raisch@internet.com>
Subject: Re: WWW Security Hole -- Bull!
To: www-talk@nxoc01.cern.ch
Message-id: <Pine.3.03.9308121622.A23538-b100000@ursa-major>

People say:

>>	I always suspected there might be a problem with the WWW paradigm
>>	regarding security; specifically, what if one of the protocols is
>>	general enough that commands specified in it could be legal for some
>>	other protocol?

and

>>	WWW should be a safe place, where I can just point a beginner and have
>>	him wander around.  This needs to be fixed, fast.

and someone else mentions that telnet itself is inherently unsafe.

Let's face it folks, TCP/IP is unsafe.  We are not working with technology
which protects us from the wolves.  Anyone who is seriously concerned with
network security does not connect to the Internet. Period.

Ignoring the limitations of the underlying protocols for a moment, I have
said it before and I will say it again:

	We should not hobble our most important and powerful tools to
	compensate for the inadequacies of the legacy services on the
	net.  

	We can spoof sendmail.  Ok, fix sendmail and leave the tools
	alone.  I can use a sledgehammer to break into a house so 
	we make the possession of a sledgehammer a capital offence.  
	What utter nonsense!

	We can telnet to arbitrary ports using 'telnet.'  Ok, fix those
	services which run on those ports.  Crippling client software
	because the server is insecure is asinine.

	It's simply not our responsibility to restrict the first truly useful
	tools we have developed to manage the complexities of information
	navigation simply because the network has embraced hacks and 
	kludges instead of well-developed services -- and if we take the tack 
	that it is, we swiftly become lost in thousands of twisty little 
	tunnels of paranoia, all alike.

	MIME and a few people's well-intentioned but misguided efforts 
	notwithstanding.

Apologies to any offended, but this is a hot button with me.

	</rr>