Re: WWW Security Hole

From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
To: marca@ncsa.uiuc.edu (Marc Andreessen)
Cc: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole 
In-reply-to: Your message of "Thu, 12 Aug 1993 16:15:13 EST."
             <9308122115.AA21221@wintermute.ncsa.uiuc.edu> 
Date: Thu, 12 Aug 1993 16:53:18 -0500
Message-id: <3705.745192398@moose.cs.indiana.edu>
Sender: mvanheyn@cs.indiana.edu
Status: RO
Thus wrote: 
>rhb@hotsand.att.com writes:
>> What I'm more concerned with now is your comments on the insecurity
>> of WWW itself.  If this is clearly true, we will have to immediately
>> pull it off all our machines here (which we'll need to do if there
>> isn't a "comfortable" answer to this...).  Once this is done, I
>> suspect we'll never be able to put mosaic back.  I'm sure everyone
>> across the board in corporate settings will have to do so also, so
>> let's see if we can resolve this QUICKLY and satisfactorily to keep
>> WWW going strong.
>
>You run Unix and TCP/IP on your systems, accept the security risks
>therein, and yet think it's a crisis when it turns out that
>WWW/Mosaic/Gopher/etc. are no more secure than all the rest of the
>package?  Does that really make sense?

Yes.  AT&T uses firewalls up the wazoo.  Having objects imported
through a firewall which cause network transactions specified by
someone outside the wall to be performed within it has the effect of
bypassing its protection, and thus involves a lot more risks than
plain old FTP/SMTP/NNTP/etc.

- Marc
--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here