Re: WWW Security Hole

Marc VanHeyningen <>
From: Marc VanHeyningen <>
To: (Marc Andreessen)
Subject: Re: WWW Security Hole 
In-reply-to: Your message of "Thu, 12 Aug 1993 16:15:13 EST."
Date: Thu, 12 Aug 1993 16:53:18 -0500
Message-id: <>
Status: RO

Thus wrote:
> writes:
>> What I'm more concerned with now is your comments on the insecurity
>> of WWW itself.  If this is clearly true, we will have to immediately
>> pull it off all our machines here (which we'll need to do if there
>> isn't a "comfortable" answer to this...).  Once this is done, I
>> suspect we'll never be able to put mosaic back.  I'm sure everyone
>> across the board in corporate settings will have to do so also, so
>> let's see if we can resolve this QUICKLY and satisfactorily to keep
>> WWW going strong.
>You run Unix and TCP/IP on your systems, accept the security risks
>therein, and yet think it's a crisis when it turns out that
>WWW/Mosaic/Gopher/etc. are no more secure than all the rest of the
>package?  Does that really make sense?

Yes.  AT&T uses firewalls up the wazoo.  Having objects imported
through a firewall which cause network transactions specified by
someone outside the wall to be performed within it has the effect of
bypassing its protection, and thus involves a lot more risks than
plain old FTP/SMTP/NNTP/etc.

- Marc
Marc VanHeyningen  MIME, RIPEM & HTTP spoken here