Re: WWW Security Hole

brian@eitech.com (Brian Smithson)
Date: Thu, 12 Aug 93 14:52:22 PDT
From: brian@eitech.com (Brian Smithson)
Message-id: <9308121452.ZM18573@eitech.com>
In-Reply-To: "William M. Perry" <wmperry@cs.indiana.edu>
        "Re: WWW Security Hole" (Aug 12,  3:33pm)
References: <21805.745187594@hammerhead.cs.indiana.edu>
X-Mailer: Z-Mail (2.1.4 02apr93)
To: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole
Status: RO
Pardon me if this is horribly ignorant, but couldn't the WWW browser make an
attempt to identify the service to which it has connected?

Let's take Gopher as an example. Upon initial connection, Gopher doesn't
identify itself upon with something like "Welcome to gopher at <host.domain>",
and in fact, it says nothing when you connect to it.  That makes it kind of
difficult to make a positive identification, but a WWW browser can expect
to _not_ get a message back saying something like:

220 <host.domain> Sendmail 5.64/3.14 ready at <date>

or

200 <host.domain> news server ready - posting ok

Any unexpected messages like these should cause the browser to have second
thoughts about continuing the connection.  I haven't looked at every
service, but most seem have been modelled after the command/response
mechanism used in ftp and smtp, and they identify themselves upon initial
connection.

Admittedly, it is a real pain for a browser to validate services, but
it could skip validation if the connection was being made to the port which 
is normally associated with the service (e.g. 70 for Gopher).

Comments?

-- 
-Brian Smithson                                          brian@eitech.com
 Enterprise Integration Technologies                      +1 415 617 8009
 459 Hamilton Avenue, Palo Alto, CA 94301 USA         FAX +1 415 617 8019