Re: WWW Security Hole -- Bull! -- Bull!

rhb@hotsand.att.com
From: rhb@hotsand.att.com
Date: Thu, 12 Aug 93 18:21:41 EDT
Original-From: hotsand!rhb (Rich Brandwein)
Message-id: <9308122221.AA16889@hotsand.dacsand>
To: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole -- Bull! -- Bull!
Status: RO
>  
>  Of course, if word becomes widespread that WWW allows firewalls to be
>  bypassed and security weaknesses to be exploited, corporate sites
>  running firewalls will be unwilling to allow HTTP packets pass through
>  for their users.  This is why it's important to fix it quickly; we
>  have already heard from at least one large company who could get rid
>  of WWW if it's seen as insecure.

Unfortunately, your mechanism of alerting people to the problem may
in fact cause this message to spread.  We were aware of the CERT 
security bulletin (which didn't explain the problem, possibly
for security reasons).  A graphic example of the problem, which
you've put up, may have unintentionally caused more harm than good.
Instead of following the route of alerting Marc and other developers to the
problem and fixing it before word got out, we now have a situation
where we have known insecure clients (luckily word hasn't gone out
to the usenet list).   A CERT bulletin is around the corner - we're 
already patching as fast and as best we can, but ...

Rich Brandwein