Re: WWW Security Hole -- Bull!

From: Marc VanHeyningen <mvanheyn@cs.indiana.edu>
To: www-talk@nxoc01.cern.ch
Subject: Re: WWW Security Hole -- Bull! 
In-reply-to: Your message of "Thu, 12 Aug 1993 15:48:29 EST."
             <9308122048.AA21121@wintermute.ncsa.uiuc.edu> 
Date: Thu, 12 Aug 1993 17:47:40 -0500
Message-id: <5842.745195660@moose.cs.indiana.edu>
Sender: mvanheyn@cs.indiana.edu
Status: RO

Marc A writes:
>SMTP is screwed, period.  We can't fix it.

No.  SMTP does exactly what it purports to do; it provides host-level
authentication (i.e. if someone SMTPs to my site, I can know what
address the connection came from.)  While it's possible to compromise
this in some cases by impersonating hosts or damaging routers, it
certainly isn't the kind of attack that any high school geek with a
modem could perpetrate.

What WWW (and also Gopher) offers is something without precedent a few
years ago; a very general ability to pass around objects which, when
received, cause someone else to perform a particular network
transaction without being specifically aware of doing so, potentially
turning clients into gateways.  Is it so surprising that there are new
security concerns?  I'm amazed (and pleased) there have been so few
problems.

- Marc
--
Marc VanHeyningen  mvanheyn@cs.indiana.edu  MIME, RIPEM & HTTP spoken here