Re: Insecure WWW Access Authorization Protocol?

michael shiplett <michael.shiplett@umich.edu>
Errors-To: listmaster@www0.cern.ch
Date: Tue, 8 Mar 1994 22:00:46 --100
Message-id: <199403082056.PAA27600@totalrecall.rs.itd.umich.edu>
Reply-To: michael.shiplett@umich.edu
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: michael shiplett <michael.shiplett@umich.edu>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: Insecure WWW Access Authorization Protocol? 
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 734

"ts" == Tony Sanders <sanders@BSDI.COM> writes:

ts> michael shiplett writes:

pl> beforehand is the URL, we must map the URL to a Kerberos
pl> principal.

ts> You cannot trust the URL anymore than you can trust the server
ts> reply.
  The URL is as trustworthy as the source of the URL--whether the
source is in or out of band.

Examples:

a) A university or organization publication (e.g., a computing guide,
   faculty and staff newsletter, etc.) recommends that users without
   their own home pages default to
   http://www.our.domain.here/homepage.html.

b) A friend tells you about a great new service and suggests
   that you try it.

  If you don't trust *any* URL, you may as well forget about running a web
browser.

michael