
Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi.. Jeff Weinstein@netscape. (985*)
Netscape and FV have both taken a "security is a product" stance, which is a gross misrepresentation.
We are definitely moving away from the "security is a product" stance that you mention. It was definitely overdone in the early days of the product, but after the security bugs of the summer I and others were able to convince marketing that they should back off. I want it to be clear what our product can and can not do. For example, SSL can only protect data in transit between two machines. If either machine is compromised then the data can be stolen at that end. Our product does not attempt to secure the user's machine, and can not operate securely on an insecure machine. Expect to see warnings and disclaimers of this nature from us in the future.
I applaud this clear, sensible, and correct statement. Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as "security is a product". Quite the contrary, we keep talking about security as a *process*. It's made up of multiple layers, which may include digital signatures, encryption, hard-to-sniff identifiers, out-of-band mechanisms, confirmation loops, vigorous investigation of attempted fraud, and probably many other things, not to mention more "traditional" aspects of server-level security.
-- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com