Paul A Gauthier wrote:
Patrick Horgan wrote:
From: "K. M. Ellis" <kelli@zeus.towson.edu>
I'd love to see something in there about most commercial sites being behind firewalls without nfs access across the firewall. This greatly reduces the
It might also be worth noting that people accessing the net via an ISP from home do not typically use NFS either.
They don't often have the skill/knowledge/concern to verify a PGP checksum to ensure someone didn't patch their browser, either.
I don't believe that my posting of PGP signed checksums last night is a final solution that will make the world safe for all end users. I'm rather insulted that you imply that I do. If you read Markoff's article, you will see that we have stated that we are working on a more global solution.
People seem to miss that the NFS hack was only an _example_ of a powerful way to silently destroy the integrity of an executable. Spoofing the insecure FTP session they used to retrieve it works. Sending them a random trojan horse works. The point was not that NFS is insecure. It was that unless you can authenticate your executables as being trustworthy NOTHING ELSE MATTERS.
SSL, good RNGs for session key selection, etc, are all null and void if you run (any) untrusted software that patches your Netscape executable, for example, or if you got a bum copy to start with.
I think everyone agrees that if you don't check the bits you get from an insecure FTP session, or if you let a bad guy write to your disk, then you may be in trouble. The point is that you and a few reporters are running around yelling at the top of your lungs that internet commerce is totally doomed because it is possible for users to infect their systems with viruses. In the case of Netscape, users who are worried about their binary being infected during downloading could actually buy the product, either in their local computer store or from us directly. Perhaps you have a solution to offer to this whole problem? --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw@netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine.