Fundamental Netscape hack
Of course, one of the most serious security problems with Netscape servers is that they run on machines sitting out there on the Internet where anybody who can browse their services can attack them - that 128-bit bullet-proof iron-clad front door isn't much help if the garage door is unlocked because of some sendmail bug.

For most web applications, the big security need is to send a chunk of encrypted data to some server that will decrypt it and get your credit-card number or whatever, but the standard SSL and S/HTTP protocols want to decrypt the data to plaintext on the Web server before it can do anything like that.

(OK, I guess this doesn't win me a T-Shirt, since enough other people have said similar things, but do I at least get a gif of the shirt and a crayon so I can roll my own? :-) Good work, folks!

#---
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
> (OK, I guess this doesn't win me a T-Shirt, since enough other people have said similar things, but do I at least get a gif of the shirt and a crayon so I can roll my own? :-) Good work, folks!
GIFs of the shirt will be available on the web page as soon as they are designed. (Times like these make me wish I owned a mac.)

--
sameer                                    Voice: 510-601-9777
Community ConneXion                         FAX: 510-601-9734
An Internet Privacy Provider             Dialin: 510-658-6376
http://www.c2.org (or login as "guest")    sameer@c2.org
On Tue, 19 Sep 1995, Bill Stewart wrote:
> Of course, one of the most serious security problems with Netscape servers is that they run on machines sitting out there on the Internet where anybody who can browse their services can attack them - that 128-bit bullet-proof iron-clad front door isn't much help if the garage door is unlocked because of some sendmail bug.
Or, even easier yet, improper httpd installation or users who have not been properly trained. NCSA's default configuration file makes document root a subtree. One major institution I deal with regularly (and the administrators should know better) changed the default setting, allowing users to store html files in their home directory. And, it seems, the file permissions were too lax. If a user had no index.html then I could just cruise through their home directory, view most files and, in some (inappropriate) cases, download them.

I told the administrator, and mailed him a copy of a user's address book (she was a friend and knew what I was doing before I did it). The situation has changed and is now more secure. But I wonder how many other institutions have an inappropriate DocumentRoot so (I guess) users can have a "single home directory"?

===========================================================================
Henry W. Farkas            | Me? Speak for IBM? Fat chance.
hfarkas@ims.advantis.com   |------------------------------------------------
hfarkas@vnet.ibm.com       | http://newstand.ims.advantis.com/henry
henry@nhcc.com             | http://www.nhcc.com/~henry
---------------------------------------------------------------------------
PGP 6.2.2 Key fingerprint: AA D0 F5 44 C1 8C 11 52 B3 80 34 1C CE 38 EC 53
Public key at: pgp-public-keys@pgp.mit.edu, and other popular key servers.
---------------------------------------------------------------------------
Brought to you by Henry's Hardware: Home of the Pretty Good Hack
"We're not fast, but it's not bad, and we're cheaper than the guy down the street!"
===========================================================================
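Henry's point above, a DocumentRoot that exposes users' home directories where a missing index.html and lax file permissions let anyone cruise through them, can be checked from the server side. The audit script below is an added example, not code from this thread: it walks a DocumentRoot, flags directories an index-enabled httpd would list and world-readable files that do not look like web content, and builds its own constructed sample tree (hypothetical users alice and bob) to run against.

```python
import os
import stat
import tempfile

# Extensions an httpd is expected to serve; anything else (and any dotfile)
# that is world-readable is treated as a likely accidental exposure.
WEB_SUFFIXES = (".html", ".htm", ".gif", ".jpg", ".txt")

def audit_docroot(docroot, index_names=("index.html",)):
    """Walk a DocumentRoot and return (kind, path-relative-to-docroot) findings.
    "no-index":       no index file, so an httpd with directory indexing
                      enabled would list the directory's contents.
    "world-readable": dot file or non-web file the httpd user could serve."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        if not any(n in files for n in index_names):
            findings.append(("no-index", rel_dir))
        for name in files:
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            looks_private = name.startswith(".") or not name.endswith(WEB_SUFFIXES)
            if looks_private and mode & stat.S_IROTH:
                rel = os.path.normpath(os.path.join(rel_dir, name))
                findings.append(("world-readable", rel))
    return findings

def build_sample_tree():
    """Constructed DocumentRoot pointing at a home-directory subtree
    (hypothetical users alice and bob; not real data)."""
    root = tempfile.mkdtemp(prefix="docroot-")

    def put(rel_path, text, mode):
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
        os.chmod(full, mode)  # set explicitly so the umask does not matter

    put("alice/index.html", "<h1>alice</h1>", 0o644)   # index present: no listing
    put("bob/home.html", "<h1>bob</h1>", 0o644)        # no index.html: listable
    put("bob/.addressbook", "carol 555-0100", 0o644)   # lax permissions: served
    put("bob/mail.mbox", "private", 0o600)             # owner-only: httpd cannot read
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for kind, path in sorted(audit_docroot(root)):
        print(f"{kind:15s} {path}")
```

Point `audit_docroot` at a real DocumentRoot to get the same report; a "no-index" entry for "." means the top of the tree itself would be listed.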