FV, Netscape and security as a product
Nathaniel Borenstein
nsb at nsb.fv.com
Sat Feb 3 12:49:09 PST 1996
Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi..
Jeff Weinstein at netscape. (985*)
> > Netscape and FV have both taken a
> > "security is a product" stance, which is a gross misrepresentation.
> We are definitely moving away from the "security is a product" stance
> that you mention. It was definitely overdone in the early days of the
> product, but after the security bugs of the summer I and others were
> able to convince marketing that they should back off. I want it to
> be clear what our product can and can not do. For example, SSL can
> only protect data in transit between two machines. If either machine
> is compromised then the data can be stolen at that end. Our product
> does not attempt to secure the user's machine, and can not operate
> securely on an insecure machine. Expect to see warnings and disclaimers
> of this nature from us in the future.

I applaud this clear, sensible, and correct statement. Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as
"security is a product". Quite the contrary, we keep talking about
security as a *process*. It's made up of multiple layers, which may
include digital signatures, encryption, hard-to-sniff identifiers,
out-of-band mechanisms, confirmation loops, vigorous investigation of
attempted fraud, and probably many other things, not to mention more
"traditional" aspects of server-level security.

-- Nathaniel
--------
Nathaniel Borenstein <nsb at fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq at nsb.fv.com