Re: WWW Security Hole -- Bull!

Robert Raisch (raisch@internet.com)
Thu, 12 Aug 1993 16:15:22 -0400 (EDT)


People say:

>> I always suspected there might be a problem with the WWW paradigm
>> regarding security; specifically, what if one of the protocols is
>> general enough that commands specified in it could be legal for some
>> other protocol?

and

>> WWW should be a safe place, where I can just point a beginner and have
>> him wander around. This needs to be fixed, fast.

and someone else mentions that telnet itself is inherently unsafe.

Let's face it folks, TCP/IP is unsafe. We are not working with technology
which protects us from the wolves. Anyone who is seriously concerned with
network security does not connect to the Internet. Period.

Ignoring the limitations of the underlying protocols for a moment, I have
said it before and I will say it again:

We should not hobble our most important and powerful tools to
compensate for the inadequacies of the legacy services on the
net.

We can spoof sendmail. Ok, fix sendmail and leave the tools
alone. I can use a sledgehammer to break into a house so
we make the possession of a sledgehammer a capital offence.
What utter nonsense!

We can telnet to arbitrary ports using 'telnet.' Ok, fix those
services which run on those ports. Crippling client software
because the server is insecure is asinine.

It's simply not our responsibility to restrict the first truly useful
tools we have developed to manage the complexities of information
navigation simply because the network has embraced hacks and
kludges instead of well developed services -- and if we take the tack
that it is, we swiftly become lost in thousands of twisty little
tunnels of paranoia, all alike.

Mime and a few people's well intentioned but misguided efforts
notwithstanding.

Apologies to any offended, but this is a hot button with me.

</rr>