Great Circle Associates Firewalls
(March 1994)
 


Subject: Re: Mosaic and ANS Interlock
From: Geoff Mulligan <Geoffrey . Mulligan @ Eng . Sun . COM>
Date: Tue, 29 Mar 94 15:28:00 PST
To: kshores @ cclink . draper . com
Cc: chasin @ crimelab . crimelab . com, firewalls @ GreatCircle . COM
In-reply-to: Your message of "Tue, 29 Mar 94 12:11:00 EST." <199403291715 . JAA03342 @ mycroft . GreatCircle . COM>

> > Fred wrote:
> >Is there anyone who has analyzed this for security implications? Why
> >buy a nice, strong, iron door and then cut big holes in it?  Scary
> >stuff, I think...  I'd love to see anyone's work on examining this
> >sort of thing through a firewall (anyone's).

> Ken wrote:
> Well, to continue the analogy, the whole point of having a door instead 
> of a wall is to be able to open it, when you want to.  The point of a 
> big iron door is not to let the other guy cut the holes.

I think Fred is asking, how big a hole are we cutting if we allow mosaic
through the firewall, big enough for a Mack truck or a moped?

> The big problem I see with things like Mosaic and Gopher is that the user 
> is insulated from the actual network activity in a way not seen with 
> protocols such as FTP and Telnet, in fact most users may not even be
> network literate; it's just a menu to them.  Why this is a problem is 
> that the user probably does not realize what's going on under the hood when
> he clicks on something.

The problem here is not the network activity which is the same as telnet
and ftp.  The problem is what happens after you grab some file, script or
program that may subvert your security.

> However, the point is that with these kinds of clients, you are delegating
> some of the responsibility for your security to end users, because each new
> application could add a similar hole that was open by default.

You are always delegating some responsibility for security to end users.
Allowing someone to bring in a file, script, or program on floppy or via
ftp could compromise security.  How many folks grab postscript files and
run some postscript viewer on their system...

I am not convinced that mosaic makes the problem that much worse.  I
would like someone to do some type of security assessment of mosaic and
httpd. 

I just checked comp.security.* and didn't see anything.

	geoff


