On Thu, 6 Jun 96 11:36:49 +0200, Martin Hauser wrote:
> OK - this seems to work, but how secure is it? Are there any specs available
> for this compuserve protocol (Compuserve has not been responsive for such
> requests in the past)? Before opening a hole in the wall it would be nice to
> know more about the protocol.

Not as far as I know.

This is a problem with any protocol for which no specifications are
available and/or for which no application gateway with fine-grained
controls exists (this holds even for standard protocols -- I would like
to see a stateful packet filter check for ~ escapes in NNTP control
messages which INN likes to send via /bin/mail ...!)

Most online services use proprietary data streams which cannot be
verified, no matter which way they are accessed (via modem/ISDN lines
or via the Internet).

Some risks of using them over the Internet are not much different from
when using dialup lines: Can it up (or down) load arbitrary files? Does the
MSN client have a built-in scanner to find software from competitors or
unlicensed copies of Microsoft products? Does/can anyone (outside the
vendor) know for *sure*??

Other risks may be higher when using the Internet: sniffing, traffic
analysis, session hijacking and server spoofing come to mind. These
may be more prominent on the Internet, but then remember that modern
telephone switches are only computers, too ...

You'll have to consider the risks and decide if it is secure enough.
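
The kind of check the message asks for, as an added example that is not part of the original post: an application-level scan of a reassembled NNTP article for body lines starting with `~` in a control message, next to a pattern match applied to each segment on its own, which misses the line when the segment boundary falls just before the `~`. The function names, the reject policy and the sample article are assumptions constructed for illustration.

```python
# Constructed sample: an NNTP article as sent on the wire (CRLF line ends,
# dot-stuffed body, terminated by a lone "."). All values are made up.
SAMPLE = (
    b"Path: news.example.invalid!not-for-mail\r\n"
    b"From: someone@example.invalid\r\n"
    b"Newsgroups: example.test\r\n"
    b"Subject: cmsg newgroup example.test\r\n"
    b"Control: newgroup example.test\r\n"
    b"\r\n"
    b"Please create this group.\r\n"
    b"~ this line starts with a tilde\r\n"
    b"..a dot-stuffed line\r\n"
    b".\r\n"
)

def scan_article(wire: bytes):
    """Return (is_control, hits); hits are (body_line_no, text) for '~' lines."""
    lines = wire.split(b"\r\n")
    if b"." in lines:                      # lone "." ends the article
        lines = lines[: lines.index(b".")]
    split = lines.index(b"") if b"" in lines else len(lines)
    headers, body = lines[:split], lines[split + 1:]
    is_control = any(h.lower().startswith(b"control:") for h in headers)
    hits = []
    for n, line in enumerate(body, start=1):
        if line.startswith(b".."):         # undo NNTP dot-stuffing
            line = line[1:]
        if line.startswith(b"~"):          # would reach the mailer at line start
            hits.append((n, line.decode("latin-1")))
    return is_control, hits

def per_segment_match(segments):
    """Stateless check: look for CRLF followed by '~' inside each segment alone."""
    return any(b"\r\n~" in s for s in segments)

def gateway_verdict(segments):
    """Hypothetical policy: reject control messages with '~' at a line start."""
    is_control, hits = scan_article(b"".join(segments))
    return "reject" if is_control and hits else "pass"

def split_before_tilde(wire: bytes):
    """Cut the stream so one segment ends in CRLF and the next begins with '~'."""
    cut = wire.index(b"~")
    return [wire[:cut], wire[cut:]]

if __name__ == "__main__":
    segs = split_before_tilde(SAMPLE)
    print("per-segment match:", per_segment_match(segs))
    print("gateway verdict:  ", gateway_verdict(segs))
```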