Re: FV, Netscape and security as a product
Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi..
Jeff Weinstein@netscape. (985*)
> > Netscape and FV have both taken a
> > "security is a product" stance, which is a gross misrepresentation.
> We are definitely moving away from the "security is a product" stance
> that you mention. It was definitely overdone in the early days of the
> product, but after the security bugs of the summer I and others were
> able to convince marketing that they should back off. I want it to
> be clear what our product can and can not do. For example, SSL can
> only protect data in transit between two machines. If either machine
> is compromised then the data can be stolen at that end. Our product
> does not attempt to secure the user's machine, and can not operate
> securely on an insecure machine. Expect to see warnings and disclaimers
> of this nature from us in the future.

I applaud this clear, sensible, and correct statement. Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as
"security is a product". Quite the contrary, we keep talking about
security as a *process*. It's made up of multiple layers, which may
include digital signatures, encryption, hard-to-sniff identifiers,
out-of-band mechanisms, confirmation loops, vigorous investigation of
attempted fraud, and probably many other things, not to mention more
"traditional" aspects of server-level security.

-- Nathaniel
--------
Nathaniel Borenstein <[email protected]>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: [email protected]