Re: Netscape 2.01 fixes server vulnerabilities by breaking the client...
Phil Karlton wrote:
> Rich Graves wrote:
>
> > How about limiting URLs on non-blessed ports to, say, 64
> > alphanumeric characters? I'm sure the documentation writers and
> > technical support folks would hate you, but it should address these
> > concerns.
>
> This is not good enough. Many people, feeling secure on their side of
> a firewall, put proprietary information in their .plan files. Since
> the Navigator is running inside that firewall, we can't give
> access to that data to sources coming from outside the firewall. Given
> the many ways to construct a URL, the safest was to prevent any access
> to the finger port (along with a number of others).

Of course, this isn't really a good reason because there's no way to
get the information back out to the other side of the firewall.

As a matter of fact, limiting URLs as Rich suggests might in fact be
good enough. It's one of the possibilities we'll be looking at for
reenabling finger and whois.

--
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything. -- Washington DC motto | [email protected]