[1038] in WWW Security List Archive

Re: NY Times Article

daemon@ATHENA.MIT.EDU (Daniel C. Fox)
Fri Oct 13 15:35:05 1995

Date: Fri, 13 Oct 1995 12:38:14 -0700
From: "Daniel C. Fox" <dfox@xylogics.com>
To: Charles Watt <watt@sware.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>How many of you downloaded your copy of the browser from the net?

You mean the non-exportable RC2 version that has been cracked in 100 hours?
1/2 :-)

>Rather, he
>was concerned about the attention devoted to the security of Netscape's SSL
>implementation, for it was obscuring the fact that the security of an
>electronic transaction depends upon ALL aspects affecting the security of
>the two end systems making the transaction, not just the transaction
>protocol.

Of course SSL is only one part of a security solution.  And while NFS
being insecure has been known/obvious for a long time, I think the
average Netscape user did not know this, and so it is legitimate to
publish a paper on this subject.  But Netscape is clearly living up to
its end of the bargain.

The implication is that Netscape is running a scam by claiming that it
can provide secure financial transactions when it can't.  (Not my
implication and probably not the implication of the person I quoted, but
the implication is there).

Do Netscape docs (on-line or otherwise) include a lecture on security
issues that are outside of Netscape's control? (i.e., don't run over NFS,
don't download it over the Net, etc.)  If not, Netscape should consider
this.  It would provide a valuable service as well as demonstrate
Netscape's good motives.  It could also attract more users to Netscape,
who are wary of using the security features because they don't
understand the security issues.

Remember that all security protocols and algorithms must begin with some
basic assumptions.  Let's keep this in perspective.  When run properly, 
Netscape can be far more secure than a transaction conducted over the
phone (which can be easily tapped).

------------------------------------------------------------------------
Daniel C. Fox <dfox@xylogics.com>
Software Engineer   Tel: +1 617-272-8140    +1 800-225-3317
Xylogics, Inc.      Fax: +1 617-272-2618    Web: http://www.xylogics.com
