[1067] in WWW Security List Archive
Re: NYT Article and Physical Security
daemon@ATHENA.MIT.EDU (John L. Bass)
Mon Oct 23 17:20:38 1995
Date: Mon, 23 Oct 95 11:58:32 -0600
From: jbass@dmsd.com (John L. Bass)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Rick Smith writes:
> I posed the following question to the group:
>
> > This is where it gets back to WWW security. Are we trying to make WWW
> > safe for everyone right out of the box?
>
> John L. Bass replied:
>
> > In all Netscape's marketing hype for both clients and servers that seems to
> > be the express goal.
>
> More to the point, is this objective being embraced by the rest of the
> technical community? I don't see much evidence in it from the HotJava
> community overall, though there are a few voices in the security
> wilderness, even at Sun.

If the "technical community" existed as a single voice, single purpose
entity this might be a valid point of order ... but the fact is that one major
segment of the technical community is bringing the rest of the
non-technical community into the information age via the information
superhighway. At this point the non-techies outnumber the purists by at least
10 to 1, and growing.

If the "technical community" has concerns about the security of general
www use by the non-techie population, those voices are few and are certainly
not being listened to. Better put, the "technical community" doesn't seem
to care about the risks this industry is undertaking as long as they
can get rich in the process (or at least get a high paying pay check).
>
> John L. Bass further noted:
>
> > As more and more IS depts proxy Netscape thru their firewalls I get even
> > more concerned that the "the security" of netscape SSL sessions is in fact
> > the perfect cover for a well-heeled trojan horse. At one of my clients' sites
> > they have rigorous bastions, but pay little heed to the risks of a trojan
> > netscape client. At least a telnet session can be logged in clear text, IS has
> > no idea what passes thru the gateway encrypted as an SSL session.
>
> An interesting point. There's a military guard system that decrypts
> encrypted data before release in order to check for improperly
> released information. But in practice it seldom makes sense to apply
> that level of control to corporate information. It's a legal and
> policy issue -- there's no case law nor documented loss that demands
> such measures in private transactions.
>
> Even if the Telnet information were plaintext, the sites with the most
> to lose couldn't afford to log very much traffic, even on high
> capacity DATs. And once the data was logged, there's little chance
> anyone would review the contents, except perhaps to look for evidence
> after the fact. Unless all traffic is logged, there's a good chance
> the incriminating traffic passed through without being saved. And some
> legal opinions (see Cheswick & Bellovin) question the court standing
> of computer log files that are not automatically collected for some
> business purpose. For example, if you turn on the logs just to
> catch Joe, the courts might not accept the logs as evidence.
>
> Much of this is because of Telnet -- there's no structure to the
> interaction so you can't log "transactions" like you can log WWW page
> accesses. I generally recommend that people serious about security
> should shun Telnet and stick to better structured protocols when
> traversing a security boundary.
>
> Rick.
> smith@sctc.com secure computing corporation
>

More to the point is that, knowing a site is experiencing a security
breach, the secure nature of SSL prevents that site from diagnosing
the content of the traffic to verify the breach. This is not true of
clear text telnet/ftp or specifically authorized encrypted tunnels
where the IS dept controls the entry/exit to the tunnel in router
based solutions.

It is unreasonable for EXACTLY the storage reasons you cite to demand
that sites maintain a copy of every bit created in a system in order
to present those which specifically pertain to a crime. This is like
requiring every motorist be stopped and searched in order to be able
to present the search findings for a few caught in some act.

The point remains uncontested that www clients using a secure protocol
make the ideal trojan horse. Especially when distributed over the net
in clear text or run from an NFS server.

John