[1620] in WWW Security List Archive
Re: Netscape && FTP sites
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Mar 13 15:29:50 1996
From: Adam Shostack <adam@bwh.harvard.edu>
To: seth@hygnet.com (Seth I. Rich)
Date: Wed, 13 Mar 1996 12:23:36 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199603121800.NAA00266@arkady.hygnet.com> from "Seth I. Rich" at Mar 12, 96 01:00:45 pm
Errors-To: owner-www-security@ns2.rutgers.edu
If its anonymous, why do you care what the user sends? Its always
struck me as bizzare that 'anonymous' ftp expects a login or password;
why not offer service with no login procedure at all? Just show up,
grabs files, and leave.
Adam
Seth I. Rich wrote:
| Is it true that, when connecting to an anonymous FTP site, Netscape sends
| username anonymous and password "mozilla@<site>"? It was my understanding
| (in fact, the FTP sites I maintain say this explicitly) that the password
| specified is to be the email address of the person requesting (or submitting)
| the data. What I recall reading is that Netscape -always- sends this bogus
| address even if the user has entered her real address into the browser's
| configuration.
|
| Is this true? Does this seem like a problem to anyone else? Is it
| patchable?
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
