[1631] in WWW Security List Archive


Re: Netscape && FTP sites

daemon@ATHENA.MIT.EDU (Karl Boyken)
Thu Mar 14 14:12:03 1996

From: Karl Boyken <boyken@cs.uiowa.edu>
To: gene@hpfsvr01.cup.hp.com
Date: Thu, 14 Mar 1996 09:00:24 -0600 (CST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <31470919.1B6D@cup.hp.com> from "Gene Ingram" at Mar 13, 96 09:42:49 am
Errors-To: owner-www-security@ns2.rutgers.edu

Gene Ingram wrote, in part:

> ...  (Just got the idea why can't ftp sites also
> finger email address given to see if it's valid before allowing anonymous
> access, sorry to think out loud..)
> 

This isn't a very good solution.  Some sites perceive finger information to be a
security risk and turn off fingerd.

Anonymous ftp passwords depend on user-supplied information, and it's a simple
matter for any anonymous ftp user to supply a bogus email address, whether they're
using an ftp client or Netscape or whatever.  The only semi-reliable information
ftpd receives at login is the originating site, and even that is open to
question, given the various types of spoofing that are possible.

-- 
Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
email: karl-boyken@uiowa.edu              WWW: http://www.cs.uiowa.edu/~boyken/
voice: 319-335-2730                                           fax: 319-335-3017
