[1635] in WWW Security List Archive
Re: Netscape && FTP sites
daemon@ATHENA.MIT.EDU (Paul Rarey)
Thu Mar 14 14:45:39 1996
Date: Thu, 14 Mar 1996 08:57:30 -0800
From: Paul Rarey <Paul.Rarey@Clorox.com>
To: Karl Boyken <boyken@cs.uiowa.edu>
Cc: gene@hpfsvr01.cup.hp.com, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Karl Boyken wrote:
>
> Gene Ingram wrote, in part:
>
> > ... (Just got the idea why can't ftp sites also
> > finger email addresses given to see if it's valid before allowing anonymous
> > access, sorry to think out loud..)
> >
>
> This isn't a very good solution. Some sites perceive finger information to be a
> security risk and turn off fingerd.
>
> Anonymous ftp passwords depend on user-supplied information, and it's a simple
> matter for any anonymous ftp user to supply a bogus email address, whether they're
> using an ftp client or Netscape or whatever. The only semi-reliable information
> ftpd receives at login is the originating site, and even that is open to
> question, given the various types of spoofing that are possible.

It would seem "anonymous" and "who are you" are oxymorons.