[3149] in WWW Security List Archive


Re: SPAMS

daemon@ATHENA.MIT.EDU (Steff Watkins)
Mon Oct 7 05:46:44 1996

From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Mon, 7 Oct 1996 08:10:45 +0100 (BST)
In-Reply-To: <3258169B.4E60@virtualscope.com> from "Dean Bowes" at Oct 6, 96 04:29:15 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Dean Bowes wrote:
=>
=>I don't appreciate being spammed or e-mailed someone's personal resume or job qualifications from the 
=>www-security distribution list.

Hi Dean,

 I think very few of us do. Your comments meet with my sympathies.

=>Who cares that you have a T1 in your house?  I have one too.  Doesn't
=>everybody?

No. Can I have one please????

=>Now consider this:  If EVERYONE was using encrypted packets via SSL,
=>then what security issues are present?  

From my understanding of SSL, its only 'real' contribution to web security
is that it protects data between the webserver and the remote browser. You
still have the issues of people trying to 'break' your cgi-bin programs
and gain unauthorised access, or information, from there.

Then there are issues such as 'denial of service' attacks. Did you know
that if you have a Linux'ed PC, such as I do, with a webserver then
running that webserver with the 'user_auth' option is a real bad move. A
lot of people out there are browsing using PCs, and when the webserver
calls back asking for a user ident, the PC just doesn't understand the
protocol. So, that instance of the webserver 'hangs' and the remote user
doesn't get their 'hit'. So, they restart the connection. That hangs. And
so on... until your Linux PC runs out of swap and crashes!!

Most webservers have a 'MaxServers' config option. Denial of service
attacks are really easy in this case, particularly with a windowed PC as
you just call as many browsers as can hold connections to the remote
system and just get them to keep reloading.

There are a load of other 'issues' that relate to the security of both the
server and the browser system; it's not just about data 'in transit'.

Have fun.

Steff

: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400   : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 287869 (external)   3046 / 7869    (internal)
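The hang Steff describes comes from the server's ident (RFC 1413, the 'user_auth' callback) lookup blocking forever on a client that never answers. The following is an added example, not code from the post or from any web server it mentions: an ident query with a hard socket timeout, so a silent peer costs the server process a bounded delay instead of a stalled process. The in-process responders, the ports and the username "alice" are constructed for the demonstration.

```python
"""Added example: RFC 1413 ident lookup with a hard timeout, plus two
constructed stand-ins for the remote client: one that answers and one
that never does (the 'PC that doesn't understand the protocol')."""
import socket
import threading
import time

def ident_lookup(host, ident_port, server_port, client_port, timeout=2.0):
    """Ask the client's identd who owns the TCP connection
    <client_port> -> <server_port>. Returns the username, or None when the
    peer does not answer within `timeout`, refuses, or replies with an
    error. The timeout is what keeps one silent client from stalling the
    server process indefinitely."""
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            reply = s.recv(512).decode("ascii", "replace").strip()
    except OSError:          # includes connection refused and timeouts
        return None
    # Reply format: "<sport>, <cport> : USERID : <opsys> : <userid>"
    fields = [f.strip() for f in reply.split(":", 3)]
    if len(fields) != 4 or fields[1] != "USERID":
        return None
    return fields[3]

def _fake_identd(answer):
    """Constructed peer on a free loopback port. Sends `answer` after
    reading the query, or stays silent (answer is None) for longer than
    the client's timeout. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                     # consume the query line
            if answer is not None:
                conn.sendall(answer)
            else:
                time.sleep(3)                 # silent: outlasts the timeout
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Returns (username from a cooperative peer, result from a silent peer)."""
    good = _fake_identd(b"80, 34567 : USERID : UNIX : alice\r\n")
    silent = _fake_identd(None)
    return (ident_lookup("127.0.0.1", good, 80, 34567, timeout=1.0),
            ident_lookup("127.0.0.1", silent, 80, 34567, timeout=1.0))

if __name__ == "__main__":
    print(demo())   # ('alice', None)
```

The second lookup returns after roughly one second instead of hanging; without the timeout that call, and the server process running it, would block for as long as the client stayed connected.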