[3344] in WWW Security List Archive
Re: Java Script
daemon@ATHENA.MIT.EDU (Adam Shostack)
Wed Oct 23 13:39:02 1996
From: Adam Shostack <adam@homeport.org>
To: jsw@netscape.com
Date: Wed, 23 Oct 1996 11:01:22 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <326D509D.7505@netscape.com> from "Jeff Weinstein" at Oct 22, 96 03:54:21 pm
Errors-To: owner-www-security@ns2.rutgers.edu
Jeff Weinstein wrote:
|
|
| Royans K Tharakan wrote:
| > Many of you must be knowing that there is a security bug in Netscape which
| > allows the web page to send an E-Mail (and address goes along with it)
| > without warning the user.
| We found this problem a while ago, and it is fixed in
| the 3.01 release. You now get the warning dialog for all
| mailto: form submissions.
This sort of thing points out the need for signed code &
trusted software houses configurable at a sitewide level. Netscape's
encouraging users to turn on Javascript opens the enterprise to
weaknesses in the language. If the code needed to be signed, and site
admins could control whose code was executed, then these problems
would be more manageable; users could get LS from Netscape, their
company, and no one else.
Security is more than a bunch of check boxes in the user's
browser. Strong authentication and authorization are important.
Adam
--
"Every year the Republicans campaign like Libertarians, and then go to
Washington and spend like Democrats."
Vote Harry Browne for President. http://www.harrybrowne96.org