[3630] in WWW Security List Archive
Re: .htaccess created by CGI script... -Reply
daemon@ATHENA.MIT.EDU (Harris Demel)
Mon Nov 25 19:22:49 1996
Date: Mon, 25 Nov 1996 15:05:15 -0700
From: Harris Demel <HARRIS@novell.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I agree with Phill's philosophy of "trust no one and no product." The
whole gist behind being security-conscious is making judgement based
on how likely something could be cracked, which is saying "everything
has the potential to be cracked."

However, Phill, for the benefit of this list and its participants' interest, I
think what people have recommended as a pretty good security solution
is SSL, and I find value in these recommendations. I don't recall hearing
anyone claim SSL is _the_secure_solution_.

If you can judge the developers' competence by their
open-or-close-mindedness, then I guess that makes you a better man
than I. I can't help but wonder, have you even glanced at the source
code for SSL?

- Harris Demel
Novell, Inc. IS&T InnerWeb Webmaster
***************************
The above statements are mine and not necessarily my employer's.
>>> <hallam@sthelen.ai.mit.edu> 11/24/96 03:39pm >>>
>> I'd hardly call SSL "secure".
>Please explain what vulnerabilities exist in SSL.

The burden of proof is the other way round, why should SSL be
considered secure? Until version 3.0 it was not being developed
by Jeff and Tahir, it was being developed by Marc and Kipp, neither
of whom were either particularly good at it or interested in
advice.

It is always necessary to judge whether security is
sufficient for a particular application and situation. It
is not possible to supply "security" as a package.

It is however possible to supply insecurity as a package -
something which NIS, sendmail, NFS et al are all good at :-)

Phill