[3793] in WWW Security List Archive


Re: Netscape 'secret' codes and security implications

daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Fri Dec 13 05:13:22 1996

From: htorgema@novice.uwaterloo.ca
Date: Fri, 13 Dec 1996 02:33:04 -0500 (EST)
To: Peter Choynowski <pkc@scs.carleton.ca>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199612111904.OAA22370@shadow.scs.carleton.ca>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 11 Dec 1996, Peter Choynowski wrote:

> I like to find out if people are aware of the above, and what is the
> feeling on using pre-compiled software of this type - should we start
> running the browser from a chroot env. :)
> 
> P.S.  Here are the URLs:
> 	http://home.netscape.com/people/jwz ( look at the following code )
> 
> <ANIM KEY=zs7NzcrM1dfG29PM SALT=29PZ HASH=38jT68fN38hZ68lN01HRT2vnWdVX91NZZ1N3>
> <!-- Questions about the preceding line will be gleefully ignored. -->

First, the <ANIM> tag doesn't exist. What Netscape Navigator is doing is
to compare the URL given with something like "*.netscape.com/people/jwz".
FYI, in Netscape 2.0x, to activate this, you simply had to create a
directory called "jwz".
If you like hidden features, then try to type "about:1994" in the location
line of your favorite browser. 
I don't think these hidden features change anything.
You use software because you trust it.
Of course, every piece of software on your computer could do nasty things.
Some people need to see the source code to trust a program. Those people
won't use Netscape Navigator, nor Windows 95...
(And the chrooted environment is only very slightly better: if Netscape
Navigator decides to try to use some well-known cgi-bin holes on every
server you visited, the chroot command won't help you.)
Maybe Navigators should be signed by someone like Verisign... ;)

Just my 2 cents,

Henri

---------------
Henri Torgemane          http://www.undergrad.math.uwaterloo.ca/~htorgema/

Never let your sense of morals prevent you from doing what is right.
                -- Salvor Hardin, "Foundation"

