[3821] in WWW Security List Archive


Re: web server's security -Reply

daemon@ATHENA.MIT.EDU (Mark G. Scheuern)
Tue Dec 17 13:52:39 1996

Date: Tue, 17 Dec 1996 10:33:00 -0500
From: "Mark G. Scheuern" <mgscheue@oakland.edu>
To: DAVE SANDERS <DSANDERS@fusn.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

DAVE SANDERS wrote:

> As far as I know it doesn't matter what platform you run the server on, it
> is the integrity of the web serving software.  I think you need to be
> looking at what software you want to run and then pick your hardware.
> Most servers are cross compatible over different platforms. (Except
> Microsoft, unless you count NT running on MIPS and ALPHA.) :)

Both the web server software and other facets of the server need to be
secure.  The HTTP server can be as secure as can be, but you'll still
have a problem if, say, you're running an old version of sendmail that
can be exploited.  Lincoln Stein, in his WWW Security FAQ
(http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html), argues
that Unix boxes are more likely to have problems simply because they do
more and are more complex.

> On the second question, my provider offers logging of this information, IF
> it exists.  On my logs I don't get any name information.  I think it relies
> entirely on the browser end and how the user set it up and whether they
> set it up with a name or email. (Can someone else clarify this?)

JavaScript bugs and the like aside, normally there is no way to log this
information.  RFCs 1413 and 931 describe an identification protocol, but
it requires running identd on the client's host.  This info, if present,
sets the REMOTE_IDENT environment variable, assuming that the server
supports the protocol as well.

Mark
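The exchange Mark describes above, written out as an added example (this is not
part of his message or of the list archive): the web server opens a connection
back to port 113 on the client host, sends the port pair of the HTTP connection,
and identd answers with either a USERID line or an ERROR line (RFC 1413). The
code below builds the query, parses the reply, and derives the value a CGI
server would expose as REMOTE_IDENT. The port numbers, user names and reply
lines are constructed for the example; no network connection is made.

```python
"""Constructed RFC 1413 (ident) exchange: how a web server obtains the value
it would expose as REMOTE_IDENT, and why that value is only a claim made by
the client host.  Example code, not from the original message."""
import re
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113          # well-known port for identd (RFC 1413)
MAX_REPLY_OCTETS = 512    # RFC 1413 limits a reply line to 512 octets


def build_ident_query(client_port: int, server_port: int) -> bytes:
    """Build the query the web server sends to identd on the client host.

    RFC 1413 orders the pair as <port-on-server>, <port-on-client>, where
    "server" means the host running identd.  So the client's source port
    of the HTTP connection comes first, our listening port second.
    """
    for p in (client_port, server_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{client_port} , {server_port}\r\n".encode("ascii")


@dataclass
class IdentReply:
    client_port: int
    server_port: int
    kind: str                 # "USERID" or "ERROR"
    opsys: Optional[str]      # e.g. "UNIX" or "UNIX,US-ASCII" (USERID only)
    value: str                # user id for USERID, error type for ERROR


_PORTS = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def parse_ident_reply(raw: bytes) -> Optional[IdentReply]:
    """Parse one identd reply line; return None if it is not well-formed."""
    if len(raw) > MAX_REPLY_OCTETS:
        return None
    try:
        line = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None
    # The user-id field may itself contain ':', so split at most three times
    # and treat whatever follows the third colon as the user id.
    fields = line.split(":", 3)
    if len(fields) < 3:
        return None
    m = _PORTS.match(fields[0])
    if not m:
        return None
    cport, sport = int(m.group(1)), int(m.group(2))
    if not (1 <= cport <= 65535 and 1 <= sport <= 65535):
        return None
    kind = fields[1].strip()
    if kind == "ERROR" and len(fields) == 3:
        return IdentReply(cport, sport, "ERROR", None, fields[2].strip())
    if kind == "USERID" and len(fields) == 4:
        return IdentReply(cport, sport, "USERID",
                          fields[2].strip(), fields[3].strip())
    return None


def remote_ident(query_client_port: int, query_server_port: int,
                 raw_reply: bytes) -> Optional[str]:
    """Value a server could place in REMOTE_IDENT, or None.

    Rejects replies whose port pair does not echo our query (a stray or
    mismatched line), ERROR replies, and user ids containing control
    characters (they would otherwise land verbatim in the access log).
    Whatever survives is still only what the client host chose to say.
    """
    reply = parse_ident_reply(raw_reply)
    if reply is None or reply.kind != "USERID":
        return None
    if (reply.client_port, reply.server_port) != (query_client_port,
                                                  query_server_port):
        return None
    if not reply.value or any(ord(c) < 0x20 or ord(c) == 0x7F
                              for c in reply.value):
        return None
    return reply.value


if __name__ == "__main__":
    # Constructed HTTP connection: client source port 6191 -> our port 80.
    print(build_ident_query(6191, 80))
    honest = b"6191 , 80 : USERID : UNIX : alice\r\n"       # constructed
    hidden = b"6191 , 80 : ERROR : HIDDEN-USER\r\n"          # constructed
    forged = b"6191 , 80 : USERID : UNIX : root\r\n"         # constructed
    for r in (honest, hidden, forged):
        print(r, "->", remote_ident(6191, 80, r))
```

The "forged" line in the demo is the point: the server has no way to tell it
from the honest one, so REMOTE_IDENT is usable for logging and nothing more.
Enabling the lookup (Apache's IdentityCheck directive, for instance) also adds
a round trip per request and a timeout when the client host filters port 113.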
