Date: Fri, 14 Apr 1995 08:33:31 -0400 (EDT)
From: Kenneth Rowe <kerowe@cs.umbc.edu>
To: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.89.9504131656.A22453-0100000@sdcc8.ucsd.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

I would concur that both CERN and NCSA servers "probably" have security problems. Nor is it appropriate to start down the thread of "this is better than that" without performing a real security analysis of the servers.

Certainly there is a need to "patch" NCSA httpd 1.3 to fix high risk holes. But no amount of patching will substitute for the development and implementation of a security architecture.

Beth Frank and I have already started discussions on security concerns for httpd 1.4. I am expecting that to continue.

It is very encouraging to hear the level of concern on the internet for a "secure" WWW server. That was not even close to being a high priority requirement during the original NCSA development (correct me if I'm wrong about that Rob).

Actually, there is a lot of stuff that is Right with both the CERN and NCSA Server. Kudos to Rob for the basic security mechanisms that are in place on the NCSA server. Don't forget that a lot of the "holes" being talked about are of major concern only when you run/start-up httpd with root privileges.

(I have just started at NCSA on a part time basis and will be on board full time starting 5 June --- you should expect to hear a lot more from NCSA then)

Ken

----------------------------------------------------------
Kenneth E. Rowe (kerowe@ncsa.uiuc.edu)
Senior Security Engineer / Security Coordinator
Computing and Communications Group
National Center for Supercomputing Applications
----------------------------------------------------------