LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Roger Fajman <[log in to unmask]>
Sun, 19 Dec 1999 21:41:04 -0500
text/plain (42 lines)
> I brought this up previously about the bookmark URLs. The answers I
> received from LSoft and from list members didn't do anything to address
> my concerns, so I have spent the weekend researching and contacting
> other security-related lists overseas and here and the answer is pretty
> much universal.
>
> "If you are bookmarking the wrong thing, then I would consider it a major
> security flaw in the product, but I have seen other interfaces that do the
> same thing."
>
> Whether you take notice of me or not is irrelevant, but these people are
> widely respected in the security field. So please take notice of them. I
> will provide LSoft with a contact for the security list if required. And I
> recommend that LSoft does so, then they can put it to security
> professionals themselves about how concerned to be. I made no
> mention of the product or company that I was questioning about; I didn't
> want to cause any unwarranted backlash.
>
> For here, I will be recommending that the Listserv web interface be used
> only by administrators of Listserv until the web server it runs on is
> secured enough to force a trustable validation from list owners using it.
>
> Sorry about that, folks, but you really need to look at this.
>
> ICoS

It's beyond me just what you are expecting here.  When there's the need
for a login, as with the LISTSERV web interface, the security
association needs to be remembered somehow.  LISTSERV does it with a
token in the URL.  This token is good only for a short time, so
bookmarking it does no harm (or good).  LISTSERV can't stop someone
from bookmarking anything they want; users will be encouraged not to do
that anyway, as they will soon find that the bookmarks don't work for
more than a few minutes.  Cookies are another way that it might be
done, but many people dislike cookies and disable them.  I don't see
that a cookie is a more secure approach.  It's more likely to be
sitting on the machine for a long time.  Just remembering an IP address
is not enough, because there can be multiple users on one machine and,
as mentioned before, there may be a proxy in the way.

So what do you see as a better solution to the problem?
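The mechanism described in the reply above, as an added illustration and not LISTSERV's own code: a signed, short-lived login token carried in the URL query string, which stops validating a few minutes after it was issued, so a bookmarked copy is worthless to whoever finds it. The HMAC construction, the five-minute lifetime, the claim names and the example addresses are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side key; a real deployment loads it from protected
# configuration rather than generating it at import time.
SERVER_KEY = secrets.token_bytes(32)
# Token lifetime in seconds: "a few minutes" in the post, 5 minutes assumed here.
TOKEN_LIFETIME = 300
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC appended to the claims

def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()

def issue_token(owner: str, now=None) -> str:
    """Mint a URL-safe token naming the logged-in owner, valid for TOKEN_LIFETIME."""
    now = time.time() if now is None else now
    claims = {"owner": owner, "exp": int(now) + TOKEN_LIFETIME,
              "nonce": secrets.token_hex(8)}  # nonce keeps each login's token distinct
    payload = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode().rstrip("=")

def validate_token(token: str, now=None):
    """Return the owner named by an authentic, unexpired token; otherwise None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if len(sig) != SIG_LEN or not hmac.compare_digest(sig, _sign(payload)):
        return None  # tampered, truncated, or signed under another key
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None  # a bookmarked copy lands here once the few minutes are up
    return claims.get("owner")

if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("owner@example.org", t0)  # this string goes in the URL query
    print("fresh:   ", validate_token(token, t0 + 60))                    # owner@example.org
    print("bookmark:", validate_token(token, t0 + TOKEN_LIFETIME + 1))    # None
```

Because the token is bound to a server secret and an expiry rather than to a client IP address, it works unchanged behind a proxy or for several users sharing one machine, which is the objection raised against IP-based remembering in the reply.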
