LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Jason Filley <[log in to unmask]>
Sun, 19 Dec 1999 22:10:46 -0600
text/plain (60 lines)
Greetings!

I didn't really want to jump in here, but I can't help myself.  Why exactly
are you allowing your users to access each other's personal files (viz.
bookmarks)?  Do you also allow them to access each other's mailboxes?  Is
your LISTSERV web-interface using an SSL connection?  Do you allow your
users to send SMTP mail commands to LISTSERV (I'd imagine so)?  Well, SMTP
travels in cleartext, so anyone on your network with a handy little sniffer
(NT's Network Monitor, for instance) can just sit there and watch the mail,
including passwords, flying over the network.  Where *exactly* is the
problem with bookmarks here?

From what you've said, it seems that your issue is that users in a poorly
secured environment can access each other's bookmarks (not LISTSERV's fault)
or that they can send their passwords to other people (not LISTSERV's
fault).  It looks to me as though you're just chasing windmills.  If your
list owners (or site manager, for that matter) can't be trusted to not send
passwords to large groups of strangers then don't make them owners.

And I've taken your advice and looked at it -- I've looked at it for 1 1/2
years now.  It works fine.

regards,
jason



----- Original Message -----
From: "lsvadmin" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Sunday, December 19, 1999 7:34 PM
Subject: Bookmarks that carry authenticating arguments to wa


I brought this up previously about the bookmark URLs. The answers I
received from LSoft and from list members didn't do anything to address
my concerns, so I have spent the weekend researching and contacting
other security related lists overseas and here and the answer is pretty
much universal.

"If you are bookmarking the wrong thing, then I would consider it a major
security flaw in the product, but I have seen other interfaces that do the
same thing."

Whether you take notice of me or not is irrelevant, but these people are
widely respected in the security field. So please take notice of them. I
will provide LSoft with a contact for the security list if required. And I
recommend that LSoft does so, then they can put it to security
professionals themselves about how concerned to be. I made no
mention of the product or company that I was questioning about, I didn't
want to cause any unwarranted backlash.

For here, I will be recommending that the Listserv web interface be used
only by administrators of Listserv until the web server it runs on is
secured enough to force a trustable validation from list owners using it.

Sorry 'bout that, folks, but you really need to look at this.

ICoS
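The thread's two concerns are that a bookmark of the web interface can capture whatever authenticating arguments were in the URL, and that an interface served over plain HTTP (or credentials sent over SMTP) travel in cleartext. The following is an added example, not code from this thread or from L-Soft, that audits a set of bookmarked URLs for both problems: credentials in the URL's userinfo part, credential-looking query parameters, and a cleartext scheme, and produces a redacted form that is safe to bookmark. The parameter names it treats as secrets, and the sample bookmarks, are assumptions; the thread does not state which arguments LISTSERV's wa interface actually uses.

```python
"""
Added example (not from the LSTSRV-L thread or from L-Soft): audit bookmarked
URLs for embedded credentials and cleartext transport, and redact them.

Assumptions: the parameter names in SECRET_PARAMS are a guess at what a web
interface might put in a URL; the sample bookmarks are constructed and use
no real host, list or account.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical credential-bearing query parameter names (matched case-insensitively).
SECRET_PARAMS = {"password", "passwd", "pw", "pwd", "token", "auth",
                 "session", "sessionid", "sid"}


def secret_params(url: str) -> list:
    """Names of query parameters in `url` that look like credentials, in URL order."""
    parts = urlsplit(url)
    return [name for name, _value in parse_qsl(parts.query, keep_blank_values=True)
            if name.lower() in SECRET_PARAMS]


def findings(url: str) -> list:
    """Human-readable list of why `url` should not be bookmarked or shared as-is."""
    parts = urlsplit(url)
    out = []
    if parts.scheme.lower() == "http":
        out.append("cleartext scheme")
    if parts.password is not None:
        out.append("password in userinfo")
    out += [f"query parameter {name}" for name in secret_params(url)]
    return out


def redact(url: str) -> str:
    """Return `url` with userinfo and credential-looking query parameters removed.

    The scheme is left unchanged: switching http to https is a server decision,
    not something a bookmark rewrite can make true.
    """
    parts = urlsplit(url)
    # Rebuild the authority from host and port only, dropping user:password@.
    # (IPv6 literals would need re-bracketing; not handled in this example.)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    kept = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
            if n.lower() not in SECRET_PARAMS]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(kept), parts.fragment))


def audit(urls) -> dict:
    """Map each problematic URL to its findings; clean URLs are omitted."""
    return {u: findings(u) for u in urls if findings(u)}


# Constructed sample bookmarks (hypothetical host, list and credentials).
SAMPLE_BOOKMARKS = [
    "https://lists.example.edu/cgi-bin/wa?list=MYLIST-L",
    "http://lists.example.edu/cgi-bin/wa?login=1&email=owner%40example.edu&password=hunter2",
    "https://owner:hunter2@lists.example.edu/cgi-bin/wa?list=MYLIST-L&token=abc123",
]

if __name__ == "__main__":
    for url, why in audit(SAMPLE_BOOKMARKS).items():
        print(f"{url}\n  problems: {why}\n  safe to bookmark: {redact(url)}")
```

Run it against an exported bookmark file to find entries that need to be replaced; note that it can only see what ended up in a URL, so a form that submits the password by POST over HTTPS would not be flagged, which is the behaviour the original poster is asking the interface to force.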
