Greetings!

I didn't really want to jump in here, but I can't help myself.

Why exactly are you allowing your users to access each other's personal files (viz. bookmarks)? Do you also allow them to access each other's mailboxes? Is your LISTSERV web-interface using an SSL connection? Do you allow your users to send SMTP mail commands to LISTSERV (I'd imagine so)? Well, SMTP travels in cleartext, so anyone on your network with a handy little sniffer (NT's Network Monitor, for instance) can just sit there and watch the mail, including passwords, flying over the network.

Where *exactly* is the problem with bookmarks here? From what you've said, it seems that your issue is that users in a poorly secured environment can access each other's bookmarks (not LISTSERV's fault) or that they can send their passwords to other people (not LISTSERV's fault). It looks to me as though you're just chasing windmills. If your list owners (or site manager, for that matter) can't be trusted to not send passwords to large groups of strangers, then don't make them owners.

And I've taken your advice and looked at it -- I've looked at it for 1 1/2 years now. It works fine.

regards,
jason

----- Original Message -----
From: "lsvadmin" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Sunday, December 19, 1999 7:34 PM
Subject: Bookmarks that carry authenticating arguements to wa

I brought this up previously about the bookmark URLs. The answers I received from LSoft and from list members didn't do anything to address my concerns, so I have spent the weekend researching and contacting other security related lists overseas and here, and the answer is pretty much universal.

"If you are bookmarking the wrong thing, then I would consider it a major security flaw in the product, but I have seen other interfaces that do the same thing."

Whether you take notice of me or not is irrelevant, but these people are widely respected in the security field. So please take notice of them.

I will provide LSoft with a contact for the security list if required. And I recommend that LSoft does so, then they can put it to security professionals themselves about how concerned to be. I made no mention of the product or company that I was questioning about; I didn't want to cause any unwarranted backlash.

For here, I will be recommending that the Listserv web interface be used only by administrators of Listserv until the web server it runs on is secured enough to force a trustable validation from list owners using it.

Sorry 'bout that, folks, but you really need to look at this.

ICoS