XMosaic client vs. The Firewall

• To: www-security@ns1.rutgers.edu
• Subject: XMosaic client vs. The Firewall
• From: mark@hsi.com (Mark Sicignano)
• Date: Mon, 25 Jul 1994 20:59:07 -0400
• Cc: schaller@hsi.com, palmer@hsi.com, kenney@hsi.com, king@hsi.com, lang@hsi.com
• In-Reply-To: Walt Drummond <drummond@aristarchus.rutgers.edu> "This list (was Re: Humble apologies to all)" (Jul 25, 6:01pm)

Well, let me start out by asking some questions.  We've been using the 
WWW for roughly 9 months now...  We have the X version of Mosaic running.
Our access is currently being threatened by a firewall.

We aren't running a server as of yet, just the Mosaic client. (v2.4 I believe).

Most of the specific concerns raised by our IT group (they administer
our systems) seem to be addressed by the following document:

<a href="http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/Docs/security.htm">
Security concerns about Mosaic</a>, a page at NCSA, makers of Mosaic.

However, there seems to be a fear that running the NCSA Mosaic client
poses a significant risk, and since xmosaic is a large program, it may still 
contain "yet to be discovered" holes.  There is also a feeling that 
the CERN Proxy isn't adequate either.  They are currently recommending to
upper management that we disable access to the WWW until a firewall consultant
which we are working with can install a "verifiably secure" proxy which they
are currently working on, but we aren't sure if it will be delivered on time.

I'm on the other end of the debate along with many other WWW users at my
site, who feel that while there is always some risk involved, in this case
it isn't so significant that it outweighs the benefits of having access to
the Web.  Hypothetically, there *could* be more holes in mosaic, but that
doesn't justify, in my mind, pulling the plug on it.

I'm looking for:

   1)  Pointers to info on WWW security.

   2)  Testimonials for or against Mosaic's robustness (particularly the X
       client.)

   3)  Info on how you handled the trade-offs at your site, between
       the risks involved vs the benefits of having access.

   4)  ...any discussion that ensues that will teach me more
       about this topic which is fairly new to me....


-mark
--
   Security is mostly a superstition.  It does not exist in nature,
   nor do the children of men as a whole experience it.  Avoiding
   danger is no safer in the long run than outright exposure.  Life
   is either a daring adventure, or nothing.

                          -- Hellen Keller

(ya, I know Hellen Keller didn't have the Internet in mind when she came
 up with this, but I liked it anyway.  ;-)

• Re: XMosaic client vs. The Firewall
• From: "David I. Dalva" <dave@tis.com>

• From:

• Previous: Re: digest?
• Next: Hello!
• Index(es):
  • Index
  • Thread