Re: Java/Netscape security holes: hole du jour and summary

• To: www-security <www-security@ns2.rutgers.edu>
• Subject: Re: Java/Netscape security holes: hole du jour and summary
• From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
• Date: Fri, 03 May 1996 10:24:23 -0700
• Cc: Chris Woods <cjwoods@paladin.com">cjwoods@paladin.com>, John Robert LoVerso <john@loverso.southborough.ma.us>
• Organization: Hewlett-Packard Co.
• References: <cjwoods@paladin.com> <199605021357.JAA03461@wire.paladin.com> <199605030235.WAA14818@loverso.southborough.ma.us> <199605031402.KAA07728@wire.paladin.com>
• Reply-To: www-security <www-security@ns2.rutgers.edu>

I think the confusion maybe between the first and subsequent Atlas beta.
They DID leave it in the ``Security'' preferences in the FIRST Atlas beta
on HP-UX version (as they did your versions of Unix), but somewhere along
the way, the toggles to disable/enable Java and JavaScript somehow migrated
into the ``Network'' preferences under ``languages.''  For example, in my
first Atlas beta for HP-UX operating system, they hadn't moved
Java/JavaScript yet, NOW I understand your initial response.

Their redesign surprised me, when downloading the LATEST Atlas beta, and I
wondered what ELSE they changed.  Well here's WHAT ELSE:  When applying for
a credit card using a secure server at http://www.bofa.com, I was not
allowed into the area where it allowed me to complete my application (a
secured area).  It gave me the error that the socket was already in use!  I
have NEVER had that problem before when logging onto a secured server!
HERE IS HOW I FIXED THE PROBLEM:

  Under ``Network'' preferences, I had to toggle the switch 
  ``Allow Persistent Caching of Pages Retrieved Through SSL'' 
  under the ``Cache'' tab.  Isn't that rich.  :-)

So there we have it, things have changed in more ways than may be apparent
on the surface.  I'm sure this ``persistent caching'' thing is a security
enhancement, and would appreciate it if someone could explain why it was
added.  It was only by accident that I discovered that the ``socket in
use'' error would prevent me from entering SOME secured sites (but not all,
as I was able to fill out a secured application on another server before
enabling ``Persistent Caching'' under ``Network'' preferences, ``Cache''
section.) I'm puzzled as to why ``Persistent Caching'' is needed in some
secured-server instances but not in others.

Like John LoVerso, I *don't think* JavaScript belongs in ``languages''
either.  My question remains, were these toggles moved out of ``Security''
because Netscape no longer considers them a security issue.

Gene

-- 
``Imagine if every Thursday your shoes exploded if you tied them 
  the usual way. This happens to us all the time with computers, 
  and nobody thinks of complaining.''  -Jeff Raskin

   ______                  gene@cup.hp.com
  /\__  _\                   ingram@pubs.holosys.com
  \/_/\ \/     ___      __   _ __    __      ___ ___
     \ \ \   /' _ `\  /'_ `\/\`'__\/'__`\  /' __` __`\
      \_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
      /\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
      \/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
                        /\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint:  93 E1 15 E6 35 BC B2 84  B2 7B 39 76 29 72 32 72

--3D signature created courtesy of ``Figlet Ascii Font Converter''
  <http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>

• Re: Java/Netscape security holes: hole du jour and summary
• From: Jeff Weinstein <jsw@netscape.com>

• From:
• Re: Java/Netscape security holes: hole du jour and summary
• From: Chris Woods <cjwoods@paladin.com>
• From:
• From:

• Previous: Re: NCSA httpd bug before 1.5a?
• Next: Re: Your Message Sent on Thu, 2 May 1996 23:32:41 -0400
• Index(es):
  • Index
  • Thread