
Re: Java/Netscape security holes: hole du jour and summary



Jeff Weinstein wrote:
> 
> Gene Ingram wrote:
> > Their redesign surprised me, when downloading the LATEST Atlas beta, and I
> > wondered what ELSE they changed.  Well here's WHAT ELSE:  When applying for
> > a credit card using a secure server at http://www.bofa.com, I was not
> > allowed into the area where it allowed me to complete my application (a
> > secured area).  It gave me the error that the socket was already in use!  I
> > have NEVER had that problem before when logging onto a secured server!
> > HERE IS HOW I FIXED THE PROBLEM:
> >
> >   Under ``Network'' preferences, I had to toggle the switch
> >   ``Allow Persistent Caching of Pages Retrieved Through SSL''
> >   under the ``Cache'' tab.  Isn't that rich.  :-)
> >
> > So there we have it, things have changed in more ways than may be apparent
> > on the surface.  I'm sure this ``persistent caching'' thing is a security
> > enhancement, and would appreciate it if someone could explain why it was
> > added.  It was only by accident that I discovered that the ``socket in
> > use'' error would prevent me from entering SOME secured sites (but not all,
> > as I was able to fill out a secured application on another server before
> > enabling ``Persistent Caching'' under ``Network'' preferences, ``Cache''
> > section.) I'm puzzled as to why ``Persistent Caching'' is needed in some
> > secured-server instances but not in others.
> 
>   This is why we do betas.  You may have found a bug.  When I connect
> to the SSL server at bofa I don't get the socket in use problem that
> you are referring to.  Perhaps you could give me some more information
> such as what platform/operating system you are running on, and a URL
> that can be used to demonstrate the problem.  Having caching disabled
> for SSL pages should not affect your ability to connect to a server,
> and if it is, then there is a bug.  The reason the option was added
> is that some people want the performance benefits of caching for encrypted
> documents, while others do not want the documents stored in their
> disk cache.  The fact that different people want different behaviour
> caused us to add an option.
> 

I'm running under the latest release of HP-UX, 10.xx.  Jeff, I'm embarrassed 
to report that the bug has gone into hiding. :-(  For what it's worth, 
the bug occurred repeatedly last week, not just once.  That's why I felt 
confident in mentioning it.  However, now that I have mentioned it, it's 
gone.  I do know this:  the above bug disappeared AFTER I enabled 
persistent caching.  However, when disabling persistent caching, that 
booger refuses to resurface.  When it does, I'll send you a bug report.

> > Like John LoVerso, I *don't think* JavaScript belongs in ``languages''
> > either.  My question remains, were these toggles moved out of ``Security''
> > because Netscape no longer considers them a security issue.
> 
>   There are many reasons why you might want to turn off javascript, and
> only one is related to security.  For example if you want to stop those
> annoying messages from scrolling through your status bar.
> 
>         --Jeff
> 
> --
> Jeff Weinstein - Electronic Munitions Specialist
> Netscape Communication Corporation
> jsw@netscape.com - http://home.netscape.com/people/jsw
> Any opinions expressed above are mine.

That's great news, and explains why you moved these toggles out of 
Security preferences.  We're making positive headway on the security 
front.  :-)

Gene

-- 
``Imagine if every Thursday your shoes exploded if you tied them 
  the usual way. This happens to us all the time with computers, 
  and nobody thinks of complaining.''  -Jeff Raskin

   ______                  gene@cup.hp.com
  /\__  _\                   ingram@pubs.holosys.com
  \/_/\ \/     ___      __   _ __    __      ___ ___
     \ \ \   /' _ `\  /'_ `\/\`'__\/'__`\  /' __` __`\
      \_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
      /\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
      \/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
                        /\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint:  93 E1 15 E6 35 BC B2 84  B2 7B 39 76 29 72 32 72

--3D signature created courtesy of ``Figlet Ascii Font Converter''
  <http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>
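The exchange above turns on one question: does a page fetched over SSL end up in the browser's disk cache or not? Jeff describes that as a user preference. The complementary, server-side control is the response's own caching headers (Cache-Control: no-store, Pragma: no-cache), which a site serving something like a credit-card application form can use so the page is never persisted, whatever the client toggle says. The script below is an added illustration, not Netscape's code or anything from this thread: it models the client toggle as a boolean, parses the response headers, and reports which of a set of constructed sample responses would be written to disk under each setting. All URLs and headers in it are made up for the example.

```python
"""
Model the "allow persistent caching of pages retrieved through SSL" decision.

Added example (not Netscape code): combines a client-side toggle with the
server's Cache-Control / Pragma headers to decide whether a response may be
written to a persistent disk cache.  Sample responses are constructed.
"""
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}, lowercased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def may_persist(url: str, headers: Dict[str, str],
                allow_ssl_disk_cache: bool) -> Tuple[bool, str]:
    """Return (may_write_to_disk, reason) for one response.

    Server directives win over the client setting: a page marked no-store is
    never persisted even if the user allows caching of SSL pages.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc:
        return False, "server forbids storage (Cache-Control: no-store)"
    # Pragma is formally a request header, but older servers sent it in
    # responses; treating it as a prohibition is the conservative choice here.
    if lower.get("pragma", "").strip().lower() == "no-cache":
        return False, "server forbids caching (Pragma: no-cache)"
    if url.lower().startswith("https://") and not allow_ssl_disk_cache:
        return False, "client setting: persistent caching of SSL pages is off"
    return True, "cacheable"


# Constructed sample responses (hypothetical hosts and paths).
SAMPLE_RESPONSES: List[Tuple[str, Dict[str, str]]] = [
    ("https://secure.example.com/apply", {"Cache-Control": "no-store"}),
    ("https://secure.example.com/help.html", {}),
    ("https://secure.example.com/account", {"Pragma": "no-cache"}),
    ("http://www.example.com/logo.gif", {"Cache-Control": "max-age=3600"}),
]


def audit(responses: List[Tuple[str, Dict[str, str]]],
          allow_ssl_disk_cache: bool) -> List[str]:
    """Return the URLs whose bodies would land in the disk cache."""
    return [url for url, hdrs in responses
            if may_persist(url, hdrs, allow_ssl_disk_cache)[0]]


if __name__ == "__main__":
    for toggle in (False, True):
        print(f"persistent SSL caching {'on' if toggle else 'off'}:")
        for url, hdrs in SAMPLE_RESPONSES:
            ok, why = may_persist(url, hdrs, toggle)
            print(f"  {'STORE' if ok else 'skip '}  {url}  ({why})")
```

Running it with the toggle off shows only the plain-HTTP image being stored; with the toggle on, the help page is stored as well, but the application form and account page stay out of the cache because the server said so. That is the property a site owner actually needs, since the client preference is outside their control.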