Re: Java/Netscape security holes: hole du jour and summary
Jeff Weinstein wrote:
>
> Gene Ingram wrote:
> > Their redesign surprised me, when downloading the LATEST Atlas beta, and I
> > wondered what ELSE they changed. Well here's WHAT ELSE: When applying for
> > a credit card using a secure server at http://www.bofa.com, I was not
> > allowed into the area where it allowed me to complete my application (a
> > secured area). It gave me the error that the socket was already in use! I
> > have NEVER had that problem before when logging onto a secured server!
> > HERE IS HOW I FIXED THE PROBLEM:
> >
> > Under ``Network'' preferences, I had to toggle the switch
> > ``Allow Persistent Caching of Pages Retrieved Through SSL''
> > under the ``Cache'' tab. Isn't that rich. :-)
> >
> > So there we have it, things have changed in more ways than may be apparent
> > on the surface. I'm sure this ``persistent caching'' thing is a security
> > enhancement, and would appreciate it if someone could explain why it was
> > added. It was only by accident that I discovered that the ``socket in
> > use'' error would prevent me from entering SOME secured sites (but not all,
> > as I was able to fill out a secured application on another server before
> > enabling ``Persistent Caching'' under ``Network'' preferences, ``Cache''
> > section.) I'm puzzled as to why ``Persistent Caching'' is needed in some
> > secured-server instances but not in others.
>
> This is why we do betas. You may have found a bug. When I connect
> to the SSL server at bofa I don't get the socket in use problem that
> you are referring to. Perhaps you could give me some more information
> such as what platform/operating system you are running on, and a URL
> that can be used to demonstrate the problem. Having caching disabled
> for SSL pages should not affect your ability to connect to a server,
> and if it is, then there is a bug. The reason the option was added
> is that some people want the performance benefits of caching for encrypted
> documents, while others do not want the documents stored in their
> disk cache. The fact that different people want different behaviour
> caused us to add an option.
>
I'm running under the latest release of HP-UX, 10.xx. Jeff, I'm embarrassed
to report that the bug has gone into hiding. :-( For what it's worth,
the bug occurred repeatedly last week, not just once. That's why I felt
confident in mentioning it. However, now that I have mentioned it, it's
gone. I do know this: the above bug disappeared AFTER I enabled
persistent caching. However, when disabling persistent caching, that
booger refuses to resurface. When it does, I'll send you a bug report.

> > Like John LoVerso, I *don't think* JavaScript belongs in ``languages''
> > either. My question remains, were these toggles moved out of ``Security''
> > because Netscape no longer considers them a security issue?
>
> There are many reasons why you might want to turn off javascript, and
> only one is related to security. For example if you want to stop those
> annoying messages from scrolling through your status bar.
>
> --Jeff
>
> --
> Jeff Weinstein - Electronic Munitions Specialist
> Netscape Communication Corporation
> jsw@netscape.com - http://home.netscape.com/people/jsw
> Any opinions expressed above are mine.

That's great news, and explains why you moved these toggles out of
Security preferences. We're making positive headway on the security
front. :-)
Gene
--
``Imagine if every Thursday your shoes exploded if you tied them
the usual way. This happens to us all the time with computers,
and nobody thinks of complaining.'' -Jeff Raskin
______ gene@cup.hp.com
/\__ _\ ingram@pubs.holosys.com
\/_/\ \/ ___ __ _ __ __ ___ ___
\ \ \ /' _ `\ /'_ `\/\`'__\/'__`\ /' __` __`\
\_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
/\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
\/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
/\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
--3D signature created courtesy of ``Figlet Ascii Font Converter''
<http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>