Return-Path: <rik@daneel.rdt.monash.edu.au>
Received: from dxmint.cern.ch by nxoc01.cern.ch (NeXT-1.0 (From Sendmail 5.52)/NeXT-2.0)
id AA12797; Tue, 9 Mar 93 00:32:49 MET
Received: from daneel.rdt.monash.edu.au by dxmint.cern.ch (5.65/DEC-Ultrix/4.3)
id AA06598; Tue, 9 Mar 1993 00:50:23 +0100
Received: by daneel.rdt.monash.edu.au (5.57/Ultrix3.0-C)
id AA28984; Tue, 9 Mar 93 09:49:00 +1000
Message-Id: <9303082349.AA28984@daneel.rdt.monash.edu.au>
To: joe@athena.mit.edu
Cc: www-talk@nxoc01.cern.ch, tk-WWW@athena.mit.edu
Subject: Re: Any thoughts on exec: URL?
In-Reply-To: Your message of "08 Mar 93 09:37:59 EST."
<9303081437.AA21416@theodore-sturgeon>
Date: Tue, 09 Mar 93 09:48:59 +1100
From: Rik Harris <rik@daneel.rdt.monash.edu.au>
X-Mts: smtp

> In the next version of tkWWW, I'm planning to include an "exec:" URL
> header. If you select a tag with this header it will display the text
> at the end of the address and ask the user if it wants to execute it
> as a system call.
>
> Any thoughts? In particular, are there any security problems that won't be
> fixed by asking the user whether or not to execute the command before
> doing so?

This is bringing the security problem down on the knowledge of the
user, which has never been a good idea (otherwise, password systems
would _work_). If the users don't understand what a command does, some
will never execute them (which is admittedly no worse than the current
situation), and some will always execute them, which doesn't provide
any security. I can see the neophytes looking at the box that popped
up with some gibberish, and saying that the Web is too complicated,
and then going back to gopher ;-)

Also, this will be extremely client specific. There's no advantage in
including the same extension in non-unix clients, as the exec will not
work in (say) VMS or MS-DOG. I'd like to see clients converge
towards a standard (or at least, have a standard converge towards
the clients), but this is not possible if URLs will only be useful
for one OS. It would also be annoying to maintain a different Web for
different clients.

You could probably make it work by designing a meta-language that
could be implemented by each client. This way, you can build the
security in from the start, and not worry about unknowledgeable
users.

rik.
--
Rik Harris - rik.harris@fcit.monash.edu.au || Systems Programmer
+61 3 560-3265 (AH) +61 3 565-3227 (BH) || and Administrator
Faculty of Computing and Information Technology, || Vic. Institute of
Clayton Campus, Monash University || Forensic Pathology
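
An added illustration of the message's closing suggestion (a client-implemented meta-language rather than link text handed to a system call); it is not code from the thread or from tkWWW. The `action:` scheme, its verbs and the parameter patterns are all hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical portable vocabulary: verb -> {parameter: pattern it must fully match}.
# A Unix, VMS or DOS client would each implement these verbs natively.
NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?")
ACTIONS = {
    "view":  {"doc": NAME},
    "print": {"doc": NAME, "copies": re.compile(r"[1-9]")},
    "mail":  {"to": re.compile(r"[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,255}")},
}


class Rejected(ValueError):
    """The link is not a well-formed request in the action vocabulary."""


def parse_action(url):
    """Return (verb, params) for a valid link; raise Rejected otherwise.

    Nothing is executed here and no text from the page reaches a shell:
    the client acts only on the validated verb and parameters.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "action":
        raise Rejected("unsupported scheme: %r" % scheme)
    verb, _, query = rest.partition("?")
    spec = ACTIONS.get(verb)
    if spec is None:
        raise Rejected("unknown verb: %r" % verb)
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    # Reject duplicated, missing or unexpected parameters.
    if len(params) != len(pairs) or set(params) != set(spec):
        raise Rejected("parameters must be exactly %s" % sorted(spec))
    for name, value in params.items():
        # Values are checked after percent-decoding, so encoded
        # metacharacters cannot slip past the pattern.
        if not spec[name].fullmatch(value):
            raise Rejected("bad value for %r" % name)
    return verb, params


def accepted(url):
    """True if the link parses as a valid action, False if it is rejected."""
    try:
        parse_action(url)
        return True
    except Rejected:
        return False
```

Because the decision is made by the parser and not by a confirmation dialog, the outcome does not depend on whether the user understands the command.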