1996-02-03 - Re: FV, Netscape and security as a product

Header Data

From: Nathaniel Borenstein <nsb@nsb.fv.com>
To: jsw@netscape.com>
Message Hash: ebfd289c45ca87d521ad60f5fb79056506b52e6b958976532daa383693e74ce4
Message ID: <sl4wCvKMc50e95ghMA@nsb.fv.com>
Reply To: <199601311753.JAA18008@darkwing.uoregon.edu>
UTC Datetime: 1996-02-03 20:49:09 UTC
Raw Date: Sun, 4 Feb 1996 04:49:09 +0800

Raw message

From: Nathaniel Borenstein <nsb@nsb.fv.com>
Date: Sun, 4 Feb 1996 04:49:09 +0800
To: jsw@netscape.com>
Subject: Re: FV, Netscape and security as a product
In-Reply-To: <199601311753.JAA18008@darkwing.uoregon.edu>
Message-ID: <sl4wCvKMc50e95ghMA@nsb.fv.com>
MIME-Version: 1.0
Content-Type: text/plain


Excerpts from mail.cypherpunks: 31-Jan-96 Re: FV, Netscape and securi..
Jeff Weinstein@netscape. (985*)

> > Netscape and FV have both taken a
> > "security is a product" stance, which is a gross misrepresentation.

>   We are definitely moving away from the "security is a product" stance
> that you mention.  It was definitely overdone in the early days of the
> product, but after the security bugs of the summer I and others were
> able to convince marketing that they should back off.  I want it to
> be clear what our product can and can not do.  For example, SSL can
> only protect data in transit between two machines.  If either machine
> is compromised then the data can be stolen at that end.  Our product
> does not attempt to secure the user's machine, and can not operate
> securely on an insecure machine.  Expect to see warnings and disclaimers
> of this nature from us in the future.

I applaud this clear, sensible, and correct statement.  Nicely put, Jeff.

I don't think it's fair for Greg to characterize our approach as
"security is a product".  Quite the contrary, we keep talking about
security as a *process*.  It's made up of multiple layers, which may
include digital signatures, encryption, hard-to-sniff identifiers,
out-of-band mechanisms, confirmation loops, vigorous investigation of
attempted fraud, and probably many other things, not to mention more
"traditional" aspects of server-level security.  -- Nathaniel
--------
Nathaniel Borenstein <nsb@fv.com>
Chief Scientist, First Virtual Holdings
FAQ & PGP key: nsb+faq@nsb.fv.com




