From: Tom Weinstein <tomw@netscape.com>
Date: Thu, 4 Apr 1996 18:35:16 +0800
To: cypherpunks@toad.com
Subject: Re: Netscape 2.01 fixes server vulnerabilities by breaking the client...
In-Reply-To: <315C8FCB.2781@netscape.com>
Message-ID: <31636529.167E@netscape.com>
MIME-Version: 1.0
Content-Type: text/plain


Phil Karlton wrote:
> Rich Graves wrote:
> 
> > How about limiting URLs on non-blessed ports to, say, 64
> > alphanumeric characters? I'm sure the documentation writers and
> > technical support folks would hate you, but it should address these
> > concerns.
> 
> This is not good enough. Many people, feeling secure on their side of
> a firewall, put proprietary information in their .plan files. Since
> the the Navigator is running inside that firewall, we can't give
> access to that data to sources coming from outside the firewall. Given
> the many ways to construct a URL, the safest was to prevent any access
> to the finger port (along with a number of others).

Of course, this isn't really a good reason because there's no way to
get the information back out to the other side of the firewall.

As a matter of fact, limiting URLs as Rich suggests might in fact be
good enough.  It's one of the possibilities we'll be looking at for
reenabling finger and whois.

-- 
Sure we spend a lot of money, but that doesn't mean | Tom Weinstein
we *do* anything.  --  Washington DC motto          | tomw@netscape.com