From: Scott Brickner <sjb@universe.digex.net>
To: Jeff Weinstein <jsw@netscape.com>
Message Hash: dff10575a1a64c76726a479e82a339063c9224fa7b3e6adec54ba6ae54016ac4
Message ID: <199601152204.RAA18827@universe.digex.net>
Reply To: <30F8596B.5611@netscape.com>
UTC Datetime: 1996-01-15 22:05:17 UTC
Raw Date: Mon, 15 Jan 96 14:05:17 PST
Subject: Re: (none) [httpd finding your identity]

Jeff Weinstein writes:
>The snoop program is using FTP to find out the user's e-mail
>address. The image on the page is an ftp: URL. Our FTP code
>was sending the user's e-mail address as the password for
>anonymous FTP, which is usually requested by FTP sites.
>The perl script was waiting for the FTP to happen, and then
>looking at its log to figure out the email address.
>
> I've removed the code that uses the e-mail address as the
>FTP password for anonymous FTPs. You can still enter it by
>hand by using a URL of this form 'ftp://anonymous@ftp.netscape.com'.
>This will cause the navigator to prompt the user for the
>password to send for anonymous. This is a little-known feature
>that will also allow users to access non-anonymous ftp
>accounts via netscape.

Or you can use 'ftp://anonymous:password@ftp.netscape.com/', and
skip the prompt. Not really less secure (assuming you can prevent
shoulder surfers) as FTP sends the password in the clear, anyway.
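
Added example, not part of either message and not Netscape's code: a small audit that finds ftp: URLs a page loads automatically and reports the login a client would send for each of the three URL forms discussed in the thread. The tag list, the `GENERIC_PASSWORD` value, the example.test hosts and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumptions for this example: which tag/attribute pairs load without a click,
# and the generic password a fixed client sends instead of the e-mail address.
AUTO_LOAD = {("img", "src"), ("iframe", "src"), ("embed", "src")}
GENERIC_PASSWORD = "guest"

def ftp_login(url, email, legacy=True):
    """Return (user, password) an FTP client would send for url, or None if not ftp:.

    legacy=True models the behaviour described in the thread (e-mail address as
    the anonymous password). A password of None means the user gets prompted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return None
    if parts.username is None:                 # ftp://host/path
        return ("anonymous", email if legacy else GENERIC_PASSWORD)
    user = unquote(parts.username)
    if parts.password is None:                 # ftp://user@host/
        return (user, None)
    return (user, unquote(parts.password))     # ftp://user:password@host/

class FtpSubresourceFinder(HTMLParser):
    """Collect ftp: URLs in attributes that are fetched automatically."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_LOAD and value and ftp_login(value, "") is not None:
                self.hits.append((tag, value))

def audit(html, email, legacy=True):
    """List (tag, url, login) for every auto-loaded ftp: URL in html."""
    finder = FtpSubresourceFinder()
    finder.feed(html)
    return [(tag, url, ftp_login(url, email, legacy)) for tag, url in finder.hits]

# Constructed sample page: only the second <img> triggers an FTP login on load.
SAMPLE_PAGE = """<html><body>
<img src="http://www.example.test/logo.gif">
<img src="ftp://ftp.example.test/pixel.gif">
<a href="ftp://anonymous@ftp.example.test/pub/">files</a>
</body></html>"""

if __name__ == "__main__":
    for legacy in (True, False):
        print(legacy, audit(SAMPLE_PAGE, "alice@example.test", legacy))
```

Whatever login is reported, it crosses the network unencrypted, which is the point of the closing remark in the reply above.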