1996-07-19 - Netscape 3.0B US version MD5 (was: Re: overseas PGPfone and Netscape)

Header Data

From: roy@sendai.scytale.com (Roy M. Silvernail)
To: iang@cs.berkeley.edu (Ian Goldberg)
Message Hash: 8abbb1d96f4db89a2290cdfda9c406cd018406450bc36ea6117866b17fc3fe25
Message ID: <960718.180506.7L4.rnr.w165w@sendai.scytale.com>
Reply To: <4slmrl$a80@abraham.cs.berkeley.edu>
UTC Datetime: 1996-07-19 04:54:07 UTC
Raw Date: Fri, 19 Jul 1996 12:54:07 +0800

Raw message

From: roy@sendai.scytale.com (Roy M. Silvernail)
Date: Fri, 19 Jul 1996 12:54:07 +0800
To: iang@cs.berkeley.edu (Ian Goldberg)
Subject: Netscape 3.0B US version MD5 (was: Re: overseas PGPfone and Netscape)
In-Reply-To: <4slmrl$a80@abraham.cs.berkeley.edu>
Message-ID: <960718.180506.7L4.rnr.w165w@sendai.scytale.com>
MIME-Version: 1.0
Content-Type: text


-----BEGIN PGP SIGNED MESSAGE-----

In list.cypherpunks, iang@cs.berkeley.edu writes:

<paranoia>

> This isn't just an issue of making sure your copy wasn't munged in transit;
> without checksums, what's stopping netscape from embedding the info you
> provide in the binary before shipping it to you, so that if it shows
> up on hacktic, they know who did it?

</paranoia>

<img src="SarcasticGrin.jpg">

I trust Netscape, but I also cut the cards...

[18:02] 1 [d:\tmp]:sendai# md5sum -b ns_inst.exe
0f4de3e744ec4e356ba9f8feb3ded7ec *ns_inst.exe

[18:03] 1 [d:\tmp]:sendai# dir ns_inst.exe

 Volume in drive D is unlabeled      Serial number is 4362:1EF5
 Directory of  d:\tmp\ns_inst.exe

ns_inst.exe   3008531   7-16-96  20:24
   3,008,531 bytes in 1 file(s)          3,010,560 bytes allocated
  10,551,296 bytes free


Their file delivery CGI could use some work... no reason I can see to
offer the filename 'pick.cgi' for everything.  Anyone sniffing the link
knows the filename from previous forms submissions, anyway.

OBRealCrypto:  What's the best method for authenticating successive
interactions with a CGI?  Currently, the password is being passed clear
as a hidden input field, but I have to believe there's a better way than
that.  One point is that the user will not be explicitly ending his
session, but just wandering off to other pages.
- -- 
           Roy M. Silvernail     [ ]      roy@scytale.com
PGP Public Key fingerprint =  31 86 EC B9 DB 76 A7 54  13 0B 6A 6B CC 09 18 B6
                Key available from pubkey@scytale.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
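
The comparison that posting an `md5sum` line to the list makes possible, as an added example (not part of the original message): each downloader hashes their own copy and checks it against the posted lines, so a copy altered in transit or marked per recipient shows up as a mismatch. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import io
import re

# One md5sum output line: 32 hex digits, a space, a mode flag
# ('*' = binary, as written by `md5sum -b`; ' ' = text), then the file name.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}) ([* ])(.+)$")

def parse_md5sum_line(line):
    """Return (digest, filename) from one md5sum output line."""
    match = MD5SUM_LINE.match(line.strip())
    if match is None:
        raise ValueError(f"not an md5sum line: {line!r}")
    return match.group(1).lower(), match.group(3)

def md5_of_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so a large installer is never held whole in memory."""
    digest = hashlib.md5()  # MD5 because the message uses it; hashlib.sha256 works the same way
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def compare_with_reports(local_digest, reported_lines):
    """Compare our digest with md5sum lines posted by other downloaders.

    Returns (verdict, differing), where differing maps each digest that is
    not ours to the number of reports carrying it.
    """
    differing = {}
    for line in reported_lines:
        digest, _name = parse_md5sum_line(line)
        if digest != local_digest.lower():
            differing[digest] = differing.get(digest, 0) + 1
    if not reported_lines:
        return "no-reports", differing
    return ("mismatch" if differing else "consistent"), differing

if __name__ == "__main__":
    # Constructed sample data: a stand-in "installer" and a copy carrying a
    # per-recipient marker, the case the quoted paragraph worries about.
    clean = b"MZ" + b"\x00" * 1024
    marked = clean + b"user=alice@example.com"
    mine = md5_of_stream(io.BytesIO(clean))
    theirs = md5_of_stream(io.BytesIO(marked))
    reports = [f"{mine} *ns_inst.exe", f"{theirs} *ns_inst.exe"]
    print(compare_with_reports(mine, reports))
```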





