From: Robert Hettinga <rah@shipwright.com>
Date: Wed, 11 Dec 1996 20:16:16 -0800 (PST)
To: cypherpunks@toad.com
Subject: NEWS: Web Security Hole Revealed
Message-ID: <v0300784baed5373421d5@[206.119.69.46]>
MIME-Version: 1.0
Content-Type: text/plain



--- begin forwarded text


X-Sender: okeefe@olympus.net
Mime-Version: 1.0
Date: Wed, 11 Dec 1996 19:32:32 -0800
To: N E W S   R E L E A S E  <IPS@olympus.net>
From: "Steve O'Keefe" <IPS@olympus.net>
Subject: NEWS: Web Security Hole Revealed

BREAKING NEWS
For Release Thursday, December 12, 1996

MAJOR  WEB  SECURITY  FLAW  REVEALED

(New York) -- Edward Felten, head of Princeton University's
Safe Internet Programming Team (SIP), today revealed a
major security flaw in the Internet's World Wide Web.
Called "web spoofing," the breach allows any Internet
server to place itself between a user and the rest of the
web. In that middle position, the server may observe, steal
and alter any information passing between the unfortunate
browser and the web.

All major web browsers are vulnerable to web spoofing,
including Netscape Navigator and Microsoft Internet
Explorer. Using web spoofing, a person can acquire
passwords, credit card numbers, account numbers, and other
private information, even if transmitted over an apparently
secure connection.

The Boston Globe published an article about Felten's
findings in this morning's "Plugged In" column. The story
was written by Simson Garfinkel, technology columnist for
HotWired's "Packet" news service. The complete story can be
found at the following URL:

http://www.boston.com/globe/glohome.shtml

Felten will be demonstrating web spoofing TODAY, Thursday,
December 12, at the Internet World expo at the Jacob K.
Javits Convention Center in New York City. The
demonstration will be held at the Wiley Computer Publishing
Booth (#822) at 2:00 pm Eastern Time.

The web flaw is just the latest in a series of major
Internet security problems uncovered by Felten and his
team. Felten documents some of these problems in his new
book, "Java Security: Hostile Applets, Holes, and
Antidotes" to be published in January by Wiley Computer
Publishing. For an advance review copy of the book, simply
reply to this e-mail. For further information, please
contact:

Edward Felten: felten@cs.princeton.edu
(917) 972-3693 (cellular phone at Internet World)
(609) 258-5906 (Princeton University)

Jeffrey DeMarrais: jdemarra@wiley.com
Wiley Computer Publishing
(212) 850-6630 (review copies, interviews)

Java Security Web Site:
http://www.rstcorp.com/java-security.html

Safe Internet Programming Web Site:
http://www.cs.princeton.edu/sip/

--- end forwarded text



-----------------
Robert Hettinga (rah@shipwright.com)
e$, 44 Farquhar Street, Boston, MA 02131 USA
"The cost of anything is the foregone alternative" -- Walter Johnson
The e$ Home Page: http://www.vmeng.com/rah/