From: Toto <toto@sk.sympatico.ca>
Date: Sun, 13 Apr 1997 23:21:20 -0700 (PDT)
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
Message-ID: <3351C568.4B7@sk.sympatico.ca>
MIME-Version: 1.0
Content-Type: text/plain


Tom Weinstein wrote:
> Bill Stewart wrote:
> > Thanks for the pointer to MS's security site; there's a lot of
> > good information there.
> >
> > I was highly unimpressed with Microsoft's Response:
> >         "It's Not A Security Flaw"
> >         "But Everybody Important Works Around It"
> >         "And we're fixing it in the next release"
> > without providing much detail about what's going on.
> > It does indicate what to look into to avoid it when writing web pages,
> > but it doesn't say how to avoid it when entering your credit card
> > number into a web page, or what to look for as a non-programmer user.
> 
> I basically agree with Microsoft.  It works as specified, and everyone
> should know that handling sensitive form posts via GET is a bad idea.
> 
> That said, there is certainly some merit to the argument that HTTP's
> "Referer:" is a privacy violation.  Therefore, we've added a preference
> to Communicator that allows you to turn it off.  Because of the late
> date there will be no UI, but if you are concerned about it, you can go
> into your prefs.js file (preferences.js on unix) and turn it off by
> adding the line:

  Nothing personal, but this is horseshit.
  I'm getting mighty tired of vendors claiming that the average user
is not getting hornswaggled by the new technology because they have
the option of becoming the world's foremost computer expert and 
disable all of the bullshit that is foisted upon them.
  I have yet to see an advertisement for a product that states that
the users, upon giving the vendor a pile of cash, will have a stick
shoved up their butt, but will also be able to remove it if they quit
their job and devote the rest of their life to figure out how to
disable intrusive computer mechanisms which intrude on their lives
and their privacy in a multitude of ways.

  Let's get real, here. Corporations add capabilities to their programs
that allow themselves and other 'major players' to have their way with
the user.
  When Joe Average, or a hacker/spammer takes advantage of the same
capability, then the vendors claim it is a 'bug', or that they can't
be blamed for the 'bad guys' use of this built-in function.

Major News Flash!!!
  If it is 'abuse' when I use it, then it is 'abuse' when the vendors
who programmed it that way use it, as well.

  I am awaiting the day when corporations and government finally 
resolve their differences and announce 'Cookie-Key Escrow'.
  I don't mind vendors implementing whatever schemes they choose,
I only resent their making the process obtuse and revealing what
they are doing only when getting 'caught' doing things in the
background that the average user might object to.
  Of course, I realize that I am being afforded the opportunity
to protect myself from unwanted intrusions by adding a "Fuck You"
line to my config.sys file, as long as I put it in front of the
second device file pointer which begins with the letter 'c', unless
it has more than two vowels in the line, in which case I have to
put my left foot behind my right ear and lick my balls twice.

  The bottom line? Why do I have to perform esoteric manipulations
to my system to defend myself from people I give money to in order
to be able to use that system?
  It sounds suspiciously like the protection rackets, to me.
-- 
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html