1997-04-14 - Re: SSL weakness affecting links from pa

Header Data

From: Toto <toto@sk.sympatico.ca>
To: Tom Weinstein <tomw@netscape.com>
Message Hash: d89356bc69abd5a38f4c7c7186fd27d051ba81bcca0b673bab06d548ce5ad241
Message ID: <335273AE.391E@sk.sympatico.ca>
Reply To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
UTC Datetime: 1997-04-14 18:19:31 UTC
Raw Date: Mon, 14 Apr 1997 11:19:31 -0700 (PDT)

Raw message

From: Toto <toto@sk.sympatico.ca>
Date: Mon, 14 Apr 1997 11:19:31 -0700 (PDT)
To: Tom Weinstein <tomw@netscape.com>
Subject: Re: SSL weakness affecting links from pa
In-Reply-To: <3.0.1.32.19970411230142.00643490@popd.ix.netcom.com>
Message-ID: <335273AE.391E@sk.sympatico.ca>
MIME-Version: 1.0
Content-Type: text/plain


Tom Weinstein wrote:
> Toto wrote:
> > Let's get real, here. Corporations add capabilities to their programs
> > that allow themselves and other 'major players' to have their way with
> > the user.
> >   When Joe Average, or a hacker/spammer takes advantage of the same
> > capability, then the vendors claim it is a 'bug', or that they can't
> > be blamed for the 'bad guys' use of this built-in function.
> 
> This is a security hole in the web site, not in the
> browser.  The browser follows the HTTP specification.  If you have a
> problem with that, contact the author of that specification.
> 
> In the eyes of some, the referer header is a privacy violation.  It
> allows a site to see what site you visited before coming there.

  And the Netscape default is to violate the user's privacy.

> This allows web sites to see who links to them.  I
> think that's something that a web author is entitled to know.

  Without notifying the user of your software that information
they may want to keep private is being given out? I don't think so.
  Why do you not instead require the web author to 'ask for 
permission' to know where the user last visited? Is it because
the user is just considered a pawn of business interests?
  
> So, you think we're doing something bad.  Why don't you tell me what
> you think we should do?

  My personal opinion is that you should inform your users of how,
when and why the use of your software does, or can, affect their
privacy. And you should give them an option of installing your
software with all privacy features set to 'on'.
  Give your users the option of not allowing their privacy to be
silently intruded on with no notification.

  The 'Cookie' situation is a good example of placing corporate
interests ahead of the interests of those who use a browser.
  The fact that the capacity to turn off cookie acceptance was
added after people found out and complained about their privacy
being violated is not something for companies to be proud of,
no matter how much their PR department may claim they are
championing privacy by adding these 'features'.

  I realize that the corporatization of the InterNet provides
certain benefits to users, but the fact of the matter is, the
cost of those benefits is being hidden from the users.
  I would just like to see a browser which informs the average
user in what way their information is being used and shared,
and gives them a way to protect themselves against intrusion
into their private lives and dissemination of their personal
information.

  Believe it or not, there may be users who stumble upon or
are suckered into going to a 'Bestiality and Child Perversion'
site who may not want to spread this information around.
  When I find out that a program's installation process has
stuck a hidden corncob up my ass, I'm not going to write them
a thank-you note if they later come up with a 'feature' to 
allow me to remove it.

  Please be advised that my email reply to you in no way indicates
a desire for my name to be sold to a 'Bestiality' mailing list,
despite whether or not this is part of some standard 'specification'
hidden in Netscape's fine print. (Cheap shot? Moi?)
  I use Netscape, and I like the different technologies being
developed that expand users' horizons. However, I would rather
be told what the cost is to have all of these 'free' capabilities,
and be given the option of bearing the burden of whatever increased
costs may arise by my not wanting to open my life and interests to
every operator of a roadside stand along the Information Highway.
-- 
Toto
"The Xenix Chainsaw Massacre"
http://bureau42.base.org/public/xenix/xenbody.html






