TBTF for 1995-12-02: Security/privacy breach fixed; essential tools

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Previous message: Keith Dawson: "TBTF for 1995-11-29: Dissing Java; Netscape 2.0b3; savvy search"

Netscape 2.0b2 allows serious privacy breach; fixed in 2.0b3

Scott Weston <scott at tripleg dot com dot au> discovered a gaping security hole in
Netscape's second beta that can result in a chilling loss of privacy. He
reported it to Netscape and they have fixed it already; the problem does
not manifest in beta 3. (I hope they pay him the $1000 under their Bugs
Bounty program.) The problem is in LiveScripts, a facility new in 2.0 for
cross-platform scripting of events, objects, and actions. LiveScripts are
small programs you put into your web page that can be executed by a Net-
scape client. There is no direct way for these programs to send informa-
tion back to the owner of the web page, but Scott found a back-door way to
do so, outlined in <b2-privacy-bug.html>.

Now Netscape has been painfully attuned to the publicity surrounding its
previous security glitches (see TBTF for 1995-09-27, 1995-09-20, and 1995-08-21
in the archive), and as a result has been startlingly responsive to reported
problems. But Scott was taking no chances.

Follow the directions in the Scott's posting to visit his page, using a
beta 2 browser -- any platform will do. You will see a transcript of every
action you've taken in your current Netscape session. This is massively
scary. The page contains a log of captured sessions from previous visitors,
including one from a hapless soul who loads an X-rated .gif file, appar-
ently as a screen background, when his/her browser starts. This stark fact
is splashed across Scott's site for all the world to see. The page includes
a form for mailing comments directly to Netscape. I'll bet they got some
good ones.

Moral: Java may be secure (opinions vary), but a scripting language im-
plemented in Java has no automatic claim to safety. TBTF for 1995-11-29
touches on one solution, which is to let downloaded code execute only in
a locked room.

Someday your style sheets will come

A recent thread in the Apple Internet Authoring forum explored the way the
Netscape HTML extensions are bending the practice of Web authoring. Jeffrey
Veen <jeff at hotwired dot com> succinctly described the forest we're in and point-
ed out the trail of breadcrumbs represented by HTML style sheets. Jeffrey's
posting appears on the TBTF archive by permission.

Style sheets were proposed for HTML 3 but didn't make the cut; the feature
is now listed as a candidate for 3.1. While one can't be too exact, because
there is as yet no agreed-upon functional definition for style sheets, they
are intended to offer the Web author a way to specify the desired appear-
ance of HTML code for each kind of client browser.

Some companies are developing alternatives for those unwilling to wait for
HTML 3.1. Maxum Development, located in suburban Chicago, offers a package
called NetCloak for the Macintosh MacHTTP and StarNine servers -- see
<http://www.maxum.com/NetCloak/>. NetCloak provides 30 new commands that
you can use in HTML documents, executed on the server at the time a docu-
ment is sent to the client. This lets you create dynamic, conditional (but
not portable) HTML pages. NetCloak lists for $195. A recent poster to the
Apple Internet Authoring forum described his site's adoption of NetCloak:

> ...I soon purchased NetCloak, then went through and hid frame-non-
> essential/frame-bad text with <hide_client Mozilla2> statements
> (along with a bunch of other browser-specific tweaking, mainly hiding
> images from Lynx and replacing animations with static gifs for every-
> body but Netscape 1.1x and Netscape 2x). Now my site is unified _and_
> frames-capable. No more double updates of data. Hooray. Background
> colors, frames, targeted imagemaps, server-pushes, tables, the whole
> nine--based on your browser's capability... I'll be rolling out some
> forms in the near future...

Attention IPO jockeys

Institutional Investor plans to launch a newsletter covering Wall Street and
the Internet, and they're looking for help in defining its content, publica-
tion frequency, and medium of distribution. They seem to be thinking about
a subscription price in the low four figures. (Maybe I'm in the wrong line
of work...) Survey at <http://edgar.stern.nyu.edu/survey.html>.

Essential Tools: BrowserWatch; HTML syntax validators

This number marks the debut of a new feature, Essential Tools. From time to
time I'll briefly review on-Net resources that I've found useful in devel-
oping Web content, or in keeping an eye on Web standards and trends. Event-
ually these will be collected on the archive site.

• BrowserWatch: see <http://www.ski.mskcc.org/browserwatch/>. Dave
  Garaffa's site maintains exhaustive statistics on the flavor of browser used by its
  visitors (currently more than 30 browsers in more than 140 versions). The
  site also tracks the features supported by various browsers, lists known
  and suspected bugs, and conveys "net.fame" on the first person to report
  each bug.
  

• HTML syntax validators: Yahoo lists eight packages or services to syntax-check
  and otherwise validate HTML: Unusual for Yahoo, this compilation
  is a touch stale: the author of one listed tool is no longer supporting it,
  and my own favorite validator is not on the list. See
  <http://www.halsoft.com/html-val-svc/>, a free service of HAL Soft-
  ware (a Fujitsu company). You can type or paste HTML into a form or you
  can point the validator at any reachable URL. There are options to check
  against the criteria for HTML 1, 2, 3, "Mozilla" (i.e., Netscape), and
  HotJava. There is also a check against "Strict" criteria. Nothing I've
  ever submitted has passed this latter test; I suspect that the Strict
  subroutine looks something like { return(FALSE); }.
  
  An interesting package on Yahoo's list, from EIT, is an assembly kit
  for a worm that will flexibly check all outbound links from a given URL.
  See <http://wsk.eit.com/wsk/dist/doc/admin/webtest/verify_links.html>.
  

Followup: Netback -- introducing Surety

John Finlayson <johnf at findog dot HQ dot ileaf dot com> writes to introduce Surity Tech-
nologies -- see <http://www.surety.com/about-surety.html>. John argues that
Surety's service is more innovative than Netback's, and it's unarguably
cheaper. The copmpany was spun out of Bellcore in 1993 to commercialize
patented "Digital Notary" technology that the founders, Scott Stornetta
and Stuart Haber, had developed there. Full disclosure: John doesn't work
for or have any financial interest in Surety but is an old college friend
of Stornetta's. John writes:

> [Netback] makes two claims:

> 1. First and only online backup AND registration service.
> 2. First real-time registration service.

> I don't know about the first claim, but I question the second, which is
> the one you quoted. Surety rolled out their digital notary service last
> January. Hard to judge, since NetBack's website has no history page.

Let's ask the InterNIC (you too can do this from any direct-connected Unix
system). FWIW, Surety registered their domain 9 months before Netback did.

  % 3 > whois netback.com             % 4 > whois surety.com
  NetBack, Inc. (NETBACK-DOM)         Surety Technologies, Inc. (SURETY-DOM)
     105 Duane Street Apt. 43G           1 Main Street
     New York, NY 10007                  Chatham, NJ 07928
  ...                                 ...
     Record last updated on 24-Mar-95.   Record last updated on 08-Jun-95.
     Record created on 24-Mar-95.        Record created on 20-Jun-94.

>>apple-internet-authoring mailing list: mail apple-internet-authoring-
> request@solutions.apple.com without subject and with message: subscribe .

• Previous message: Keith Dawson: "TBTF for 1995-11-29: Dissing Java; Netscape 2.0b3; savvy search"