lynx-dev

Re: LYNX-DEV more about wells fargo, schwab


From: Mark Mentovai
Subject: Re: LYNX-DEV more about wells fargo, schwab
Date: Fri, 13 Mar 1998 17:23:42 -0500 (EST)

On Thu, 12 Mar 1998, Scott McGee wrote:

> And you seem to miss my point that the publicly available Netscape code
> _WILL HAVE NO SSL AT ALL_ and so binaries built from it will _not do SSL_!
> Only binaries distributed by Netscape, with the SSL added back in, or home
> hacked derivative works will have SSL, so Wells Fargo is likely to stay
> happy with things as they are. If you hack SSL into Netscape's code, and
> call it Netscape, you are in the same boat as someone who forges Netscape's
> identifier in Lynx, not WF's concern. Only binaries from Netscape will have
> Netscape's SSL, and so will be as safe as they are (or are not) now.

I know I shouldn't be prolonging this any more than I already have, but
here goes...

If you're a financial institution allowing customers to make transactions
online, and you're basing your opinion of whether or not someone's browser
is trustable or not on its User-Agent string, then you're making a very
stupid decision.  I'm not sure how something as intangible and easily
modifiable as a User-Agent string would hold up in court or anything like
that, but from the standpoint of someone accepting HTTPS connections, this
just seems to be a very stupid decision to make.  There's no guarantee of
the truthfulness of the User-Agent string, and even if there were, there
are a zillion ways that an allegedly "trusted" browser could be less
secure than one they call "untrusted" - compare Lynx used on a PC or Mac
running Linux to Netscape on a multiuser Unix system.

In addition, only binaries from Netscape will have Netscape's SSL, but
Netscapes compiled with alternative SSL patches will not have Netscape's
SSL, but may still identify themselves and function exactly the same as
Netscape's binaries.

In short, if it walks like a Mozilla and talks like a Mozilla, it may not
be a Mozilla, and it's time that the world woke up and realized that.

-Mox

--
Mark Mentovai
address@hidden
http://www.moxienet.com/

