Re: lynx-dev Lynx and Wells Fargo


From: David Woolley
Subject: Re: lynx-dev Lynx and Wells Fargo
Date: Wed, 24 Mar 1999 08:45:20 +0000 (GMT)

> I wonder what they might say if asked what their "stringent security
> standards" are?  Perhaps that it would be a security violation to

Basically: 

1) there is no-one to sue;

2) the configuration of Lynx is not well controlled, and they could even have
asked for a copy of Lynx on this mailing list (please don't mail the current
requestor one - it encourages bad security habits) and been given one with
a trojan horse;

3) people can operate proxy based solutions insecurely by running the proxy
at the other end of a dial up link.

The official line is probably that acknowledged security experts have
not inspected the code, which is basically tied into (2) above.  This is
the reason given by Verisign for initially not signing keys for Apache-SSL,
and why they now require a disclaimer of responsibility from anyone 
requesting them.

(This is a real concern, particularly for servers, as even Netscape have
created servers which generated easily predicted session keys.)

> disclose them. :-)  Have they validated those browsers they qualify
> by auditing the source code?  They're certainly welcome to audit the
> source of Lynx.

The source of which version of Lynx and which version of SSLeay?
Who pays?

You are probably in breach of contract by using Lynx, and forging 
a big 2 User Agent string, if not actually committing fraud.
