Archive of UserLand's first discussion group, started October 5, 1998.

Re: New Third Voice version out

Author:Jeremy Bowers
Posted:9/15/1999; 6:20:45 PM
Topic:New Third Voice version out
Msg #:11105 (In response to 11092)
Prev/Next:11104 / 11106

To summarize, politically: you, Jeremy, believe that the webmaster has the right to prevent his/her readers--any and/or all of them--from allowing any or all third parties to offer their comments on the webmaster's site. Would you say this is a fair and accurate representation of your belief? If not, how would you amend my description of your belief?

No. I believe that the webmaster has the right to prevent his/her readers from offering their comments in direct and total connection with the site itself.

Comment on the Usenet.... heck, create a service where you type in a major site (URL turns out to be silly when you think about it) and enter a discussion board... but leave it off my site.

As for security issues, there have been two major flaws already reported. One allowed arbitrary scripts to be embedded in these messages... as those notes are in the same context as the page, they could play all sort of games. My favorite is to redirect all forms on a page to submit to your server, then pass through to the original server; you can use that to redirect all information you ever submit on a given page to your own server, so you can collect credit cards and passwords. The passwords one happened, on Hotmail and a few others.

Then there was the issue where they were allowing anyone to connect to the proxy server and use it, not just the local machine... fixed, in theory, but I don't trust them right now (the hole was soooo simple). In that case, one could make it look as if some web activity was occuring from somebody else's machine, and it would be very difficult to trace.

What with all the other services of this kind coming out, and, since this is legal, all the other services we can't even imagine, I would be concerned about the integrity of any secure services I offer, if anybody can just walk in and modify it, user invited or no. How can I guarentee security if it's not just me and the user communicating? (I use guarentee in the product guarentee sense; not that "I am certain this will never fail", but "If this fails, here is how I will recompense you: Return your product for a full refund etc.")

As for the scenario where someone not using the service could be affected, let me take the real password stealing occurance, but, instead of stealing Hotmail passwords, somebody steals your local Payroll Department's passwords and drop your salary by 5%. You never used Third Voice, but somebody else screwed up.

Now, regarding your security issues. The most secure connection is the simplest (all else being equal), with the best defense possible on that simple connection. Ideally, then, we want to directly connect through as few servers as possible. In order to do this, we need to knock out every third party we can from the secure connection. Yes, this includes Net Nanny and all the rest. However, I submit, in general, that the addition of content is significantly more dangerous then the removal of it. (Obviously, counter-examples can be constructed, but I speak in general.) It is hard to imagine Net Nanny blocking something to be a security violation, or the addition of bookmarks on your personal system to be a violation, but when the data propogates to systems around the world, a new realm of security issues emerge.

Even should Third Voice be secure, Utok may not, Esgear may not, and the Unknown Site "Morphing" Released In 2001 service may not. I want to be able to speak directly to my user without inturrutption/interception... for both our good.


There are responses to this message:


This page was archived on 6/13/2001; 4:52:39 PM.

© Copyright 1998-2001 UserLand Software, Inc.