httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject Re: SUMMARY: How Secure Is The Apache WWW Server (fwd)
Date Wed, 04 Sep 1996 19:17:27 GMT

not acked.

[I'm catching up on bugs mail after 4 days of downtime with a busted
monitor :-( ]

----- Forwarded message from Reid Judd -----

Message-Id: <9609021918.AA22155@internet-gw2.HEA.COM>
Date: Mon, 02 Sep 96 12:17:12 -0700
Sender: reidjudd@aaart.com
From: Reid Judd <webmaster@aaart.com>
Organization: AAArt
X-Mailer: Mozilla 1.1N (X11; I; SunOS 4.1.3 sun4m)
Mime-Version: 1.0
To: webmaster@aaart.com, apache-bugs@mail.apache.org
Subject: Re: SUMMARY: How Secure Is The Apache WWW Server
References: <3225EC3D.794BDF32@lheamail.gsfc.nasa.gov> <50f73l$leh@internet-gw2.hea.com>
X-Url: news:50f73l$leh@internet-gw2.hea.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

These messages appeared on the newsgroups:
  comp.security.unix,comp.security.misc.

  My quick question: is there something that I can do to 
  make NetScape's message go away?  (other than telling the
  users to turn it off in the preferences).

thanks in advance.
Reid Judd
webmaster@aaart.com


Reid Judd <webmaster@aaart.com> wrote:
>According to the www-security-faq:
> 
>	Q55: How do I turn off the "You are submitting the contents
>	of a form insecurely" message in Netscape? Should I worry
>	about it?
>
>	This message indicates that the contents of a form that 
>	you're submitting to a CGI script is not encrypted and
>	could be intercepted. Right now you'll get this message 
>	whenever you submit a form to any non-Netscape
>	server, since only the Netsite Commerce Server can 
>	handle encrypted forms. You probably shouldn't send
>	sensitive information such as credit card numbers 
>	via unencrypted forms . . .
>
>  Does the Apache server handle encrypted forms now?  Or is the
>  security only one-way from server to browser?  Does NetScape have
>  a monopoly on secure transactions?   I've just implemented
>  a secure form to take credit card info on an Apache server 
>  and the message the NetScape browsers return is frightening 
>  off any potential customers for my client.
>
>-- Reid Judd
>
>	AAArt
>	1414 Donohue Dr.
>	San Jose, CA 95131
>	(408) 937-1824 voice/FAX
>
>	http://www.aaart.com 
>	webmaster@aaart.com 
>
>Steve Remsing <srr@lheamail.gsfc.nasa.gov> wrote:
>>This is a summary of the information I received regarding the security
>>of the Apache WWW Server.
>>
>>Out of six replies four people said they felt it was secure, provided
>>you don't install the sample cgi-bin programs that come with it.  Yes,
>>they have been fixed supposedly, but why take that chance?  Reasons
>>people felt Apache is secure are: very widely used, source code freely
>>available for review, and it is actively being developed.  One person
>>said it was not secure (sorry I don't have details) and suggested using
>>Stronghold.
>>
>>In case anyone out there is not aware, there is a good FAQ regarding
>>WWW security at:
>>
>>http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
>>
>>I'd like to thank the following people for taking the time to provide
>>some information:
>>
>>Peter Mardahl <peterm@langmuir.EECS.Berkeley.EDU>
>>Elliot Lee <sopwith@dilbert.redhat.com>
>>Tony <tony@comp1.demon.co.uk>
>>ghynes@compusult.nf.ca (Gerard Hynes)
>>awm@qosina.com
>>David Rudder <drig@drig.magicweb.com>
>>"John D. Mitchell" <johnm@mitchell.org>
>>
>>Steve
>>--
>


----- End of forwarded message from Reid Judd -----

-- 
Rob Hartill (robh@imdb.com)    
http://www.imdb.com/  ... why wait for a clear night to see the stars?.
