LM_NET: Library Media Networking




>
> >Netscape is free to schools. You did not pay $400 for the software. My
> >guess is that the financial users did pay. So you get what you pay for. I
> >find it a great piece of software for free.
> >
>
> Bill, you and I share the same philosophy--TANSTAAFL!  (There ain't no such
> thing as a free lunch!)  That's why Netscape is a better product than
> others--because it has commercial support.  However, Netscape's basic
> features don't change regardless of whether you pay for it or not--I'm a
> paying customer, btw.  (for a single license I paid $39 for the software
> plus $20 for the manual--not bad.)  Even more interesting, the
> documentation, online or printed, doesn't discuss the security "features"
> we've been discussing--the ease with which email can be spoofed, for
> example.  What's interesting is that Netscape has some excellent security
> features--all directed toward commercial transactions.  Hmmmm?  After all,
> once  I pay for lunch, I like to get what I ordered.  ;-)  ;-)
 
Changing Netscape in the way you suggest would be a big mistake.
 
Any one of dozens of publicly available programs can be used for
easy e-mail spoofing.  For example, the telnet program supplied with any
Internet package or host can be used to forge e-mail.  Just enter the
command:
 
% telnet <hostname> 25
 
This will connect you to the raw e-mail port of a host.  Just type in
your mail message in raw SMTP format.  You can make up any mail
message and header you want.  Therefore, it is a much better forgery
technique than Netscape.
 
This is a widely known technique and is documented in at least a half
dozen popular books.  We have an unusual policy for a commercial
Internet service provider in that we offer free access to schools,
libraries and other educational institutions and provide discounts to
students and educators.  This means we get lots of students,
especially high school students.  I regularly catch students forging
e-mail with this technique.  Your students know how to forge e-mail
this way, even if you don't.
 
By the way, it is only slightly less convenient, and no more complex,
to spoof IP addresses.
 
There is no way to "fix" this e-mail security issue without breaking
significant features of the Internet.  E-mail is transferred by trust
and a healthy skepticism towards the authorship of *all* e-mail is
necessary.
 
Changing Netscape the way you wish is pointless, since it would still
be very easy to spoof e-mail with other programs. The entire
architecture of Internet e-mail would have to be re-designed to allow
any real security.
 
Further, you would cause useful features to stop working.  We provide
phantom domains to schools so that educators who use our service can
send and receive e-mail from their school domain without any
investment on the school district's part.  You would break this
feature by not allowing people to change their domain in their "from"
address.
 
Commercial transactions over the Internet are a much easier problem,
since the designer can control both ends of the conversation: reader
and writer.  There is no need for backward compatibility.
 
Please stop trashing the reputation of the Netscape developers.  You
have no evidence to back up your mean-spirited accusations.
 
sincerely,
fletcher
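
Added example (not part of the original message): a header-consistency check a mail administrator might run, applied to three constructed messages. It shows that comparing the "From" domain with the relaying host flags a forged message and a legitimate phantom-domain message in exactly the same way. All host names, addresses and the sendmail-style Received layout are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def sample(helo, rdns, ip, sender):
    """Build a constructed message; every host and address is a placeholder."""
    return (f"Received: from {helo} ({rdns} [{ip}])\n"
            "\tby mail.recipient.example; Mon, 1 Jan 1996 10:00:00 -0500\n"
            f"From: {sender}\nTo: reader@recipient.example\n"
            "Subject: schedule\n\nSee you at 3.\n")

SAMPLES = {
    # HELO name and From line both claim the school; the sender was a dial-up host.
    "forged": sample("school.example", "dialup7.isp.example", "192.0.2.7",
                     "principal@school.example"),
    # Phantom domain: the provider's relay legitimately sends mail for the school.
    "phantom": sample("mail.isp.example", "mail.isp.example", "192.0.2.25",
                      "teacher@school.example"),
    # Mail that really left a host inside the school's own domain.
    "local": sample("mail.school.example", "mail.school.example", "198.51.100.3",
                    "teacher@school.example"),
}

RECEIVED = re.compile(r"\s*from\s+(\S+)(?:\s+\((\S+)\s+\[[^\]]*\]\))?", re.I)

def relay_host(msg):
    """Host in the topmost Received header, which the final server wrote itself.
    The parenthesised name is what that server looked up; the HELO name before
    it is supplied by the client, so it is used only as a fallback."""
    hops = msg.get_all("Received", [])
    m = RECEIVED.match(hops[0]) if hops else None
    return (m.group(2) or m.group(1)).lower() if m else None

def check(raw):
    """Compare the From domain with the host that handed the message over."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    relay = relay_host(msg)
    consistent = bool(from_domain and relay and
                      (relay == from_domain or relay.endswith("." + from_domain)))
    return {"from_domain": from_domain, "relay": relay, "consistent": consistent}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check(raw))
```

Both the forged and the phantom-domain samples come back with "consistent" false, so a mismatch is a reason for skepticism about authorship rather than proof of forgery.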

