Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/09/04 21:17:27 UTC
Re: SUMMARY: How Secure Is The Apache WWW Server (fwd)
not acked.
[I'm catching up on bugs mail after 4 days of downtime with a busted
monitor :-( ]
----- Forwarded message from Reid Judd -----
Message-Id: <96...@internet-gw2.HEA.COM>
Date: Mon, 02 Sep 96 12:17:12 -0700
Sender: reidjudd@aaart.com
From: Reid Judd <we...@aaart.com>
Organization: AAArt
X-Mailer: Mozilla 1.1N (X11; I; SunOS 4.1.3 sun4m)
Mime-Version: 1.0
To: webmaster@aaart.com, apache-bugs@mail.apache.org
Subject: Re: SUMMARY: How Secure Is The Apache WWW Server
References: <32...@lheamail.gsfc.nasa.gov> <50...@internet-gw2.hea.com>
X-Url: news:50f73l$leh@internet-gw2.hea.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
These messages appeared on the newsgroups:
comp.security.unix,comp.security.misc.
My quick question: is there something that I can do to
make Netscape's message go away? (other than telling the
users to turn it off in the preferences).
thanks in advance.
Reid Judd
webmaster@aaart.com
Reid Judd <we...@aaart.com> wrote:
>According to the www-security-faq:
>
> Q55: How do I turn off the "You are submitting the contents
> of a form insecurely" message in Netscape? Should I worry
> about it?
>
> This message indicates that the contents of a form that
> you're submitting to a CGI script is not encrypted and
> could be intercepted. Right now you'll get this message
> whenever you submit a form to any non-Netscape
> server, since only the Netsite Commerce Server can
> handle encrypted forms. You probably shouldn't send
> sensitive information such as credit card numbers
> via unencrypted forms . . .
>
> Does the Apache server handle encrypted forms now? Or is the
> security only one-way from server to browser? Does Netscape have
> a monopoly on secure transactions? I've just implemented
> a secure form to take credit card info on an Apache server
> and the message the Netscape browsers return is frightening
> off any potential customers for my client.
>
>-- Reid Judd
>
> AAArt
> 1414 Donohue Dr.
> San Jose, CA 95131
> (408) 937-1824 voice/FAX
>
> http://www.aaart.com
> webmaster@aaart.com
>
>Steve Remsing <sr...@lheamail.gsfc.nasa.gov> wrote:
>>This is a summary of the information I received regarding the security
>>of the Apache WWW Server.
>>
>>Out of six replies four people said they felt it was secure, provided
>>you don't install the sample cgi-bin programs that come with it. Yes,
>>they have been fixed supposedly, but why take that chance? Reasons
>>people felt Apache is secure are: very widely used, source code freely
>>available for review, and it is actively being developed. One person
>>said it was not secure (sorry I don't have details) and suggested using
>>Stronghold.
>>
>>In case anyone out there is not aware, there is a good FAQ regarding
>>WWW security at:
>>
>>http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
>>
>>I'd like to thank the following people for taking the time to provide
>>some information:
>>
>>Peter Mardahl <pe...@langmuir.EECS.Berkeley.EDU>
>>Elliot Lee <so...@dilbert.redhat.com>
>>Tony <to...@comp1.demon.co.uk>
>>ghynes@compusult.nf.ca (Gerard Hynes)
>>awm@qosina.com
>>David Rudder <dr...@drig.magicweb.com>
>>"John D. Mitchell" <jo...@mitchell.org>
>>
>>Steve
>>--
>
----- End of forwarded message from Reid Judd -----
--
Rob Hartill (robh@imdb.com)
http://www.imdb.com/ ... why wait for a clear night to see the stars?.