On Monday 11 February 2002 01:56 pm, Paul Prescod wrote:
> Gavin Thomas Nicol wrote:
> > > If you do that, you make it extremely difficult to build
> > > intermediaries like:
> > >
> > > * store-and-forward services
> > > * caches
> > > * firewalls
> > > * proxies
> > > * message routers
> > > * privacy managing intermediaries
> > This is not strictly true.
> You say that but your message did not provide any evidence.
OK. I'll play the game... you *prove* to *me* that these become
extremely difficult, and then I'll prove that you're wrong...
> > I don't think you can assume that visibility is always a good
> > thing....
> Optional visibility is always a good thing. You can turn it off
> easily if you don't want it. SSL is an example of turning it off.
Prove that "optional visibility is always a good thing". Explain to me
why tacking on SSL and authentication mechanisms is better than
controlled disclosure in the first place.... especially for things
like web services.
> So you're saying that HTTP can be fairly easily attacked from a
> security point of view unless you use the security features.
No, I am pointing out that open disclosure and visibility aren't
necessarily good things... indeed, the basic tenet of security is the
principle of "least privilege", which implies lack of both these
things. SSL was created because HTTP, in and of itself, has very poor