Re: LYNX-DEV Re: ...vulnerability in Lynx...

[Larry W. Virden, x2487]

From: Jonathan Sergent <address@hidden>
> In message <address@hidden>, Scott McGee (Personal) writes:
>  ] Come on now! Lynx isn't some DOD hyper sensitive program with top secret
>  ] data that should only be run in a ultra secure environment, it is a web
>  ] browser. It should attempt to run in any environment it is asked to. If the
>  ] system Lynx is run or compiled on is noticably insecure, then _AT MOST_ it
>  ] should issue a polite, ignorable notice, and then continue to run.
> 
> ... 
> 
> The issue here is that it's fairly trivial for a malicious user to make
> Lynx overwrite another users' files.  There are ways of fixing Lynx so 
> that it will work on a poorly set up system without causing security 
> problems.

I'll go even further.  If lynx isn't going to be secure, then it needs
to advertise the fact.  At that point, it will no longer be used by
ISPs, who _need_ lynx to be "some DOD hyper sensitive program with top
secret data", or at least to be able to be secured to protect everyone's
data on the machine.

Folks are doing _business_ on these systems.  If Lynx can be used to
compromise someone's account, then they may lose money - or information
someone else would prefer to keep private (medical bills, credit information,
etc.).
-- 
Larry W. Virden                 INET: address@hidden
<URL:http://www.teraform.com/%7Elvirden/> <*> O- "We are all Kosh."
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;