Major security problem in Web browsers
technofile  by al fasoldt
Columns and commentaries in a life-long dance with technology 

Bit Player for April 6, 1997

By Al Fasoldt

Copyright © 1997, Al Fasoldt
Copyright © 1997, The Syracuse Newspapers

The scare over Web browser security took a sinister turn late last month. Both Microsoft and Netscape admitted that their Web browsing software is able to pass your credit-card number to another computer without your permission.

This dangerous flaw in the way modern Web browsers work is not related to the previously known security bugs in browsers. Microsoft and Netscape, which make most of the browsers for PCs and Macintosh computers, quickly posted fixes for those bugs.

But the latest flaw cannot be fixed easily, and nothing is likely to be done for months. A representative of Microsoft, Jerry Dale, says his company may not be able to fix the flaw until summer. Eric Greenberg, a security official at Netscape, says his company does not know when the problem can be solved.

Web browsers are programs that retrieve documents and images on remote computers over the Internet's World Wide Web. Hundreds of millions of Web browsers are used worldwide.

The flaw shows up when users are doing business at Web-based stores and services. Typically, the user types a credit-card number and other personal information onto a form when connected to the remote Web site, and the information is encrypted to keep it private. That part of the transaction works as claimed.

But if the user then clicks on a link to another site from the same page, all security measures are turned off. The information that was sent to the first site is written to a log on the second site's computer, where it can be seen by anyone. The log entry is in plain English, even if the original information was encoded at the first site.
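As an added illustration (not part of the original column), here is how the operator of the second site could audit its own access log for card numbers that arrived this way. It assumes the data travels in the HTTP Referer header and is recorded in Combined Log Format, neither of which the column names; the log lines, hosts and field names are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# (assumed log layout; group 1 is the referring URL)
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')
CARD = re.compile(r'\d(?:[ -]?\d){12,18}')  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to discard order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def leaked_fields(referer):
    """Names of query parameters in a referring URL that carry a card-like number."""
    hits = []
    for name, value in parse_qsl(urlsplit(referer).query, keep_blank_values=True):
        for m in CARD.finditer(value):
            digits = re.sub(r'\D', '', m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(name)
                break
    return hits

def audit(lines):
    """Return (line number, referring host, field names) for each leaking entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        fields = leaked_fields(m.group(1)) if m else []
        if fields:
            findings.append((n, urlsplit(m.group(1)).netloc, fields))
    return findings

# Constructed sample log; 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/1997:10:00:00 -0500] "GET /index.html HTTP/1.0" 200 2048 "https://shop.example/order?name=J+Doe&card=4111+1111+1111+1111&exp=0499" "Mozilla/3.01"',
    '192.0.2.11 - - [06/Apr/1997:10:00:05 -0500] "GET /index.html HTTP/1.0" 200 2048 "http://search.example/find?q=browsers" "Mozilla/3.01"',
    '192.0.2.12 - - [06/Apr/1997:10:00:09 -0500] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/3.01"',
    '192.0.2.13 - - [06/Apr/1997:10:00:12 -0500] "GET /index.html HTTP/1.0" 200 2048 "https://shop.example/track?order=1234567890123456" "Mozilla/3.01"',
]

if __name__ == "__main__":
    for lineno, host, fields in audit(SAMPLE_LOG):
        print(f"line {lineno}: card-like value from {host} in field(s) {fields}")
```

The report names only the line, referring host and field, so the audit output does not itself repeat the card number.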

According to Interactive Week Online, Pittsburgh computer consultant Daniel Klein discovered the flaw last month.

"The place people will crack it is not the places people worry about security but the ones they don't," Klein told the news service. "This is a big hole."

Interactive Week Online said none of the security experts it contacted knew about the flaw before Klein's discovery.

Until the flaw is fixed within the browser software, the only sure method of keeping personal information private is to avoid all links to other pages on the Web after you have entered private data on a secure Web site. Here are simple instructions on how to do this:

    • Create a local Web page on your computer's hard disk. Do this by opening a simple Web page at a remote site, then opening the File menu in your browser and choosing Save As File. (Some browsers may have different wording in the menu. Choose the item that does a "Save As" function.)
    • Save the page as an HTML or HTM document somewhere on your hard drive.
    • Create a bookmark or a favorite for that page. Go to that local page using your bookmarks or favorites menu each time you have finished entering personal information at a secure Web site. Then resume your Web browsing the normal way.

The page you use for the local safe-haven page should be as uncomplicated as possible. You can open a Web page I've created for just this purpose at http://www.dreamscape.com/afasoldt/safe-haven.html.

