[ISN] Teen cracks Netscape browser filter

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 18 Aug 1998 - 16:58:07 CDT
Forwarded From: darek milewski <darekm@cmeasures.com>


Teen cracks Netscape browser filter
By Paul Festa
Staff Writer, CNET NEWS.COM
August 18, 1998, 1:35 p.m. PT
URL: http://www.news.com/News/Item/0,4,25403,00.html

Score one for young free speech advocates in their high-tech battle
against protective parents. 

Hours after Netscape Communications debuted the 4.06 version of its
browser with a new content filtering mechanism--provided for parents,
teachers, and librarians who want to restrict access to "potentially
offensive" Web sites--a teen-age developer posted what he describes as a
simple means of bypassing the filtering feature's password controls. 

Netscape's 4.06 version of its Communicator Internet software suite,
posted yesterday, includes a content-filtering feature that the company
had previously announced would be part of its upcoming 4.5 version of
Communicator.  Dubbed NetWatch, the feature relies on two Internet ratings
standards using the World Wide Web Consortium's Platform for Internet
Content Selection (PICS). PICS lets Web sites rate their own content and
lets Web browsers read those ratings. 

Those who download the 4.06 browser can activate and change the ratings
scheme in their preferences using a JavaScript-enabled NetWatch page. The
bypass, posted last night, essentially trumps NetWatch by disabling
NetWatch under the browser preferences with its own JavaScript-enabled Web
page. 

Netscape acknowledged the efficacy of the bypass approach, but said users
would be unwise to download it because they would be granting an obscure
developer high-risk security clearance on their computer. 

"Downloading a certificate is a really big thing," said Communicator
product manager Edith Gong. "It means you're going to trust anything he's
going to send down to you. That's what I would consider a pretty high-risk
operation." 

Gong pointed out that many libraries and schools prevent software
downloads of any kind, confining the bypass' threat to NetWatch to home
users. 

Communicator's security strategy for downloading JavaScripts follows what
is known as a "trust" model, preventing those JavaScripts from carrying
out certain operations unless a user specifically grants them permission,
accepts a digital certificate authenticating the sender's identity, and
approves what the script proposes to do. Under this model, users are considered
likely to accept certificates from known entities such as Netscape, and
not accept certificates from unknown entities like Brian Ristuccia, who
created the bypass. 

Ristuccia, a computer science student at the University of Massachusetts
at Lowell and an employee of Bay Networks, said his programming efforts
are motivated by free-speech concerns. 

"Freedom of speech is something thousands have fought and died for," 
Ristuccia wrote in an email message. "It would be shameful to see
something as simple as a censorware password suspend this inalienable
human right." 

Gong said Netscape's intention in offering NetWatch was to protect younger
children from inappropriate Web content. She acknowledged that determined
Web users would be able to find their way around content controls, whether
that meant downloading a new browser or finding more technologically
sophisticated methods.


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Wed Aug 19 09:41:24 1998