From blizzard@odin.nyser.net  Tue Aug 13 03:37:46 1996
Received: from odin.nyser.net (odin.nyser.net [204.168.18.21]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id DAA28034 for <best-of-security@suburbia.net>; Tue, 13 Aug 1996 03:37:22 +1000
Received: from odin.nyser.net (localhost [127.0.0.1]) by odin.nyser.net (8.7.5/8.7.5) with ESMTP id NAA08382; Mon, 12 Aug 1996 13:36:11 -0400
Message-Id: <199608121736.NAA08382@odin.nyser.net>
To: Dave Dillow <il1@dsroc6.dsdoe.ornl.gov>
cc: best-of-security@suburbia.net
Subject: Re: BoS: Re: Security aspects of Microsoft FrontPage server extensions? 
In-reply-to: Your message of "Thu, 08 Aug 1996 17:16:13 EDT."
             <199608082116.RAA20805@dsroc6.dsdoe.ornl.gov> 
Date: Mon, 12 Aug 1996 13:36:11 -0400
From: Christopher Blizzard <blizzard@odin.nyser.net>

In message <199608082116.RAA20805@dsroc6.dsdoe.ornl.gov>, Dave Dillow writes:
:
:----- Begin Included Message -----
:
:3. By default, files uploaded via FrontPage are apparently
:world-writable.  I can probably fix that with a wrapper or something
:around Apache's startup to change the umask, but it's annoying.
:
:4. The "tar" file the extensions come in will extract all the
:executables, their directories, etc. world-writable.
:
:5. FrontPage transfers data using the content type
:"application/x-vermeer-encoding" (or something like that).  A MS FP
:tech support guy mentioned something in passing that that data is
:encrypted "pretty strongly".  Though I haven't been listening much, I
:haven't heard if MS has published the algorithm used.  Sounds like
:encryption via obfuscation, but I could be wrong.
:

	I remember reading somewhere that the encryption was only strong 
enough to discourage casual sniffing.  I also wrote something about my 
experiences with FP and our servers.  Check out:

http://odin.nyser.net/~blizzard/doc/front_page.html

--Chris

-------------------------------------------------------------------
Christopher Blizzard   | "The truth knocks on the door and you say
blizzard@nysernet.org  | 'Go away.  I'm looking for the truth,' and
NYSERNet, Inc.         | so it goes away."  --Robert Pirsig
-------------------------------------------------------------------
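As an added example (not part of the original mail), a POSIX shell check for the world-writable files items 3 and 4 describe, plus a demonstration that the umask in force when a process creates a file decides its mode, which is what a umask wrapper around the Apache start-up would rely on; all paths below are constructed for the demo:

```shell
#!/bin/sh
# Added example, not code from the original mail. Audits a tree for
# world-writable entries and shows the effect of umask on new files.

# Return 0 if the single path $1 has the other-write bit set, 1 otherwise.
# -prune keeps find from descending when $1 is a directory.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -o=w)" ]
}

# Count regular files and directories under $1 that others may write to.
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o=w | wc -l | tr -d ' '
}

# Create an empty file $2 with umask $1 in effect, as a server started
# under that umask would. The subshell keeps the umask change local.
create_with_umask() {
    ( umask "$1"; : > "$2" )
}

# Demo on a constructed directory: one file made under a permissive
# umask (0000 -> mode 0666), one under the usual 0022 (-> mode 0644).
demo_dir=$(mktemp -d)
create_with_umask 0000 "$demo_dir/loose.htm"
create_with_umask 0022 "$demo_dir/sane.htm"
echo "world-writable entries under $demo_dir: $(count_world_writable "$demo_dir")"
find "$demo_dir" -type f -perm -o=w -print
```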