Teen cracks Netscape filter
A young developer posts what he describes as a simple means of bypassing password controls on a new browser filtering feature.
Hours after Netscape Communications debuted the 4.06 version of its browser with a new content filtering mechanism--provided for parents, teachers, and librarians who want to restrict access to "potentially offensive" Web sites--a teenage developer posted what he describes as a simple means of bypassing the filtering feature's password controls.
Netscape's 4.06 version of its Communicator Internet software suite, posted yesterday, includes a content-filtering feature that the company had previously announced would be part of its upcoming 4.5 version of Communicator. Dubbed NetWatch, the feature relies on two Internet ratings standards using the World Wide Web Consortium's Platform for Internet Content Selection (PICS). PICS lets Web sites rate their own content and lets Web browsers read those ratings.
Those who download the 4.06 browser can activate and change the ratings scheme in their preferences using a JavaScript-enabled NetWatch page. The bypass, posted last night, essentially trumps NetWatch by disabling NetWatch under the browser preferences with its own JavaScript-enabled Web page.
Netscape acknowledged the efficacy of the bypass approach, but said users would be unwise to download it because they would be granting an obscure developer high-risk security clearance on their computer.
"Downloading a certificate is a really big thing," said Communicator product manager Edith Gong. "It means you're going to trust anything he's going to send down to you. That's what I would consider a pretty high-risk operation."
Gong pointed out that many libraries and schools prevent software downloads of any kind, confining the bypass' threat to NetWatch to home users.
Communicator's security strategy for downloading JavaScripts follows what is known as a "trust" model, preventing those JavaScripts from carrying out certain operations unless a user specifically grants it permission and accepting a digital certificate authenticating the sender's identity and approving what it proposes to do. Under this model, users are considered likely to accept certificates from known entities such as Netscape, and not accept certificates from unknown entities like Brian Ristuccia, who created the bypass.
Ristuccia, a computer science student at the University of Massachussetts at Lowell and an employee of Bay Networks, said his programming efforts are motivated by free-speech concerns.
"Freedom of speech is something thousands have fought and died for," Ristuccia wrote in an email message. "It would be shameful to see something as simple as a censorware password suspend this inalienable human right."
Gong said Netscape's intention in offering NetWatch was to protect younger children from inappropriate Web content. She acknowledged that determined Web users would be able to find their way around content controls, whether that meant downloading a new browser or finding more technologically sophisticated methods.