[thelist] Netscape 6+ insecure?

Jonathan_A_McPherson at rl.gov Jonathan_A_McPherson at rl.gov
Fri Jun 28 08:57:01 CDT 2002


No, I haven't -- my guess is that your bank
(a) has not even tried NS 6/7, and
(b) does not want to take the time to test their site in yet _another_
browser until its market penetration is significant enough to warrant doing

Most customers don't understand the difference between browser failure and
site failure, so corporate entities (wisely) do a lot of testing on a
browser before they'll admit to supporting it.

BTW, the Mozilla codebase has produced an impressively secure browser; there
has only been one well-known vulnerability that I know about, and it's been
patched since RC2 -- whereas IE has 18 unpatched vulnerabilities right

Jonathan McPherson, LMIT/SD&I
Software Engineer & Web Systems Analyst
email / jonathan_a_mcpherson at rl dot gov

[1] http://www.jscript.dk/unpatched/

-----Original Message-----
From: Chris Kaminski [mailto:chris at setmajer.com]
Sent: Thursday, June 27, 2002 10:29 PM
To: thelist lists.evolt.org
Subject: [thelist] Netscape 6+ insecure?

Yesterday I tried to do some online banking with Mozilla and failed because
CapitalOne redirects Moz to an 'unsupported browser' page claiming Netscape
6+ has 'security issues.' Someone on another list helpfully pointed out that
auto-fill of passwords could not be disabled from the server in early
versions of NS6, and that might be the problem. That doesn't look to be the

I sent them a complaint and they responded in pertinent part:

    We regret any inconvenience you may have experienced
    from our web site not supporting Netscape 6.0 or greater.
    Currently, our website is compatible with only Netscape
    Version 4.76 or Internet Explorer 5.5 or greater because
    other browser versions are not able to consistently encrypt
    and decode the information displayed on the secured pages
    of our website.

Anyone ever hear of such a thing?

Sounds like malarkey to me, as Moz has no trouble with Citi Group's banking
site, nor with PostBank's, nor have we had any trouble with the two SSL
sites we've worked on.

Oh, and this is another reason why some folks still use NN4.x: it's the only
non-MS browser some large sites support. It's partly our own colleagues'
fault that browser is still with us, apparently.


chris.kaminski == ( design | code | analysis )

    Any sufficiently advanced technology is
    indistinguishable from magic.
    ----------------------------------<< Arthur C. Clarke >>

More information about the thelist mailing list