[Javascript] ssi, layers, table alternative to frames

David T. Lovering dlovering at gazos.com
Mon Apr 14 20:22:45 CDT 2003


As an added downside of SSI's -- they are NOTORIOUSLY insecure.  When I first
started honing my teeth on browser exploits for my computer security training,
the very start of the discussion was on the many easy and exciting ways to
crack a system that had SSI's in place and operational.  Although I've forgotten
much of what I learned during that series of CSI seminars, the frightening 
simplicity of the exploits involved still sends shivers up my spine -- particularly
when I hear well-meaning folks relying on those self-same server-side includes
today.  (Sort of the same frisson I get from finding someone enabling anonymous
FTP on a host that doesn't have backwards-path exclusion turned on.)

When I look through the latest Apache "Black Book", it still warns against enabling
SSI's except for the simplest of things.  Most military and government systems
have a flat-out edict against SSI's, period -- for precisely that reason.  Next to
buffer-overflow exploits, SSI's are a hacker's (oops! I mean a "cracker's") best
friend.

-- Dave Lovering

P.S: I like frames too, and it took me a long time to learn to say that!

"McCoy, Thomas" wrote:
> 
> I love frames.  Seriously!
> 
> *ducks to avoid flaming*
> 
> I choose frames over SSI on the library's site because our server that
> processed the includes is SLOW...  SSI processing added 3 seconds on each
> page load :(  I might be in the minority (having an ancient server), but I'd
> test the load speed before committing to anything.  The delay wasn't too
> noticeable until we went live... all those page requests made the server go
> chugga-chugga-chugga :(
> 
> 
> Sincerely,
> Thomas McCoy
> www.city.newport-beach.ca.us/nbpl/
> 
> 
> -----Original Message-----
> 
> I'm sure you're already aware of the problems associated with using
> frames...
> _______________________________________________
> Javascript mailing list
> Javascript at LaTech.edu
> https://lists.LaTech.edu/mailman/listinfo/javascript

