lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 06 Feb 2004 17:01:20 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: MS to stop allowing passwords in URLs


"Dave Warren" <dave.warren@...ilsplayground.net> wrote:

<<big snip>>
> It's probably too late, but rather then removing user:password support
> altogether, maybe Microsoft could replace it with a dialog that informs the
> user they are about to visit "session-arhuz.ru" with the username
> "www.herbank.com", and an appropriate warning about not revealing sensitive
> information, blahblahblah?

Yeah, just like the "The doument you are opening contains macros or 
customizations.  Some macros may contain viruses that could harm your 
computer.  [...]" warnings prevented Word macro viruses...

A user naïve enough to click on such a link does, in some important 
sense, _want_ to visit that page.  Your suggested warning is just 
another thing that such users see as "getting in the way of doing what 
I want to do".  Therefore, if implemented it would become more part of 
the problem than the solution (as users will become ever more familiar 
with ignoring "warnings" and clicking through them).  If you understand 
users, you will know that in helping them to not shoot themselves in 
the feet, the only useful appraoch is to remove everything capable of 
firing the bullets (and quite a few things beside!)...

On the Word macro virus front, things got notably better _NOT_ when MS 
implemented the above warning (that the users could blithely ignore and 
even _disable_ right there on the warning dialog -- what a travesty of 
mis-design that was!) but when it released a version of Word that 
defaulted to not running macros unless they were signed with an 
acceptable (as configured by the user/admin) key (there are legion 
flaws in the design of this feature, but it was strong enough to 
significantly impact the Word macro virus problem).  In IE, removing 
support for this mis-feature (read RFC 2616) will have a much greater 
impact than trying to "direct" users who don't want to be directed with 
"warnings" and other stuff that "gets in their way".


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ