lists.openwall.net: Open Source and information security mailing list archives
From: s.esser at e-matters.de (Stefan Esser)
Subject: Interesting side effect of the new IE patch

> Any browser that allows an HTTP URL with an @ sign in it is buggy and should
> be fixed.

Blablabla. Anyone who bought an NTSC TV should give it back, because it was not
the standard at the time it was introduced.

> HTTP URLs are not RFC compliant if they have the user:password@...t syntax.

Yes, and? Any car vendor who builds a phone into the car is also adding a
feature which could compromise safety, because the statistics say
that when you phone while driving you more often cause crashes.
And correct me if I am wrong, but I do not see "phone" in the official
definition of a car. So whoever added a phone to his cars first is
obviously a very, very bad guy.

How is the car example different from HTTP URLs? Microsoft added a
feature to HTTP URLs. This is the way they work. They change standards
into what they like. You may like that or not, but you absolutely CANNOT
say that a browser that implements this feature is buggy, because it isn't.
It just has a feature that is not covered by the standard.

If humans were only allowed to perform actions which are
written down in some standard, and not to "improve" or change the way they act,
we would not have any inventions anymore.

You may like it or not. It may or may not have been braindead to add this feature.
BUT you simply cannot call it a bug, because it was implemented into the
browsers on purpose and not by accident (well, maybe with IE as the exception).

> Microsoft fixed their bug and you are complaining about a bug and
> vulnerability fix because it removes some exploits.

Where am I complaining about Microsoft fixing the 0x01 vulnerability?

> Microsoft finally did the right thing and fixed their browsers. How long do
> you think it will take for Mozilla and Opera and Safari to change as well?

Yeah, we will see if the world is full of RFC compliant geeks.

> The only thing that should be done for legitimate programmed uses of an
> account and password is to add HTTP headers to the RFC (RFC 2616) to allow
> Username, authentication type and password.
> 
> USERNAME:DumbLuser
> Authentication-type:plainText
> Password:foolish

How would that be different from BasicAuth? And I hope your argument is
not that the password is not transferred in plain text with BasicAuth...

Stefan

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@...atters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------

