| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Jan 2009 11:57:51 -0500
From: Valdis.Kletnieks@...edu
To: infolookup@...il.com
Cc: full-disclosure@...ts.grok.org.uk, Tribal MP <tribalmp@...il.com>,
full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: NO-IP service Flaw
On Tue, 27 Jan 2009 00:41:59 GMT, infolookup@...il.com said:
> What if you are sniffing the traffic for any http session the information is
> submitted in clear text.
If you're traffic sniffing, you'll see the data whether it's GET or POST.
The distinction becomes important for things like http proxies and things
that log/remember URLs - it's somewhat bad form to leave a userid/password
sitting right there in the browser 'recent URLS' list or in a logfile someplace.
If you're passing the data in the URL, at best it can be obfuscated and
reversed fairly easily (unless you've got enough Javascript to pop open a
dialog window and use an entered value as a salt for encrypting before
transmission).
Yes, the proper thing to do here is a POST over https.
Personally, I'm surprised that a frikking *domain registrar* is that clueless
about basic security (the *biggest* issue in what would otherwise be a pretty
minor vulnerability).
Or maybe I'm not, actually.. I wonder what *else* they got wrong?
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists