Date: Mon, 2 Feb 2004 21:01:45 -0700
From: "Dave Warren" <dave.warren@...ilsplayground.net>
To: "McAllister, Andrew" <McAllisterA@...ystem.edu>,
	<bugtraq@...urityfocus.com>
Subject: Re: MS to stop allowing passwords in URLs


McAllister, Andrew wrote:
> I certainly don't consider the "remember my password" functionality
> nor stored cookies any more or less safe than this syntax.
>
> Anyone have any comments regarding legitimate uses of this syntax and
> Microsoft removing it from their browser? (and presumably the OS since
> the browser IS the OS).

The safety concerns of http://user:pass@www aren't technical, they're
user/training issues.  How do you explain to your grandmother that
http://www.herbank.com:login.asp@...sion-arhuz.ru/ isn't safe but
http://www.herbank.com/login.asp?arhuz.ru/ is okay?

The solution, in my opinion, would be to come up with a new notation that
doesn't break existing RFCs, but that still places the hostname first.

Something like http://www#user:password/path/file.cgi would be safer for the
common user, all they'd have to look at would be the first thing they see
after the http:// to determine if it is trusted.  Unfortunately, the next
step will be http://www.herbank.com.naughty-phish-scheme.com/ where
naughty-phish-scheme is something less suspicious.  Then we'll be right back
to where we started, and we'd still have broken or lost valuable
functionality.

It's probably too late, but rather than removing user:password support
altogether, maybe Microsoft could replace it with a dialog that informs the
user they are about to visit "session-arhuz.ru" with the username
"www.herbank.com", and an appropriate warning about not revealing sensitive
information, blahblahblah?

-- 
Dave Warren,
 Email Address:  dave.warren@...ilsplayground.net
 Cell: (403) 371-3470         Fax: (403) 371-3471
 Toll free: (888) 371-3470 Vonage: (817) 886-0860
 ICQ: 17848192  AIM: devilspgd  Yahoo!: devilspgd
 MSN/PASSPORT:   dave.warren@...ilsplayground.net
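Added example, not part of the original post or of any browser's code: it parses a URL the way a standards-conforming browser does (using the WHATWG `URL` class available in browsers and Node) and shows that the part a user reads first, `www.herbank...`, can be the username rather than the host. It also builds the "you are about to visit X with the username Y" dialog text the post suggests. The domains, paths and credentials are constructed samples on reserved `.example` names; `describeNavigation`, `warningFor` and the hostname-lookalike heuristic are this example's own, not anything a browser ships.

```javascript
// Added example (not from the original post): parse a URL the way a
// browser does and show how userinfo ("user:pass@") can disguise the real
// host.  Uses the standard WHATWG URL class available in browsers and Node.
// All URLs below are constructed samples on reserved .example domains.

// Returns a plain object describing where a URL really leads and whether
// it carries credentials in the authority ("user:pass@host") part.
function describeNavigation(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { valid: false, input: urlString };
  }
  const username = decodeURIComponent(url.username);
  const password = decodeURIComponent(url.password);
  const hasCredentials = username !== "" || password !== "";
  // Heuristic (this example's own): a username that looks like a hostname
  // (dot-separated labels of hostname characters) is the classic
  // "hostname first" deception the post describes.
  const usernameLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
  return {
    valid: true,
    input: urlString,
    host: url.hostname,      // the site that will actually be contacted
    path: url.pathname,
    username,
    hasCredentials,
    usernameLooksLikeHost,
  };
}

// Builds the warning text the post proposes, naming the real host and the
// username separately so the user can tell which is which.  Returns null
// for an ordinary URL with no credentials, since nothing needs warning.
function warningFor(urlString) {
  const d = describeNavigation(urlString);
  if (!d.valid) return `Cannot parse "${urlString}".`;
  if (!d.hasCredentials) return null;
  let msg = `You are about to visit "${d.host}" with the username "${d.username}".`;
  if (d.usernameLooksLikeHost) {
    msg += ` Note: the username looks like a web address; the site you will` +
           ` actually reach is "${d.host}".`;
  }
  return msg;
}

// Constructed samples: a deceptive URL, its harmless look-alike, and a
// legitimate use of credentials in a URL.
const SAMPLES = [
  "http://www.herbank.example:login.asp@phish.example/",   // host hidden behind userinfo
  "http://www.herbank.example/login.asp?phish.example/",   // harmless: the host really is first
  "http://alice:s3cret@intranet.example/reports/",         // legitimate credential use
];

for (const s of SAMPLES) {
  const d = describeNavigation(s);
  console.log(`${s}\n  -> host=${d.host} user=${JSON.stringify(d.username)}`);
  const w = warningFor(s);
  if (w) console.log(`  warning: ${w}`);
}
```

Running it prints, for the first sample, that the host is `phish.example` and the username is `www.herbank.example`, which is exactly the confusion the post is about: the parser is unambiguous, the human reading left to right is not. The second sample resolves to `www.herbank.example` with no credentials and produces no warning, and the third shows that a dialog naming host and username separately leaves ordinary `user:pass@` use intact rather than removing it.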