| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Feb 2004 11:29:35 -0600 From: "McAllister, Andrew" <McAllisterA@...ystem.edu> To: <bugtraq@...urityfocus.com> Subject: RE: MS to stop allowing passwords in URLs (Summary) Here's a summary of the responses I've received. 1) RFC2616 does not define the user:password@...t scheme specifically for HTTP URL's. Though its use has been supported in most if not all popular browsers until now. 2) Other RFC's do define this scheme in general with the caveat that using this syntax can be a security risk (RFC2396). 3) The behavior can be disabled by setting appropriate registry keys (irrelevant to most users). 4) Disabling this syntax will possibly help protect the less technologically savvy from phishing scams. Points well taken. However: * If it was up to me, I would have simply fixed IE so that the full URL is displayed correctly for good or bad. * The phishing scams will continue regardless of this change. The biggest security hole sits between the keyboard and chair. * Using "Remember my password" as a work-around is NOT good security. * Using cookies for authentication is problematic. Many people turn them off and you can't cross domains with them (well you aren't supposed to be able to). In general, most responders (on and off the list) agree that this change will break some apps, but that it is still a good idea. Andy
Powered by blists - more mailing lists