From: rgerhards at hq.adiscon.com (Rainer Gerhards)
Subject: Interesting side effect of the new IE patch

> From: Stefan Esser [mailto:s.esser@...atters.de] 
> I wonder why so many people are just blind of hatred when the topic is
> Microsoft. 

The topic is NOT Microsoft. It is the violation of a standard with big
security implications. Could we, just for a short moment, turn our view
to all those systems that process and log the URL? It's "nice" to
see all those userids and passwords in proxy logs, for example.

I agree that RFCs need to be developed. Actually they are. If you don't
like what you see, I invite you to search for the relevant list at
www.ietf.org and throw in your thoughts. If they are carefully crafted
and fairly weighted, you will find them back in an RFC ;)

I think, however, that the current trend in protocol design is not to
loosen security but to tighten it...

> It is not a secret that I dislike Microsoft, but I am not
> blind of hatred like you obviously are. All standard browsers support
> the http://username:password@... . THIS makes it a standard, no matter
> what the bloody RFC writes. The majority of people liked adding
> username:password to the URL, so it was implemented into all browsers
> and became a standard. That the RFC was not updated is not the fault
> of Microsoft. 

Actually, it was. The IETF works like this: join the mailing list, make
yourself heard. If nobody accepts your changes, your argument was
obviously bad. Microsoft knows this, they have worked on more than a
single RFC. So, sorry, this actually is Microsoft's fault...

> If the community had not accepted this as standard it
> would not be in other browsers (like mozilla), too.

That's actually a good point.... but as it looks, only Mozilla does
this. Could it be that they simply tried to follow Microsoft in a
desperate attempt not to lose market share? Actually I have no idea.
Honestly, I don't care. But I am glad we are seeing a trend back towards
standards.

The Internet has become a dangerous world, so I think it is not
necessary to throw in an extra set of non-standards-compliant,
deliberate insecurity...

Rainer
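The message above makes the practical point that a http://user:password@host/ URL, once a browser accepts it, travels through every proxy and web server that records the request URL and ends up in their logs. The following Python script is an added example (editor's code, not part of the original message or of any project mentioned in it) showing that leak and one mitigation on the logging side: the access-log lines, hostnames, usernames and passwords are constructed for the example, and the "REDACTED" placeholder is an arbitrary choice.

```python
"""Find and redact user:password@ credentials in URLs before they are logged.

Added example (not from the original list message). The sample access-log
lines below are constructed for this example; the hosts, users and
passwords in them are made up.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries in a common proxy access-log style.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Feb/2004:12:00:00 +0000] '
    '"GET http://alice:s3cret@www.example.com/index.html HTTP/1.0" 200 512',
    '10.0.0.6 - - [01/Feb/2004:12:00:01 +0000] '
    '"GET http://www.example.com/page.html HTTP/1.0" 200 1024',
    '10.0.0.7 - - [01/Feb/2004:12:00:02 +0000] '
    '"GET http://www.example.com/login?x=1 HTTP/1.0" 200 768',
]

# Matches a URL token inside a log line (scheme "://" up to whitespace or a quote).
URL_RE = re.compile(r'[A-Za-z][A-Za-z0-9+.-]*://[^\s"\'<>]+')


def has_userinfo(url):
    """True if the URL's authority carries a user or user:password component."""
    try:
        return urlsplit(url).username is not None
    except ValueError:
        # Unparseable authority (e.g. a broken IPv6 literal): be conservative
        # and treat any '@' in the authority as embedded credentials.
        authority = url.split("://", 1)[-1].split("/", 1)[0]
        return "@" in authority


def redact_userinfo(url, placeholder="REDACTED"):
    """Return the URL with 'user:pass@' replaced by 'REDACTED@'.

    Host and port are kept verbatim so the log entry still identifies the
    target; the placeholder keeps the '@' so a later analyst can still count
    requests that carried credentials.
    """
    if not has_userinfo(url):
        return url
    parts = urlsplit(url)
    # Everything after the last '@' in the authority is host[:port].
    _, _, hostport = parts.netloc.rpartition("@")
    netloc = "%s@%s" % (placeholder, hostport)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scrub_log_line(line):
    """Redact the userinfo of every URL found in one log line."""
    return URL_RE.sub(lambda m: redact_userinfo(m.group(0)), line)


def scrub_log(lines):
    """Scrub a sequence of log lines.

    Returns (scrubbed_lines, hits) where hits is the number of lines that
    carried credentials in a URL, which is itself a useful signal of which
    clients still send them.
    """
    scrubbed, hits = [], 0
    for line in lines:
        clean = scrub_log_line(line)
        if clean != line:
            hits += 1
        scrubbed.append(clean)
    return scrubbed, hits


if __name__ == "__main__":
    out, hits = scrub_log(SAMPLE_LOG_LINES)
    for line in out:
        print(line)
    print("%d of %d lines carried URL-embedded credentials" % (hits, len(out)))
```

The redaction happens on the URL's authority only, so a path like /@alice or a query string containing an "@" is left alone; run it on a real log file by feeding its lines to scrub_log. The proper fix remains not to send credentials in the URL at all, which is the standards point the message argues; this only limits the damage on systems that already have such requests in their logs.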
