Message-ID: <20040206182818.GA3059@php.net>
From: s.esser at e-matters.de (Stefan Esser)
Subject: Interesting side effect of the new IE patch

Hi again,

On Fri, Feb 06, 2004 at 05:01:21PM +1300, Nick FitzGerald wrote:
> Hmmmmm, a security researcher employed by a web development company 
> advocating the use of non-standards compliant features that have 
> obvious security concerns...

Ohh yeah. As if a part time job has anything to do with my opinion.

And I haven't advocated non-standards-compliant features. I just said
that people using it, people implementing it into their browser,
make it a standard, no matter what your opinion is, or what the
RFC says.

Again, NTSC was explicitly not the standard for color television, but
the inventor did not give up after his first try failed and simply
worked against the standard, and so NTSC became the standard, no matter
whether the other system was better or not.
(Ohh yeah, we should really get rid of NTSC; luckily I live in PAL land)

You may like it or not, HTTP URLs with username:password became a
standard with IE 3.0. You should have raised your voice years ago against
it, but you have not. Now it is a widely used feature and it is more
than arrogant to say that people who use it are dumb because they use
something that is supported everywhere but is forbidden by some RFC.

Security concerns:

a) people write passwords into their URLs  (valid point)
   (but if they cannot write it into URLs they will store it into
   IE password remembering function or attach some notes to their
   monitor, so removing this feature has NOT improved security)

b) people are too dumb to recognise that this is not part of the
   real URL. (This is NOT a valid point, because then we have to
   remove the possibility to send files attached to emails,
   because people are dumb enough to open virus executables.)

   Well, according to your logic, people should learn about IE first,
   and if they are too dumb to know that this is not part of the
   real URL they deserve to lose money. Which is exactly your
   argumentation against people who violated the law which you
   see defined in RFCs.


> How odd!

Yes how odd.

Stefan

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@...atters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------
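The two security concerns listed in the message (passwords written into URLs, and readers mistaking the userinfo part for the real host) both come down to one parsing question: which host does a URL with `user:password@` in its authority actually point to, and what should be stripped before the URL is logged? The following Python example is added here and is not part of the original message or of any IE patch; it uses only the standard-library `urllib.parse`, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (not from the original message). Some carry
# userinfo in the authority, one has an '@' only in its path.
SAMPLE_URLS = [
    "https://example.com/a?x=1",
    "http://www.example.com@example.net/login",      # userinfo looks like a hostname
    "http://alice:s3cret@example.com:8080/app?x=1",  # password embedded in the URL
    "http://example.com/contact@example.org",        # '@' in the path, not the authority
]


def inspect_url(url: str) -> dict:
    """Report the host a client would really connect to and whether the
    authority contains userinfo (RFC 3986 'userinfo@host' form)."""
    parts = urlsplit(url)
    # urlsplit splits the authority on its last '@': everything before it is
    # userinfo, everything after it is host[:port].
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,  # real destination, lower-cased, without userinfo
        "port": parts.port,
        "has_userinfo": parts.username is not None or parts.password is not None,
        "username": parts.username,
        "password_present": parts.password is not None,
    }


def flag_credentialed_urls(urls):
    """Return the URLs whose authority carries userinfo. Useful in a proxy
    log or mail-filter pass to surface URLs that may mislead a reader or
    that expose a password in transit and in logs."""
    return [u for u in urls if inspect_url(u)["has_userinfo"]]


def redact_userinfo(url: str) -> str:
    """Drop the password from a URL's userinfo before it is written to a
    log, keeping the username so the entry is still attributable."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # nothing to redact
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # re-bracket an IPv6 literal
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":[REDACTED]"
    netloc = f"{userinfo}@{host}" if userinfo else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = inspect_url(u)
        print(f"{u}\n  -> host={info['host']!r} userinfo={info['has_userinfo']} logged as {redact_userinfo(u)}")
```

The check keys on `hostname`, which is what the client resolves, rather than on anything a reader sees to the left of the `@`; the fourth sample shows that an `@` in the path does not count as userinfo, so the filter does not raise false positives on mailto-like paths.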

