lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <237265190.20040208130153@comcast.net>
From: hggdh at comcast.net (hggdh)
Subject: Apparently the practice was prevalent

Hello Paul,

Sunday, February 8, 2004, 11:18:17 AM, you wrote:

PS> According to this story, some programmers have been up late "fixing" the
PS> inability to use @ in their urls. :-)  Once company is even proposing
PS> reversing the change (by sending their users a registry update) so they can
PS> continue to use the feature.  Makes you wonder how long it will be before a
PS> virus or worm reverses the registry key so it can use that "feature".

I will bite the hook.

I think we have gone off on a tangent on this MS fix -- as far as I
can understand MS blocked it not because it was not in the RFC, but
because it could be used against people.

And, the point here is that it could be used due to OTHER IE
vulnerabilities.

As Valdis said earlier, user:password@...e is a DE FACTO standard. It
goes against the RFC? Well, get over it. Such is life. It has not been
the first time, and it will not be the last one. What defines a
de facto standard is prevalence of use. Nobody can argue that the IE
browser is not prevalent...

Is it a Real Bad Idea? Yes, certainly. Should it be used? No. But,
still, MS implemented it, and promoted it's use. Now, due to their
inability to fix OTHER problems, they took it out. Finally -- from a
security point of view, I am really glad.  But it was still a  (de
facto) standard, still a standard, still a standard.

So obviously there are people out there that will have to scramble to
get their things back working. After all, MS suddenly took it out...
and, also expected, MS would have to provide a backdoor. We can just
hope that a future fix will take it out for once and for all.

..hggdh..


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ