Open Source and information security mailing list archives
 
From: security at 303underground.com (Scott Taylor)
Subject: Apparently the practice was prevalent

Wouldn't it make sense to accept user@...s, but NOT DISPLAY IT on the
address bar? So even if someone clicks on a shady link, they don't see
http://www.visa.com@...oks.com, they only see http://crooks.com on their
address bar? And with all those miserable encoded characters translated
back to plaintext too. Yeah, I know. Silly idea. Just too bloody obvious
I guess.

On Sun, 2004-02-08 at 12:36, Luke Norman wrote:
> I'm afraid I disagree. Surely it's better to disable by default, but 
> leave it so that it can be turned on if necessary. People argue that 
> Windows needs to be shipped with services turned off, but not removed 
> completely - a virus could turn these services on, but that isn't 
> sufficient cause for removing them. It's a user preference, and if I 
> want to be able to enter URLs in user:pass@...t format, then I should be 
> given the option to do so.
> 
> Luke
--
Scott Taylor - <security@...underground.com> 

BOFH Excuse #429:

Temporal anomaly
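
The display rule proposed in the message above, sketched as an added example that is not part of the original post: the URL is accepted with its userinfo, but the string shown to the user drops it and decodes percent-encoding. The function name `addressBarView` and the `.example` hostnames are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): compute what an address bar
// would display for a URL that may carry user:pass@ userinfo.
function addressBarView(raw) {
  // WHATWG URL parser: throws on invalid input and percent-decodes the
  // host, so "%6Fther.example" is already "other.example" after parsing.
  const u = new URL(raw);

  // Record whether userinfo was present so a UI could also warn about it.
  const hadUserinfo = u.username !== "" || u.password !== "";

  // This object is only the display copy; the caller still holds `raw`
  // if the credentials are needed for the actual request.
  u.username = "";
  u.password = "";

  // Decode the path for display; decodeURI leaves reserved characters
  // such as "/" and "?" encoded, so the URL structure stays unambiguous.
  let path;
  try {
    path = decodeURI(u.pathname);
  } catch (e) {
    path = u.pathname; // malformed escape sequence: show it undecoded
  }

  return {
    display: `${u.protocol}//${u.host}${path}${u.search}`,
    host: u.hostname, // the host the browser will really connect to
    hadUserinfo,
  };
}

// Constructed sample inputs.
const samples = [
  "http://www.bank.example@%6Fther.example/%7Eacct?x=1",
  "http://user:secret@other.example:8080/",
  "https://other.example:8443/a%20b",
];
for (const s of samples) {
  const v = addressBarView(s);
  console.log(`${s}\n  shown as: ${v.display}  userinfo: ${v.hadUserinfo}`);
}
```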

    

