From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Apparently the practice was prevalent

Scott Taylor <security@...underground.com> wrote:

> Wouldn't it make sense to accept user@...s, but NOT DISPLAY IT on the
> address bar? So even if someone clicks on a shady link, they don't see
> http://www.visa.com@...oks.com, they only see http://crooks.com on their
> address bar? And with all those miserable encoded characters translated
> back to plaintext too. Yeah I know. Silly idea. Just too bloody obvious
> I guess.

Let's see...

First, you are proposing that IE have a non-standards compliant 
behaviour re-instated?  That is bad for several reasons already 
discussed.

Second, you are suggesting that IE should hide the fact that there is 
some kind of authentication involved.  That is really stupid as it is a 
sure bet that many clue-deprived web developers (you can read comments 
from some of them in Lemos' article to get an idea of the level of lack 
of care for security they _already_ have) will then see the mechanism 
as _more secure_ "because the user credentials are not displayed". 
These are a similar kind of moron to those web designers who think 
disabling left-click with JavaScript and using those trivial client-
side runtime "decryption" scripts make their web page design tricks 
and/or script code "invisible" to others.

Third, I agree it would be a good idea if all encoded characters that 
can be rendered in the browser's address or status bar as "displayable" 
characters should be rendered thus, rather than left encoded.  AFAIR, that 
is how Mozilla, and I think Opera, already handles such situations.


Regards,

Nick FitzGerald
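As an added illustration of the two points argued above (not part of the thread or of any browser's code): split a URL's authority the way the `http://www.visa.com@crooks.com` example is built, surface the userinfo in a warning rather than hiding it, and percent-decode only displayable, non-delimiter characters for the address-bar view. The names `analyse`, `decode_displayable` and `UrlDisplay` and the sample URLs are my own constructions.

```python
import string
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Delimiters that would change the apparent structure of the URL if decoded
# for display, so they stay encoded even though they are printable ASCII.
RESERVED = set(":/?#[]@%")


def decode_displayable(s: str) -> str:
    """Decode %XX escapes that yield printable, non-delimiter ASCII; keep
    controls, space, non-ASCII and reserved delimiters encoded."""
    out, i, n = [], 0, len(s)
    while i < n:
        if s[i] == "%" and i + 2 < n and all(c in string.hexdigits for c in s[i + 1:i + 3]):
            code = int(s[i + 1:i + 3], 16)
            if 0x21 <= code < 0x7F and chr(code) not in RESERVED:
                out.append(chr(code))
                i += 3
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


@dataclass
class UrlDisplay:
    scheme: str
    userinfo: Optional[str]  # None when the authority carries no credentials
    host: str                # host[:port] the request actually goes to
    display: str             # what an address bar should show
    warning: Optional[str]   # set whenever userinfo is present, never hidden


def analyse(url: str) -> UrlDisplay:
    """Split the authority on its last '@' (assumed WHATWG-style behaviour; RFC 3986
    allows no '@' inside userinfo or host) and build a display form that keeps
    the credentials visible in a warning instead of silently dropping them."""
    parts = urlsplit(url)
    userinfo, hostport = None, parts.netloc
    if "@" in hostport:
        userinfo, hostport = hostport.rsplit("@", 1)
    hostport = hostport.lower()  # host names are case-insensitive
    display = f"{parts.scheme}://{hostport}{decode_displayable(parts.path)}"
    for sep, part in (("?", parts.query), ("#", parts.fragment)):
        if part:
            display += sep + decode_displayable(part)
    warning = None
    if userinfo is not None:
        warning = f"credentials {decode_displayable(userinfo)!r} in URL; request goes to {hostport!r}"
    return UrlDisplay(parts.scheme, userinfo, hostport, display, warning)
```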

