| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: Apparently the practice was prevalent [SNIP] > > As Valdis said earlier, user:password@...e is a DE FACTO standard. It > goes against the RFC? Well, get over it. Such is life. It has not been > the first time, and it will not be the last one. What defines a > de facto standard is prevalence of use. Nobody can argue that the IE > browser is not prevalent... > These 'defacto' standards you mention are more often refered to as 'undocumanted features', most referenced with the information that in being undocumented features, that they should be avoided, as they may well prove not to be in the next version upgrade of the application. At best M$ IE and the other broswer vendors should have clearly stated this, some may well have. > Is it a Real Bad Idea? Yes, certainly. Should it be used? No. But, > still, MS implemented it, and promoted it's use. Now, due to their > inability to fix OTHER problems, they took it out. Finally -- from a > security point of view, I am really glad. But it was still a (de > facto) standard, still a standard, still a standard. > > So obviously there are people out there that will have to scramble to > get their things back working. After all, MS suddenly took it out... > and, also expected, MS would have to provide a backdoor. We can just > hope that a future fix will take it out for once and for all. > Whew! at least the content here proves here that this is not another whine about an unsafe practise which florished now being discarded for it's unsafe potentials is a bad thing<TM> for M$ to have finally dealt with. As for whose to blame by all those corp sites that now have to be redone, lazy webadmin/site designers that took an unsafe shortcut with undocumented features that they should have known better then implimenting in the first place. So, so companies might need to ask for refunds for the sites they had designed so poorly by contractors and or employees. And it certainly means alot of web designers are now 'fixing' things off the books with no reimbersment. Bummer, such is life when one heeds not the standards, and attempts a shortcut with security implications. Thanks, Ron DuFresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists