lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: dufresne at (Ron DuFresne)
Subject: Apparently the practice was prevalent


> As Valdis said earlier, user:password@...e is a DE FACTO standard. It
> goes against the RFC? Well, get over it. Such is life. It has not been
> the first time, and it will not be the last one. What defines a
> de facto standard is prevalence of use. Nobody can argue that the IE
> browser is not prevalent...

These 'defacto' standards you mention are more often refered to as
'undocumanted features', most referenced with the information that in
being undocumented features, that they should be avoided, as they may well
prove not to be in the next version upgrade of the application.  At best
M$ IE and the other broswer vendors should have clearly stated this, some
may well have.

> Is it a Real Bad Idea? Yes, certainly. Should it be used? No. But,
> still, MS implemented it, and promoted it's use. Now, due to their
> inability to fix OTHER problems, they took it out. Finally -- from a
> security point of view, I am really glad.  But it was still a  (de
> facto) standard, still a standard, still a standard.
> So obviously there are people out there that will have to scramble to
> get their things back working. After all, MS suddenly took it out...
> and, also expected, MS would have to provide a backdoor. We can just
> hope that a future fix will take it out for once and for all.

Whew!  at least the content here proves here that this is not another
whine about an unsafe practise which florished now being discarded for
it's unsafe potentials is a bad thing<TM> for M$ to have finally dealt

As for whose to blame by all those corp sites that now have to be redone,
lazy webadmin/site designers that took an unsafe shortcut with
undocumented features that they should have known better then implimenting
in the first place.  So, so companies might need to ask for refunds for
the sites they had designed so poorly by contractors and or employees.
And it certainly means alot of web designers are now 'fixing' things off
the books with no reimbersment.  Bummer, such is life when one heeds not
the standards, and attempts a shortcut with security implications.


Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Powered by blists - more mailing lists