Bugtraq mailing list archives

Re: Authorize.net calls passwords in clear text as part of url


From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Thu, 3 Aug 2000 15:52:26 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 2:34 PM -0400 8/2/00, John Hennessy wrote:
> After some looking around I found that Netscape's netscape.hst file could
> be searched for "minterface.dll" with a text editor. It also contains the
> login and password in clear text.

Passwords in the clear are a bad, bad idea.   In a URL is worse.
A POST instead of a GET would be okay, given that this is an HTTPS
connection.  It would take it out of the history file.  It would also
avoid the REFERER problem (where after going to that site with the
password in the URL, you type in a new URL and go there--at times
that will result in entering the login and password into the new
site's logs as being the Referring site).  And of course it would
take care of anyone who was packet sniffing.

I would apply more pressure on them to fix this.
- --

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects
Now playing:  http://www.somewhere.com/playlist.cgi

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOYnNsCZsPfdw+r2CEQIMOQCgrKe/fEgjyVs/4pfxyVvD2AoQbz4AoILR
c4Nc7vsbZGnfLyGcX99j7idd
=iSOZ
-----END PGP SIGNATURE-----
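The history-file and Referer leaks described above are easy to check for on the receiving side. The following is an added example, not code from the thread or from Authorize.net: it scans web server access logs in the common "combined" format for credentials carried in a request URL or in the Referer header, and shows how to redact such values before they are written to a log. The parameter list, the host name gateway.example and the log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never travel in a URL (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "login", "secret", "token"}

# Apache/nginx "combined" log format: the request line and the Referer are
# both present, so a credential can show up in either field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def sensitive_params(url):
    """Return the sorted names of sensitive query parameters in a URL or path."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def scan_log(lines):
    """Flag log lines whose request URL or Referer carries credentials.
    Returns a list of (line_no, field, param_names) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("path", "referer"):
            found = sensitive_params(m[field])
            if found:
                findings.append((n, "request" if field == "path" else "referer", found))
    return findings

def redact(url):
    """Blank the values of sensitive query parameters so the URL can be logged safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

# Constructed sample: a GET login with credentials in the query string, a later
# visit to another page that carries that URL as its Referer, and a clean POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2000:15:52:26 -0400] "GET /cgi-bin/minterface.dll?login=alice&password=hunter2 HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
    '10.0.0.5 - - [03/Aug/2000:15:53:01 -0400] "GET /index.html HTTP/1.0" 200 1024 "https://gateway.example/cgi-bin/minterface.dll?login=alice&password=hunter2" "Mozilla/4.7"',
    '10.0.0.7 - - [03/Aug/2000:15:54:10 -0400] "POST /cgi-bin/minterface.dll HTTP/1.0" 200 512 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    for line_no, field, params in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credentials in {field}: {', '.join(params)}")
```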

