Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: dom () DEVITTO COM (Dom De Vitto)
Date: Tue, 4 Apr 2000 19:37:21 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately https doesn't help any either, because IE doesn't rigorously enforce that a site and its certificate match. Netscape at least prompts you, but gives you a checkbox for "don't ask this again"....doh!

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                              Secure Technologies Ltd
mailto:dom () devitto com                 Mob. 07971 589 201
http://www.devitto.com                    Tel. 01202 738 767
PGP: http://www.devitto.com/pgpkey.asc    Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Bluefish
Sent: Sunday, April 02, 2000 9:08 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Remembering Passwords in IE

Mikael, we are discussing two different topics. Agreed, the best fix is to simply choose not to use password remembering, but what actually was discussed was (if I understood the thread correctly) that

http://www.test.com/~foo
http://www.test.com/~bar

will 'remember' the same password if authName is the same. Actually, it is worse: if you send the password to ~foo, it will be sent automatically to ~bar as soon as you try to access it. My mail was addressing that issue and discussed it. What I meant couldn't be fixed on the client side was to determine whether ~bar actually has the same webmaster as ~foo, as long as the httpd allowed the webmasters to set up the same authName.
> *ahem* You're completely forgetting about sniffing passwords off the wire and DNS poisoning. This should be fixed in the browser, and the correct fix is to nuke all password caching.
That is *far* from a fix. If you assume that the attacker is poisoning your DNS (or doing DNS hijacking or whatever), it seems fairly reasonable that the attacker also has the means to wget your site and mirror it on the fraudulent system. Alas, the user will enter the password even if IE doesn't remember it. If you intend to protect your system against that kind of attack, the use of authentication and encryption (https) should be a minimum. And the same goes for protection against sniffing.
> If there's a feature that makes life easier for Joe User, he will use it, with no concern for security simply because he didn't know there was a concern in the first place.
Agreed. I'm not saying password caching is good, it's quite bad (especially if you cannot provide 24h/d supervision of your workstation). That was pointed out when IE was released, but apparently the market demand for the function was so big that MS chose to ignore the need to remove the option.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
Comment: Public key available from certserver.pgp.com

iQA/AwUBOOo2YH8ZJe4Z69ciEQL76ACgzAOVD9sCJFAyj0XB1YegsSkXi10AoLXL
YnXi/rrBaiRXXC28CVfZ4qYW
=4/1f
-----END PGP SIGNATURE-----

Attachment: text/x-vcard, Domenico_De_Vitto.vcf
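The ~foo / ~bar behaviour Bluefish describes follows from how HTTP Basic authentication scopes credentials: a client that remembers a password keys it on the protection space (scheme, host, port and realm, i.e. the httpd's authName), and the path of the resource is not part of that key. The following is an added example written for this archive page, not code from any poster or from IE; it models a password-remembering client with a Python credential cache and shows that two user directories on one host which challenge with the same realm share a single cache entry, while distinct realms force a second prompt. The host name www.test.com is the one used in the thread; the realm strings, the user name and the password are constructed for the demo.

```python
# Added example: model of per-protection-space credential caching for HTTP
# Basic auth, as discussed in the thread. Not code from the original posts.
import re
from base64 import b64encode

# Matches the value of a 'WWW-Authenticate: Basic realm="..."' header.
_REALM_RE = re.compile(r'^\s*Basic\s+realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_basic_challenge(www_authenticate):
    """Return the realm from a Basic challenge, or None if it is not Basic."""
    m = _REALM_RE.match(www_authenticate)
    return m.group(1) if m else None


def basic_authorization(user, password):
    """Build the Authorization header value the client sends for Basic auth."""
    token = b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class CredentialCache:
    """Credentials remembered per protection space. The key deliberately
    omits the request path: that is the property the thread is about."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def _key(scheme, host, port, realm):
        return (scheme.lower(), host.lower(), port, realm)

    def remember(self, scheme, host, port, realm, user, password):
        self._store[self._key(scheme, host, port, realm)] = (user, password)

    def lookup(self, scheme, host, port, realm):
        return self._store.get(self._key(scheme, host, port, realm))


def respond_to_challenge(cache, scheme, host, port, path, www_authenticate, ask_user):
    """Decide what the client sends after a 401 on `path`.

    Returns (authorization_header, prompted). `prompted` is True only when the
    cache had nothing for this protection space and `ask_user(host, realm)`
    had to be called. `path` is accepted only to show it plays no part."""
    realm = parse_basic_challenge(www_authenticate)
    if realm is None:
        raise ValueError("not a Basic challenge: " + www_authenticate)
    creds = cache.lookup(scheme, host, port, realm)
    prompted = False
    if creds is None:
        creds = ask_user(host, realm)          # the user types a password
        cache.remember(scheme, host, port, realm, *creds)
        prompted = True
    return basic_authorization(*creds), prompted


def scenario(shared_realm):
    """Two user directories on one host, /~foo/ and /~bar/.

    With a shared realm the password typed for ~foo is replayed to ~bar with
    no prompt; with a distinct realm ~bar triggers its own prompt. Returns
    ((foo_header, foo_prompted), (bar_header, bar_prompted), realms_prompted)."""
    cache = CredentialCache()
    prompts = []

    def ask_user(host, realm):
        prompts.append(realm)
        return ("alice", "s3cret")             # constructed credentials

    foo_challenge = 'Basic realm="members"'
    if shared_realm:
        bar_challenge = 'Basic realm="members"'          # same authName as ~foo
    else:
        bar_challenge = 'Basic realm="members (~bar)"'   # per-directory authName

    foo = respond_to_challenge(cache, "http", "www.test.com", 80, "/~foo/", foo_challenge, ask_user)
    bar = respond_to_challenge(cache, "http", "www.test.com", 80, "/~bar/", bar_challenge, ask_user)
    return foo, bar, prompts


if __name__ == "__main__":
    for shared in (True, False):
        foo, bar, prompts = scenario(shared)
        print(f"shared realm={shared}: ~foo prompted={foo[1]}, ~bar prompted={bar[1]}, "
              f"same header sent to both={foo[0] == bar[0]}")
```

With a shared realm the second request never prompts and carries the identical Authorization value, which is exactly why a ~bar owner who can set the same authName as ~foo receives ~foo's password. Giving each directory its own realm changes the protection space and forces a prompt, but, as Bluefish notes, that only helps if the httpd does not let the directory owners pick the realm string themselves. Real clients are permitted to go further than this model: RFC 2617 allows a client to send the remembered credentials preemptively to any resource under the authenticated directory without waiting for a challenge at all.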
Current thread:
- Re: Remembering Passwords in IE Mikael Olsson (Apr 01)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- Re: Remembering Passwords in IE Mikael Olsson (Apr 02)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 04)
- Re: Remembering Passwords in IE Bluefish (Apr 05)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 05)
- Re: Remembering Passwords in IE Scott Renfro (Apr 06)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- <Possible follow-ups>
- Re: Remembering Passwords in IE Hal Lockhart (Apr 07)
- Re: Remembering Passwords in IE Scott Renfro (Apr 07)
- Re: Remembering Passwords in IE Matthew S. Hallacy (Apr 07)
- Re: Remembering Passwords in IE Bob (Apr 08)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 10)
- Re: Remembering Passwords in IE Bluefish (Apr 11)