Bugtraq mailing list archives
Re: Intacct.com: Multiple bugs at financial services company
From: Rob Mayoff <mayoff () DQD COM>
Date: Wed, 6 Sep 2000 13:43:12 -0500
+---------- On Sep 6, Chris L. Mason said:
| If you use a form-based system to allow logins, what's to stop someone from
| writing a new browser, or modifying an existing one (or using a plug-in,
| or proxy) to automatically re-submit the form every 5 minutes so that the
| user doesn't have to login manually?

Nothing will stop you from doing so. But that is completely irrelevant.

We're not talking about preventing you from writing a client that misbehaves. We're talking about preventing malicious web sites from mounting attacks on other web sites via the client. So we only care about the behavior of clients people actually USE, starting with the most popular clients. Your own custom browser is irrelevant because only you use it, and you've purposely made it less secure.

The goal is to protect the vast, naive majority from cross-site scripting. HTTP authentication makes that difficult, because there's no way to tell the client to time out or forget the authentication data. You can send a 403 Forbidden response, which (in Netscape at least) will make the browser forget its authentication, but then the browser will immediately prompt the user to re-enter his username and password. This will confuse a lot of users, who will very likely re-enter their credentials, leaving themselves logged in.

| I wish companies would focus on providing services as secure as possible at
| their end.

You only control *your* systems, so focus on securing *them*.

| I think if you consider the benefits to yourselves and your customers it
| should be obvious which architecture is better.

The architecture of HTTP authentication, and the current implementations of it, are insufficient for secure services.
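The contrast the message draws, as an added example that is not part of the post or of any Intacct code: a stateless HTTP Basic check that accepts the browser's cached Authorization header forever, beside a form-login session store that the server can idle-expire and explicitly log out. The user table, password, timeouts and the fake clock are constructed for the illustration.

```python
"""Added example: HTTP Basic auth vs. form login with a server-side session.

Basic auth: the browser re-sends the same Authorization header on every
request; the server verifies it statelessly and has no handle with which to
expire or revoke that "login" short of changing the password.
Form login: the server issues an opaque token and keeps the state itself, so
it can enforce idle/absolute timeouts and honour an explicit logout.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed user table (assumption for illustration): user -> PBKDF2 hash.
_SALT = b"constructed-salt-for-the-example"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _hash("correct horse")}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        _hash(password)  # same work for unknown users: no enumeration via timing
        return False
    return hmac.compare_digest(expected, _hash(password))


# --- Architecture 1: HTTP Basic authentication -------------------------------
def basic_auth_request(headers: dict) -> int:
    """Return the HTTP status for a request. Stateless: the cached header keeps
    working until the password changes; nothing can express 'logged out'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    return 200 if check_password(user, password) else 401


# --- Architecture 2: form login with a server-side session -------------------
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def login(self, user: str, password: str):
        """Form POST handler: verify once, mint an opaque random token."""
        if not check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[token] = {"user": user, "created": t, "last_seen": t}
        return token

    def request(self, cookies: dict) -> int:
        s = self._sessions.get(cookies.get("session"))
        if s is None:
            return 401
        t = self.now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[cookies["session"]]   # server-side expiry
            return 401
        s["last_seen"] = t
        return 200

    def logout(self, cookies: dict) -> None:
        """Explicit logout the server can honour; Basic auth has no equivalent."""
        self._sessions.pop(cookies.get("session"), None)


def demo() -> dict:
    """Run both designs through the same timeline on a fake clock."""
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    hdr = {"Authorization": "Basic " + base64.b64encode(b"alice:correct horse").decode()}
    token = store.login("alice", "correct horse")
    r = {"basic_first": basic_auth_request(hdr),
         "session_first": store.request({"session": token})}
    clock[0] += IDLE_TIMEOUT + 1              # user walks away from the terminal
    r["basic_after_idle"] = basic_auth_request(hdr)          # still 200
    r["session_after_idle"] = store.request({"session": token})   # 401
    token = store.login("alice", "correct horse")
    store.logout({"session": token})          # user clicks "log out"
    r["basic_after_logout"] = basic_auth_request(hdr)        # still 200
    r["session_after_logout"] = store.request({"session": token})  # 401
    return r


if __name__ == "__main__":
    print(demo())
```

The cookie-bound token is what the post calls the "form-based system": the server decides when it stops being valid, and a 401 on an expired or logged-out token does not cause the browser to re-prompt with cached credentials, because there are none.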
Current thread:
- Re: Intacct.com: Multiple bugs at financial services company Nagi Prabhu (Sep 05)
- Re: Intacct.com: Multiple bugs at financial services company Jeffrey W. Baker (Sep 05)
- Re: Intacct.com: Multiple bugs at financial services company Chris L. Mason (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Peter W (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Alan DeKok (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Andrew Pimlott (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Aaron Bentley (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Rob Mayoff (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Matt Power (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Chris L. Mason (Sep 06)
- Re: Intacct.com: Multiple bugs at financial services company Ryan Russell (Sep 05)
- <Possible follow-ups>
- Re: Intacct.com: Multiple bugs at financial services company Smith, Eric V. (Sep 07)
- Re: Intacct.com: Multiple bugs at financial services company Jeffrey W. Baker (Sep 05)