Full Disclosure mailing list archives
RE: Interesting side effect of the new IE patch
From: "Bill Royds" <full-disclosure () royds net>
Date: Fri, 6 Feb 2004 20:38:32 -0500
NTSC has been the North American television standard since 1945 (it stands for National Television Standards Committee). Where are you saying it is non-standard? It is just that there is more than one group setting standards, as in computers. The IETF sets standards for the Internet. ISO sets standards for X.25 packet switching. If you don't like IETF standards, disconnect now and use X.25 (if you can find it). By your logic, one should never use anything other than Windows since it is the "de facto" standard and never connect to any other network than AOL, since it has a large share of the market.

Standards are agreed to by a standards body, not a single manufacturer nor just common use. Often standards bodies will try to codify common use into a standard. But if the standards body is doing its job, it will find unsafe usage (such as the userinfo@ convention) and delete it from the published standard. Standards often reach an end of lifetime because they are inadequate for later technology. Are you still using leaded gasoline in your car because it was once the standard? Microsoft saw the error of their deviation from the standard and has fixed it. The world changes. Get over it.

Oh yes, in a number of jurisdictions, it is now illegal to have a cell phone connected while driving. People own up to mistakes and fix them. Will you?

Headers allow the transmittal of authentication information at initial call, allowing pre-programmed information rather than the returned error code and then authentication of BasicAuth. It covers the only possible legitimate use of the userinfo@host syntax.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Stefan Esser
Sent: February 6, 2004 1:49 PM
To: Bill Royds
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Interesting side effect of the new IE patch
> Any browser that allows an HTTP URL with an @ sign in it is buggy and
> should be fixed.

Blablabla. Anyone who bought an NTSC TV should give it back, because it was not the standard at the time it was introduced.

> HTTP URLs are not RFC compliant if they have the user:password@host syntax.

Yes, and? Any car vendor who builds a phone into the car is also adding a feature which could compromise security, because the statistics say that when you phone while driving you more often produce crashes. And correct me if I am wrong, but I do not see "phone" in the official definition of a car. So whoever added a phone to his cars first is obviously a very, very bad guy. How is the car example different from HTTP URLs? Microsoft added a feature to the HTTP URLs. This is the way they work. They change standards into what they like. You may like that or not, but you absolutely CANNOT say that a browser that implements this feature is buggy. Because it isn't. It just has a feature that is not covered by the standard. If humans were only allowed to perform actions which are written down in some standard and not "improve" or change the way they act, we would not have any inventions anymore. You may like it or not. It was maybe braindead or not to add this feature. BUT you simply cannot call it a bug, because it was implemented into the browsers on purpose and not by accident (well, maybe with IE as an exception).

> Microsoft fixed their bug and you are complaining about a bug and
> vulnerability fix because it removes some exploits.

Where am I complaining about Microsoft fixing the 0x01 vulnerability?

> Microsoft finally did the right thing and fixed their browsers. How long
> do you think it will take for Mozilla and Opera and Safari to change as well?

Yeah, we will see if the world is full of RFC compliant geeks.

> The only thing that should be done for legitimate programmed uses of an
> account and password is to add HTTP headers to the RFC (RFC 2616) to
> allow Username, authentication type and password.
>
> USERNAME:DumbLuser
> Authentication-type:plainText
> Password:foolish

How would that be different from BasicAuth? And I hope your argument is not that the password is not transferred in plain text with BasicAuth...

Stefan

--
--------------------------------------------------------------------------
Stefan Esser s.esser () e-matters de
e-matters Security http://security.e-matters.de/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift: http://wishlist.suspekt.org/
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
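The exchange above turns on what `user:password@host` in an HTTP URL actually carries. As an added illustration (not code from either poster), the Python below uses the standard library's `urllib.parse` to show the host a client really connects to, the RFC 2617 Basic header the same credentials would produce, and a defender's check that flags userinfo which looks like a host name or contains percent-encoded control characters. The sample URLs are constructed; only the `DumbLuser`/`foolish` values come from the thread.

```python
import base64
import re
from urllib.parse import urlsplit

# Percent-encoded C0 control characters (%00-%1f) inside the userinfo
# part; the "0x01" display bug the thread refers to lived in this space.
_CTRL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")


def basic_auth_header(username, password):
    """RFC 2617 Basic credentials are just base64(user:pass), not encryption,
    so they are as exposed on the wire as the same pair written in the URL."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def inspect_url(url):
    """Summarise what an http(s) URL using userinfo@host really says.

    Returns the host a client would actually connect to (the part after '@'),
    the userinfo preceding '@', the Basic header those credentials would
    become, and a flag when the userinfo looks like a host name or carries
    encoded control characters (the look-alike pattern the IE patch removed).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs are handled here")
    user = parts.username or ""
    password = parts.password or ""
    looks_spoofed = ("." in user) or bool(_CTRL_ESCAPE.search(user))
    return {
        "real_host": parts.hostname,
        "userinfo": user,
        "basic_auth": basic_auth_header(user, password) if user else None,
        "looks_spoofed": looks_spoofed,
    }


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    for sample in (
        "http://DumbLuser:foolish@intranet.example/report",
        "http://www.bank.example@evil.example/login",
        "http://admin%01@evil.example/login",
    ):
        print(sample, "->", inspect_url(sample))
```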