Full Disclosure mailing list archives
Re: Plain Text Password Disclosure vulnerability in rediff mail
From: D-vice <lord.x86 () gmail com>
Date: Fri, 11 Sep 2009 12:23:17 +0200
you the fuckard that got owned LULz

On Fri, Sep 11, 2009 at 2:36 AM, Dan Kaminsky <dan () doxpara com> wrote:

> Beyond that, most web applications that do use SSL still forget to set their cookies to secure (see http://fscked.org/blog/incomplete-list-alleged-vulnerable-sites ). Not to mention the hordes of sites that have SSL logins off HTTP pages. Even the oft-repeated "well, the attacker won't get the plaintext password" claim falls to the attacker who inserts some screen or keyboard sniffing JS into the login page.
>
> That being said, there probably is some class of attacker that can only do passive monitoring as opposed to active interception. But it's not exactly a quantization to hang one's hat on.
>
> On Thu, Sep 10, 2009 at 5:36 PM, awf awf <lol-wut-hurr () live com> wrote:
>
> > And? Every web application sends passwords as plain text unless they are using SSL. Pretty much any "encryption" that they may do client side that isn't SSL is meaningless. I hardly see how being able to sniff passwords from a site that isn't using SSL is big news.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
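The two defensive checks Kaminsky's quoted message implies (session cookies set over SSL without the Secure attribute, and login forms served from HTTP pages even when they post to HTTPS) can be audited mechanically. The following is an added example written for this archive page, not code from any participant in the thread or from the site under discussion; the `Set-Cookie` header values and the `example.test` URLs are constructed sample input.

```python
"""Audit Set-Cookie headers and login-page scheme for the weaknesses
described above: missing Secure/HttpOnly attributes, and a login form
delivered over plain HTTP (where injected JS can capture keystrokes
before the form ever posts to HTTPS).

Added example; the header values and URLs below are constructed, not
observed from any real site.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attr_lowercase: value}).

    Flag attributes such as Secure and HttpOnly have no '=' and map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Return one finding per cookie that lacks Secure or HttpOnly.

    A cookie without Secure will be sent by the browser over any later
    plain-HTTP request to the same host, exposing the session to a
    passive sniffer even if the login itself used SSL.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


def login_page_is_protected(page_url: str, form_action: str) -> bool:
    """True only if BOTH the page carrying the form and the form's
    (resolved) action URL are https.

    An https action on an http page is the "SSL login off an HTTP page"
    case: an active attacker can rewrite the page before submit.
    """
    page_scheme = urlparse(page_url).scheme.lower()
    action_scheme = urlparse(urljoin(page_url, form_action)).scheme.lower()
    return page_scheme == "https" and action_scheme == "https"


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    "sid=1234abcd; Path=/; HttpOnly",          # session cookie, no Secure
    "pref=dark; Path=/; Secure; HttpOnly",     # fully attributed
    "tracker=xyz; Path=/",                     # neither attribute
]


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"cookie {finding.name!r} missing: {', '.join(finding.missing)}")
    print("http page, https action:",
          login_page_is_protected("http://example.test/login", "https://example.test/auth"))
    print("https page, relative action:",
          login_page_is_protected("https://example.test/login", "/auth"))
```

Running it against the constructed headers reports `sid` (missing Secure) and `tracker` (missing both), and marks the http-page/https-action login as unprotected while accepting the all-https case. In a real review, feed it the raw `Set-Cookie` lines from the post-login response rather than hand-written samples.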
Current thread:
- Re: Plain Text Password Disclosure vulnerability in rediff mail awf awf (Sep 10)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Dan Kaminsky (Sep 10)
- Re: Plain Text Password Disclosure vulnerability in rediff mail dramacrat (Sep 10)
- Re: Plain Text Password Disclosure vulnerability in rediff mail D-vice (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Valdis . Kletnieks (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail D-vice (Sep 14)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Dan Kaminsky (Sep 10)
- <Possible follow-ups>
- Re: Plain Text Password Disclosure vulnerability in rediff mail full-censorship (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Valdis . Kletnieks (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail full-censorship (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Rohit Patnaik (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail mrx (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Lincoln Anderson (Sep 11)
- Re: Plain Text Password Disclosure vulnerability in rediff mail Rohit Patnaik (Sep 11)