Re: Remembering Passwords in IE

[11a () GMX NET (Bluefish)]

Well to begin with, I think the discussions have shown that with a clever
attack it should be very possible to fool the avarage user. Then it looks
like there are browser setups/versions which are insanly weird with their
handling of https errors, which should ease an attack if the users setup
is known & can be tested securely (which is a fact in a lot of companies)

> IE *doesn't* display the pages on https://www-test.whaver.com
> but Netscape (4.6) does pop up a box as I said.
> Interestingly, IE doesn't complain, it just shows a blank page.

Sigh, how sadly. Try and download the latest versions on a new computer
and see if it's fixed. Otherwise you should contact Netscape/Microsoft
about this I think. But, what kind of certificate is this? Who is the
is it?

I mean, if it's issued www.whaver.com, it's insanly that this goes through
Netscape check. If it's *.whaver.com, it's strange that IE doesn't warn.
Also, this wildcard support sounds dangerous to me. Sounds like a bad
security practice to use the same cert on different sites.

Another thingy that someone said something about was weather you trusted
issuers 100% about not issuing wildcards. Schneier's made similar points
regarding issuers in cryptogram. As I see it, people semi-aware of https
tends to trust certified systems more than uncertified. But how much
bribes/risks are bad guys ready to give/take to get a certification of * ?
(that's _any_ site)

Would a worker at a certification issuer do the crime if offered more
money than he earned before in his entrie life? And what would the price
of this certificate be among professional crimminals?

Anyone here have any knowledge of if current certification system in
use for https has the ability to *revoke* issues and/or issuers?

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team