Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: 11a () GMX NET (Bluefish)
Date: Tue, 11 Apr 2000 12:33:13 +0200
Well, to begin with, I think the discussions have shown that with a clever attack it should be very possible to fool the average user. Then it looks like there are browser setups/versions which are insanely weird with their handling of https errors, which should ease an attack if the user's setup is known & can be tested securely (which is a fact in a lot of companies).
IE *doesn't* display the pages on https://www-test.whaver.com but Netscape (4.6) does pop up a box as I said. Interestingly, IE doesn't complain, it just shows a blank page.
Sigh, how sad. Try and download the latest versions on a new computer and see if it's fixed. Otherwise you should contact Netscape/Microsoft about this I think.

But, what kind of certificate is this? Who is the is it? I mean, if it's issued to www.whaver.com, it's insane that this goes through Netscape's check. If it's *.whaver.com, it's strange that IE doesn't warn.

Also, this wildcard support sounds dangerous to me. Sounds like a bad security practice to use the same cert on different sites. Another thingy that someone said something about was whether you trusted issuers 100% about not issuing wildcards. Schneier's made similar points regarding issuers in Crypto-Gram.

As I see it, people semi-aware of https tend to trust certified systems more than uncertified. But how much bribes/risks are bad guys ready to give/take to get a certification of * ? (that's _any_ site) Would a worker at a certification issuer do the crime if offered more money than he earned before in his entire life? And what would the price of this certificate be among professional criminals?

Anyone here have any knowledge of if current certification system in use for https has the ability to *revoke* issues and/or issuers?

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
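
The name-matching question raised in this message (a certificate for www.whaver.com versus one for *.whaver.com presented by www-test.whaver.com, and a certificate for a bare *), as an added example that is not part of the original post. It applies the stricter matching rules later written down in RFC 6125; the function name and the policy of requiring two labels after the wildcard are assumptions of this example, not the behaviour of either browser discussed.

```python
def cert_name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "" in p or "" in h:              # empty labels: malformed name
        return False
    if "*" not in pattern:              # ordinary name: exact match only
        return p == h
    # The wildcard must be the entire leftmost label and appear nowhere else,
    # so "w*.whaver.com" and "www.*.com" are refused outright.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Assumed policy: at least two fixed labels after the wildcard, so a
    # certificate for "*" or "*.com" never matches anything.
    if len(p) < 3:
        return False
    # The wildcard stands for exactly one label, never zero and never several.
    return len(h) == len(p) and h[1:] == p[1:]


def host_covered(cert_names, host: str) -> bool:
    """True if any name listed in the certificate covers the requested host."""
    return any(cert_name_matches(name, host) for name in cert_names)


# Constructed cases built from the host names used in the thread.
CASES = [
    ("www.whaver.com", "www-test.whaver.com"),   # cert for a different host
    ("*.whaver.com",   "www-test.whaver.com"),   # one-label wildcard
    ("*.whaver.com",   "a.b.whaver.com"),        # wildcard must not span dots
    ("*.whaver.com",   "whaver.com"),            # wildcard must not match zero labels
    ("*",              "www.whaver.com"),        # the "any site" certificate
    ("*.com",          "whaver.com"),            # wildcard directly under a TLD
]

if __name__ == "__main__":
    for pattern, host in CASES:
        verdict = "accept" if cert_name_matches(pattern, host) else "REJECT"
        print(f"{pattern:16} presented for {host:22} -> {verdict}")
```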