Full Disclosure mailing list archives
Re: Interesting side effect of the new IE patch
From: Stefan Esser <s.esser () e-matters de>
Date: Fri, 6 Feb 2004 19:28:18 +0100
Hi again,

On Fri, Feb 06, 2004 at 05:01:21PM +1300, Nick FitzGerald wrote:

> Hmmmmm, a security researcher employed by a web development company advocating the use of non-standards compliant features that have obvious security concerns...

Ohh yeah. As if a part time job has anything to do with my opinion. And I haven't advocated non standard compliant features. I just said that people using it, people implementing it into their browser make it a standard, no matter what your opinion is, or what the RFC writes.

Again NTSC was explicitly not the standard for color television, but the inventor did not give up after his first try failed and simply worked against the standard and so NTSC became the standard, no matter that the other system was better or not. (Ohh yeah we should really get rid of NTSC, luckily I live in PAL land)

You may like it or not, HTTP URLs with username:password became a standard with IE 3.0. You should have raised your voice years ago against it but you have not. Now it is a widely used feature and it is more than arrogant to say that people who use it are dumb because they use something that is everywhere supported but is forbidden by some RFC.

Security concerns:

a) people write passwords into their URLs (valid point) (but if they cannot write it into URLs they will store it into IE password remembering function or attach some notes to their monitor, so removing this feature has NOT improved security)

b) people are too dumb to recognise that this is not part of the real URL. (This is NOT a valid point because then we have to remove the possibility to send files attached to emails, because people are dumb enough to open virus executables)

Well according to your logic, people should learn about IE first and if they are too dumb to know that this is not part of the real URL they deserve to lose money. Which is exactly your argumentation against people who violated the law which you see defined in RFCs.

> How odd!

Yes how odd.

Stefan

--
--------------------------------------------------------------------------
Stefan Esser                                        s.esser () e-matters de
e-matters Security                         http://security.e-matters.de/
GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html