Full Disclosure mailing list archives
Re: NO-IP service Flaw
From: Valdis.Kletnieks () vt edu
Date: Tue, 27 Jan 2009 11:57:51 -0500
On Tue, 27 Jan 2009 00:41:59 GMT, infolookup () gmail com said:
What if you are sniffing the traffic for any http session the information is submitted in clear text.
If you're traffic sniffing, you'll see the data whether it's GET or POST. The distinction becomes important for things like http proxies and things that log/remember URLs - it's somewhat bad form to leave a userid/password sitting right there in the browser 'recent URLS' list or in a logfile someplace. If you're passing the data in the URL, at best it can be obfuscated and reversed fairly easily (unless you've got enough Javascript to pop open a dialog window and use an entered value as a salt for encrypting before transmission).

Yes, the proper thing to do here is a POST over https.

Personally, I'm surprised that a frikking *domain registrar* is that clueless about basic security (the *biggest* issue in what would otherwise be a pretty minor vulnerability). Or maybe I'm not, actually.. I wonder what *else* they got wrong?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
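Added example, not part of the original message or of any project's code: a small audit pass over web server or proxy access logs that flags requests carrying credentials in the URL query string and redacts the values, which is the log and history exposure the reply describes for GET. The parameter names, the `/update` path and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credentials (assumed list; extend per application).
SENSITIVE = {"password", "pass", "passwd", "pwd", "username", "user", "userid", "login"}

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, sorted names of sensitive parameters found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            found.add(key.lower())
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return target, []
    # urlencode re-encodes the remaining values; only the query string changes.
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan_line(line):
    """Return (line_safe_to_store, finding); finding is None if nothing leaked."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None
    redacted, names = redact_target(m.group("target"))
    if not names:
        return line, None
    safe = line[:m.start("target")] + redacted + line[m.end("target"):]
    finding = {"method": m.group("method"),
               "path": urlsplit(redacted).path,
               "params": names}
    return safe, finding

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jan/2009:11:57:51 -0500] "GET /update?username=alice%40example.org&pass=s3cr3t&host=h.example.net HTTP/1.1" 200 12',
    '192.0.2.10 - - [27/Jan/2009:11:58:02 -0500] "POST /update HTTP/1.1" 200 12',
    '192.0.2.11 - - [27/Jan/2009:11:58:40 -0500] "GET /index.html?lang=en HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for safe, finding in map(scan_line, SAMPLE_LOG):
        print(safe, "<-- credentials in URL" if finding else "")
```

The POST line passes clean because its body never reaches the access log; that says nothing about exposure on the wire, which only https addresses.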