Vulnerability Development mailing list archives

Re: Remembering Passwords in IE


From: dom () DEVITTO COM (Dom De Vitto)
Date: Tue, 4 Apr 2000 19:37:21 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Unfortunately https doesn't help any either, because IE doesn't
rigorously enforce that a site and its certificate match.

Netscape at least prompts you, but gives you a checkbox for
"don't ask this again"....doh!

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                  Secure Technologies Ltd
mailto:dom () devitto com                             Mob. 07971 589 201
http://www.devitto.com                             Tel. 01202 738 767
PGP: http://www.devitto.com/pgpkey.asc             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- -----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Bluefish
Sent: Sunday, April 02, 2000 9:08 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Remembering Passwords in IE

Mikeal, we are discussing two different topics. Agreed, the best fix is to
simply choose not to use password remembering, but what actually was
discussed was (if I understood the thread correctly) that

   http://www.test.com/~foo
   http://www.test.com/~bar

will 'remember' the same password if authName is the same. Actually, it is
worse, if you send password to ~foo, it will be sent automatically to ~bar
as soon as you try to access them. My mail was addressing that issue and
discussed it. What I meant couldn't be fixed on clientside was to determine
whether ~bar actually has the same webmaster as ~foo as long as the httpd
allowed the webmasters to set up the same authName.

> *ahem* You're completely forgetting about sniffing passwords
> off the wire and DNS poisoning. This should be fixed in the
> browser, and the correct fix is to nuke all password caching.

That is *far* from a fix. If you assume that attacker is poisoning your
DNS (or doing DNS hijacking or whatever), it seems fairly reasonable the
attacker also has the means to wget your site and mirror it on the
fraudulent system. Alas, the user will enter the password even if IE
doesn't remember it. If you intend to protect your system against that
kind of attacks, the use of authentication and encryption (https) should be a
minimum.

And the same goes for protection against sniffing.

> If there's a feature that makes life easier for Joe User, he
> will use it, with no concern for security simply because he
> didn't know there was a concern in the first place.

Agreed. I'm not saying password caching is good, it's quite bad
(especially if you cannot provide 24h/d supervision of your
workstation). That was pointed out when IE was released, but apparently
the market demand for the function was so big that MS chose to ignore the
need to remove the option.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
Comment: Public key available from certserver.pgp.com

iQA/AwUBOOo2YH8ZJe4Z69ciEQL76ACgzAOVD9sCJFAyj0XB1YegsSkXi10AoLXL
YnXi/rrBaiRXXC28CVfZ4qYW
=4/1f
-----END PGP SIGNATURE-----

text/x-vcard attachment: Domenico_De_Vitto.vcf
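
A server-side audit for the situation described in the quoted message (two ~user directories on one host presenting the same authName), as an added example that is not part of the original thread: it groups Basic authentication challenges by origin and realm and reports realms shared by more than one directory owner. The probe data is constructed, and the `owner_of` rule (one owner per ~user directory) and the restriction to Basic challenges are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL probed, WWW-Authenticate header returned with the 401).
SAMPLE_CHALLENGES = [
    ("http://www.test.com/~foo/private/", 'Basic realm="Members"'),
    ("http://www.test.com/~bar/admin/", 'Basic realm="Members"'),
    ("http://www.test.com/~baz/", 'Basic realm="baz files"'),
    ("http://www.test.com/~foo/docs/", 'Basic realm="Members"'),
    ("http://other.test.com/~bar/", 'Basic realm="Members"'),
    ("http://www.test.com/~qux/", 'Digest realm="Members", nonce="abc"'),
]

_BASIC = re.compile(r'^\s*Basic\s+(.*)$', re.I)
_REALM = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.I)

def basic_realm(header):
    """Return the realm of a Basic challenge, or None for any other scheme."""
    challenge = _BASIC.match(header)
    if not challenge:
        return None  # e.g. Digest: out of scope for this audit (assumption)
    realm = _REALM.search(challenge.group(1))
    if not realm:
        return None
    return realm.group(1) if realm.group(1) is not None else realm.group(2)

def owner_of(path):
    """Hypothetical ownership rule: a leading ~user segment names the owner."""
    first = path.lstrip("/").split("/", 1)[0]
    return first if first.startswith("~") else "(site)"

def realm_collisions(challenges):
    """Map (origin, realm) -> sorted owners, only where several owners share it."""
    owners = defaultdict(set)
    for url, header in challenges:
        realm = basic_realm(header)
        if realm is None:
            continue
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.netloc.lower()}"
        owners[(origin, realm)].add(owner_of(parts.path))
    return {key: sorted(who) for key, who in owners.items() if len(who) > 1}

if __name__ == "__main__":
    for (origin, realm), who in realm_collisions(SAMPLE_CHALLENGES).items():
        print(f"{origin} realm {realm!r} is shared by: {', '.join(who)}")
```
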

