Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: dom () DEVITTO COM (Dom De Vitto)
Date: Wed, 5 Apr 2000 18:35:02 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've a client that has two sets of systems, live and test.
Live systems are https://www.whatever, test is https://www-test.whatever

Though set up with identical files & certs (just different names), www-test never spits out any complaints from our browsers....

I think the hostname->cert matching is "optional"...

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                            Secure Technologies Ltd
mailto:dom () devitto com               Mob. 07971 589 201
http://www.devitto.com                  Tel. 01202 738 767
PGP: http://www.devitto.com/pgpkey.asc  Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- -----Original Message-----
From: Bluefish [mailto:11a () gmx net]
Sent: Wednesday, April 05, 2000 1:08 PM
To: Dom De Vitto
Cc: VULN-DEV () SECURITYFOCUS COM
Subject: RE: Remembering Passwords in IE

LOL! Is this really true? (I haven't experimented much in this field). If it is, what else can you do than have a laugh at commercial "security"? It would seem that lack of warnings in IE totally renders the use of https (to protect against fraudulent systems) a complete waste of time?

Could you please send more details? Using a somewhat new version of IE, I get the following warnings when trying to access a "snakeoil-certified" server:

1. issued by a company you don't trust,
2. name of the site does not match name of certificate.

It would be possible to avoid these problems, you mean, and still use the https protocol? If so, how?

Of course, you could always move the https parts to http. Unless the entire site is normally available only via https, the average user is not likely to note the difference...

Unfortunately https doesn't help any either, because IE doesn't rigorously enforce that a site and its certificate match. Netscape at least prompts you, but gives you a checkbox for "don't ask this again"....doh!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
Comment: Public key available from certserver.pgp.com

iQA/AwUBOOt5RX8ZJe4Z69ciEQI59QCdFf+v2BqteM/elkHKYoQroGVoAhkAnjik
oIlRMHV/5jvIsCO3bosh2mk6
=I20h
-----END PGP SIGNATURE-----

text/x-vcard attachment: Domenico_De_Vitto.vcf
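
The hostname-to-certificate matching discussed in this message, as an added example that is not part of the original post or of any browser's code: a strict matcher a client can apply to the names in a server certificate. The `whatever.example` hostnames and the three certificates are constructed sample data, and the wildcard policy is an assumption of this sketch.

```python
# Added illustration. Certificate dicts use the layout returned by
# ssl.SSLSocket.getpeercert(); every name below is constructed sample data.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "*" in hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if "*" in pattern:
        # Strict policy (assumption of this example): the wildcard must be the
        # whole leftmost label and the name needs at least three labels, so
        # "w*.whatever.example" and "*.example" are both refused.
        if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]) or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_names(cert: dict) -> list:
    """dNSName SAN entries; subject CN only when no dNSName SAN exists
    (the legacy rule; many current clients ignore the CN entirely)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def verify_hostname(cert: dict, hostname: str) -> bool:
    """True only if some name in the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names(cert))

# Constructed certificates: live-only, wildcard, and CN-only (no SAN).
LIVE_CERT = {"subject": ((("commonName", "www.whatever.example"),),),
             "subjectAltName": (("DNS", "www.whatever.example"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.whatever.example"),),),
                 "subjectAltName": (("DNS", "*.whatever.example"),)}
LEGACY_CERT = {"subject": ((("commonName", "www.whatever.example"),),)}

if __name__ == "__main__":
    for host in ("www.whatever.example", "www-test.whatever.example"):
        for label, cert in (("live", LIVE_CERT), ("wildcard", WILDCARD_CERT)):
            print(f"{host:28} {label:9} {verify_hostname(cert, host)}")
```

Python's `ssl.create_default_context()` already enables hostname checking (`check_hostname` is `True`), so a matcher like this is for auditing certificates or understanding the rule rather than replacing the library check.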
Current thread:
- Re: Remembering Passwords in IE Mikael Olsson (Apr 01)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- Re: Remembering Passwords in IE Mikael Olsson (Apr 02)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 04)
- Re: Remembering Passwords in IE Bluefish (Apr 05)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 05)
- Re: Remembering Passwords in IE Scott Renfro (Apr 06)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- <Possible follow-ups>
- Re: Remembering Passwords in IE Hal Lockhart (Apr 07)
- Re: Remembering Passwords in IE Scott Renfro (Apr 07)
- Re: Remembering Passwords in IE Matthew S. Hallacy (Apr 07)
- Re: Remembering Passwords in IE Bob (Apr 08)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 10)
- Re: Remembering Passwords in IE Bluefish (Apr 11)