Vulnerability Development mailing list archives

Re: Remembering Passwords in IE


From: dom () DEVITTO COM (Dom De Vitto)
Date: Wed, 5 Apr 2000 18:35:02 +0100



I've a client that has two sets of systems, live and test.

Live systems are https://www.whatever, test is https://www-test.whatever

Though set up with identical files & certs (just different names)
www-test never spits out any complaints from our browsers....

I think the hostname->cert matching is "optional"...

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                  Secure Technologies Ltd
mailto:dom () devitto com                             Mob. 07971 589 201
http://www.devitto.com                             Tel. 01202 738 767
PGP: http://www.devitto.com/pgpkey.asc             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Bluefish [mailto:11a () gmx net]
Sent: Wednesday, April 05, 2000 1:08 PM
To: Dom De Vitto
Cc: VULN-DEV () SECURITYFOCUS COM
Subject: RE: Remembering Passwords in IE

LOL! Is this really true? (I haven't experimented much in this field).
If it is, what else can you do than have a laugh at commercial "security"?
It would seem that lack of warnings in IE totally renders the use of https
(to protect against fraudulent systems) to a complete waste of time?

Could you please send more details? Using a somewhat new version of IE, I
get the following warnings when trying to access a "snakeoil-certified"
server: 1. issued by a company you don't trust, 2. name of the site does
not match name of certificate. It would be possible to avoid these problems,
you mean, and still use the https protocol? If so, how?

Of course, you could always move the https parts to http. Unless
the entire site is normally available only via https, the average user is
not likely to note the difference...

Unfortunately https doesn't help any either, because IE doesn't
rigorously enforce that a site and its certificate match.

Netscape at least prompts you, but gives you a checkbox for
"don't ask this again"....doh!

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu  
    eleventh alliance development & security team       

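As an added example (not code from this thread or from any browser), here is the hostname check a client is expected to perform before trusting a server certificate, run against the thread's www.whatever / www-test.whatever hosts. The certificate dictionary, its contents and the function names are constructed for illustration; a real client reads these names out of the X.509 subjectAltName extension.

```python
# Added example: RFC 6125-style matching of a requested hostname against the
# DNS names a certificate was issued for. This is the check the thread says IE
# treats as "optional"; skipping it lets any validly signed certificate be
# presented for any hostname. Certificate data below is constructed.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly '*.example.com') covers hostname.
    A wildcard is honoured only as the whole leftmost label and only when at
    least two further labels follow, so '*.com' and 'www*.example.com' never match."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Check hostname against the subjectAltName dNSName entries; fall back to
    the subject CN only when the certificate carries no SAN at all (legacy rule)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans if sans else [cert.get("subjectCN", "")]
    return any(dns_name_matches(n, hostname) for n in names)


# Constructed stand-in for the live server's certificate described in the thread:
# the same cert is copied to the test host, so its names still say www.whatever.
LIVE_CERT = {"subjectCN": "www.whatever",
             "subjectAltName": (("DNS", "www.whatever"),)}


def check_site(hostname: str, cert: dict = LIVE_CERT) -> str:
    """Verdict a careful client should reach before sending anything over TLS."""
    if cert_matches_hostname(cert, hostname):
        return "ok"
    return "MISMATCH: certificate not issued for this host; refuse or warn"


if __name__ == "__main__":
    for host in ("www.whatever", "www-test.whatever"):
        print(host, "->", check_site(host))
```

The live host passes and www-test.whatever is reported as a mismatch, which is exactly the warning the thread notes was missing.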


