Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: dom () DEVITTO COM (Dom De Vitto)
Date: Mon, 10 Apr 2000 21:01:25 +0100
Oops, further checking with colleagues showed:

IE *doesn't* display the pages on https://www-test.whaver.com but Netscape (4.6) does pop up a box as I said.

Interestingly, IE doesn't complain, it just shows a blank page.

Dom

------------------------------------------------------------
Dom De Vitto
Secure Technologies Ltd
mailto:dom () devitto com
http://www.devitto.com
PGP: http://www.devitto.com/pgpkey.asc
Mob. 07971 589 201
Tel. 01202 738 767
Fax. 08700 548 750
------------------------------------------------------------

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Bob
Sent: Saturday, April 08, 2000 3:33 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Remembering Passwords in IE

Thawte issues wildcard certs for $500US.

Bob Madore

Hal Lockhart wrote:

I suspect that anybody who charges by the cert is not going to want to issue you a wildcard cert instead of multiples.

Hal

===========================================================
Harold W. Lockhart Jr.
StorageNetworks, Inc.
100 Fifth Avenue
Waltham, MA 02451
Voice: 781-434-6741
Fax: 781-434-6799
hal.lockhart () storagenetworks com
www.storagenetworks.com
===========================================================

The hostname->subject common name check isn't optional (or shouldn't be and doesn't appear to be on NS and IE5), but both browsers support the use of a '*' wildcard to allow matching multiple machines in a single domain. So a certificate issued to *.example.com would pass the name check for www.example.com, test.example.com, and rogue.example.com.

The version 4 browsers (I haven't tried this lately) would allow the * to be used to mask out larger namespaces (e.g., *.com). I don't remember, but it seems that one or more browsers allowed a common name of '*' to match any domain name.

In practice, the rogue use of this feature (e.g., getting a cert issued to '*' rather than '*.example.com') is supposed to be prevented by diligent Certification Authorities. Are all the issuing CAs under these 107 trusted root CAs that ship with IE5 applying this diligence? Your guess is as good as mine.
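Added example, not part of the original message or of any browser's code: a strict form of the hostname-to-common-name check quoted above, which accepts `*.example.com` for one label only and refuses the overbroad names (`*`, `*.com`) the thread says some older browsers honoured. The function names and the rule of at least two fixed labels after the wildcard are assumptions of this example; the rule does not recognise multi-label public suffixes such as `co.uk`, which needs a public-suffix list.

```python
def _labels(name):
    """Split a DNS name into lowercase labels, ignoring one trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_is_acceptable(pattern, min_fixed_labels=2):
    """True if a certificate name has no wildcard, or has one wildcard that is
    the whole leftmost label and is followed by enough fixed labels."""
    labels = _labels(pattern)
    if any(not label for label in labels):
        return False                      # empty name or empty label
    if "*" not in pattern:
        return True
    # Reject partial wildcards ("w*.x.y") and wildcards past the first label.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    # "*" has 0 fixed labels, "*.com" has 1: both are too broad.
    return len(labels) - 1 >= min_fixed_labels


def hostname_matches(pattern, hostname):
    """Compare the hostname the client asked for with a certificate name."""
    if "*" in hostname or not wildcard_is_acceptable(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or any(not label for label in h):
        return False                      # wildcard covers exactly one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


if __name__ == "__main__":
    # Constructed sample names, following the examples in the quoted text.
    for cert_name, host in [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "rogue.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("*.com", "www.example.com"),
        ("*", "www.example.com"),
    ]:
        print(f"{cert_name!r:18} {host!r:22} -> {hostname_matches(cert_name, host)}")
```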