Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: 11a () GMX NET (Bluefish)
Date: Sun, 2 Apr 2000 22:08:28 +0200
Mikael, we are discussing two different topics. Agreed, the best fix is to simply choose not to use password remembering, but what actually was discussed was (if I understood the thread correctly) that http://www.test.com/~foo and http://www.test.com/~bar will 'remember' the same password if authName is the same. Actually, it is worse: if you send a password to ~foo, it will be sent automatically to ~bar as soon as you try to access it. My mail was addressing that issue and discussed it. What I meant couldn't be fixed on the client side was to determine whether ~bar actually has the same webmaster as ~foo, as long as the httpd allowed the webmasters to set up the same authName.
> *ahem* You're completely forgetting about sniffing passwords off the wire and DNS poisoning. This should be fixed in the browser, and the correct fix is to nuke all password caching.
That is *far* from a fix. If you assume that the attacker is poisoning your DNS (or doing DNS hijacking or whatever), it seems fairly reasonable that the attacker also has the means to wget your site and mirror it on the fraudulent system. Alas, the user will enter the password even if IE doesn't remember it. If you intend to protect your system against that kind of attack, then the use of authentication and encryption (https) should be a minimum. And the same goes for protection against sniffing.
> If there's a feature that makes life easier for Joe User, he will use it, with no concern for security simply because he didn't know there was a concern in the first place.
Agreed. I'm not saying password caching is good; it's quite bad (especially if you cannot provide 24h/d supervision of your workstation). That was pointed out when IE was released, but apparently the market demand for the function was so big that MS chose to ignore the need to remove the option.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
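The behaviour Bluefish describes above, as an added example that is not part of the original thread: a browser-like client that remembers Basic-auth credentials per protection space, which RFC 2617 section 1.2 defines as the server's canonical root URL plus the realm (the value an Apache webmaster sets with AuthName). The host www.test.com, the paths /~foo and /~bar, the realm names and the credentials are constructed for the simulation; no network is used, the "httpd" is an in-process function. When both user directories announce the same realm, the password accepted by ~foo is replayed to ~bar on the first challenge, where ~bar's webmaster can read it; with different realms nothing is replayed. The client here waits for the 401 before sending cached credentials, which gives the same result as a browser that sends them preemptively.

```python
import base64


def basic_header(user, password):
    """Build an RFC 2617 Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Decode a Basic header into (user, password); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):]).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


class Server:
    """Constructed stand-in for one httpd hosting several user directories.

    Each path prefix has a realm (the AuthName) and a user/password chosen by
    that directory's webmaster. Every Authorization header a directory receives
    is recorded in its 'seen' list, because the webmaster of that directory can
    log it (this is the leak the thread is about)."""

    def __init__(self, host, sites):
        self.host = host
        self.sites = sites  # path prefix -> {"realm", "user", "password"}

    def handle(self, path, authorization):
        prefix = next(p for p in self.sites if path.startswith(p))
        site = self.sites[prefix]
        creds = parse_basic(authorization)
        if creds is not None:
            site.setdefault("seen", []).append(creds)
        if creds == (site["user"], site["password"]):
            return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{site["realm"]}"'}


class RememberingClient:
    """Browser-like client: once a password has been accepted for a protection
    space (host + realm), it is replayed automatically on the next challenge
    carrying that realm, whatever the path."""

    def __init__(self, server):
        self.server = server
        self.cache = {}  # (host, realm) -> (user, password)

    def get(self, path, typed=None):
        """Fetch path; 'typed' is what the user would enter at a login prompt."""
        status, headers = self.server.handle(path, None)
        if status != 401:
            return status
        realm = headers["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        creds = self.cache.get((self.server.host, realm)) or typed
        if creds is None:
            return 401  # nothing remembered and nothing typed
        status, _ = self.server.handle(path, basic_header(*creds))
        if status == 200:
            self.cache[(self.server.host, realm)] = creds
        return status


def credentials_seen_by_bar(bar_realm):
    """Log in to ~foo (realm 'staff'), then visit ~bar which uses bar_realm.

    Returns the list of (user, password) pairs ~bar's webmaster got to see."""
    server = Server("www.test.com", {
        "/~foo": {"realm": "staff", "user": "alice", "password": "s3cret"},
        "/~bar": {"realm": bar_realm, "user": "mallory", "password": "x"},
    })
    client = RememberingClient(server)
    client.get("/~foo/", typed=("alice", "s3cret"))  # user logs in to ~foo
    client.get("/~bar/")                             # user merely visits ~bar
    return server.sites["/~bar"].get("seen", [])


if __name__ == "__main__":
    print("same realm:     ", credentials_seen_by_bar("staff"))
    print("different realm:", credentials_seen_by_bar("members"))
```

Nothing in the client can tell the two cases apart: the realm string is the only scoping key the protocol gives it, and whether ~foo and ~bar belong to the same webmaster is something only the server operator knows, which is the point made above that the fix (distinct realms, or not letting users pick the same AuthName) lives on the httpd side.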
Current thread:
- Re: Remembering Passwords in IE Mikael Olsson (Apr 01)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- Re: Remembering Passwords in IE Mikael Olsson (Apr 02)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 04)
- Re: Remembering Passwords in IE Bluefish (Apr 05)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 05)
- Re: Remembering Passwords in IE Scott Renfro (Apr 06)
- Re: Remembering Passwords in IE Bluefish (Apr 02)
- <Possible follow-ups>
- Re: Remembering Passwords in IE Hal Lockhart (Apr 07)
- Re: Remembering Passwords in IE Scott Renfro (Apr 07)
- Re: Remembering Passwords in IE Matthew S. Hallacy (Apr 07)
- Re: Remembering Passwords in IE Bob (Apr 08)
- Re: Remembering Passwords in IE Dom De Vitto (Apr 10)