Vulnerability Development mailing list archives

Re: Remembering Passwords in IE


From: 11a () GMX NET (Bluefish)
Date: Sun, 2 Apr 2000 22:08:28 +0200


Mikeal, we are discussing two different topics. Agreed, the best fix is to
simply choose not to use password remembering, but what actually was
discussed was (if I understood the thread correctly) that

   http://www.test.com/~foo
   http://www.test.com/~bar

will 'remember' the same password if authName is the same. Actually, it is
worse: if you send a password to ~foo, it will be sent automatically to ~bar
as soon as you try to access them. My mail was addressing that issue and
discussed it. What I meant couldn't be fixed on the client side was to determine
whether ~bar actually has the same webmaster as ~foo as long as the httpd
allowed the webmasters to set up the same authName.

*ahem* You're completely forgetting about sniffing passwords
off the wire and DNS poisoning. This should be fixed in the
browser, and the correct fix is to nuke all password caching.

That is *far* from a fix. If you assume that the attacker is poisoning your
DNS (or doing DNS hijacking or whatever), it seems fairly reasonable that the
attacker also has the means to wget your site and mirror it on the
fraudulent system. Alas, the user will enter the password even if IE
doesn't remember it. If you intend to protect your system against that
kind of attack, the use of authentication and encryption (https) should be a
minimum.

And the same goes for protection against sniffing.

If there's a feature that makes life easier for Joe User, he
will use it, with no concern for security simply because he
didn't know there was a concern in the first place.

Agreed. I'm not saying password caching is good, it's quite bad
(especially if you cannot provide 24h/d supervision of your
workstation). That was pointed out when IE was released, but apparently
the market demand for the function was so big that MS chose to ignore the
need to remove the option.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
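The two behaviours argued about above, as an added example that is not part of the original post or of any browser's code: a small model of a Basic-auth credential cache under two policies (keyed on host plus realm, which is what the thread says IE does, versus keyed on host, realm and the directory that issued the challenge), plus a server-side check for the condition the post says the client cannot detect, namely two user directories on one host configured with the same AuthName. The hostnames, credentials and .htaccess contents are constructed; `CredentialCache`, `shared_realms` and `demo` are names chosen for this example.

```python
"""Model of the shared-realm credential problem from the thread.

Added example, not code from the original post.  Models two client policies
for re-using cached HTTP Basic credentials and a server-side check for two
directories on one host sharing an AuthName.  All inputs are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit
import posixpath
import re


class CredentialCache:
    """Caches (user, password) per protection space.

    policy="realm": key on (host, realm) only.  This is the behaviour the
        thread attributes to IE: once /~foo/ is authenticated, any URL on
        the host that challenged with the same realm gets the credentials
        pre-emptively, including /~bar/ run by a different webmaster.
    policy="path":  key on (host, realm, directory of the challenging URL)
        and only re-send credentials to URLs under that directory.
    """

    def __init__(self, policy="realm"):
        assert policy in ("realm", "path")
        self.policy = policy
        self._store = {}

    @staticmethod
    def _dir(url):
        # Directory of the URL that issued the challenge.  The trailing slash
        # matters: a challenge at "/~foo" (no slash) has directory "/", so a
        # server should redirect "/~foo" to "/~foo/" before challenging.
        path = urlsplit(url).path or "/"
        if path.endswith("/"):
            return path
        d = posixpath.dirname(path)
        return d if d.endswith("/") else d + "/"

    def remember(self, url, realm, credentials):
        host = urlsplit(url).netloc
        if self.policy == "realm":
            key = (host, realm)
        else:
            key = (host, realm, self._dir(url))
        self._store[key] = credentials

    def credentials_for(self, url, realm):
        """Credentials the client would send pre-emptively, or None."""
        host = urlsplit(url).netloc
        if self.policy == "realm":
            return self._store.get((host, realm))
        directory = self._dir(url)
        for (h, r, d), creds in self._store.items():
            if h == host and r == realm and directory.startswith(d):
                return creds
        return None


# Server side: find realms shared by several directories (Apache AuthName).
AUTHNAME_RE = re.compile(r'^\s*AuthName\s+"?([^"\n]+?)"?\s*$', re.MULTILINE)


def realm_of(htaccess_text):
    m = AUTHNAME_RE.search(htaccess_text)
    return m.group(1) if m else None


def shared_realms(htaccess_by_dir):
    """Map realm -> sorted directories using it, for realms used more than once.

    Two webmasters sharing an AuthName on one host is exactly the condition
    the post says the client cannot tell apart from one webmaster.
    """
    uses = defaultdict(list)
    for directory, text in htaccess_by_dir.items():
        realm = realm_of(text)
        if realm:
            uses[realm].append(directory)
    return {realm: sorted(dirs) for realm, dirs in uses.items() if len(dirs) > 1}


HTACCESS = {  # constructed per-user .htaccess contents
    "/home/foo/public_html": 'AuthType Basic\nAuthName "Members"\nRequire valid-user\n',
    "/home/bar/public_html": 'AuthType Basic\nAuthName "Members"\nRequire valid-user\n',
    "/home/baz/public_html": 'AuthType Basic\nAuthName "baz private"\nRequire valid-user\n',
}


def demo():
    """Authenticate to /~foo/ then request /~bar/ under each policy."""
    results = {}
    for policy in ("realm", "path"):
        cache = CredentialCache(policy)
        cache.remember("http://www.test.com/~foo/", "Members", ("alice", "s3cret"))
        results[policy] = cache.credentials_for(
            "http://www.test.com/~bar/index.html", "Members")
    return results, shared_realms(HTACCESS)


if __name__ == "__main__":
    sent, shared = demo()
    print("credentials sent to /~bar/ by policy:", sent)
    print("AuthName values shared across directories:", shared)
```

Under the realm-only policy the credentials entered for ~foo are attached to the request for ~bar; under the path policy they are not, because ~bar is not under the directory that issued the challenge. The `shared_realms` check is the httpd-side companion: it reports which per-user directories have been given an identical AuthName, which is the only place that condition can be seen.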

