Re: Intacct.com: Multiple bugs at financial services company
From: Andrew Pimlott <andrew () PIMLOTT NE MEDIAONE NET>
Date: Wed, 6 Sep 2000 15:13:55 -0400
On Wed, Sep 06, 2000 at 07:48:01AM -0400, Chris L. Mason wrote:
> I think there's a solution to this "problem" that is far too often
> overlooked. More sites simply need to start using HTTP Basic
If you think this is the solution, you don't understand the
cross-site scripting class of vulnerabilities. Honest. Read
http://www.apache.org/info/css-security/ a few times.
HTTP authentication is just a limited cookie. It is basically not
possible for HTTP authentication to be more secure than cookies
(modulo implementation quirks). It can be less secure, because
there is no standard way to force (more accurately, advise)
expiration. If you don't understand why this is desirable, see
above. Hint: this is about protecting the client, not protecting
> 4. One user of a service can email another a URL from within the site, and
> the other user can actually use it, *and* be authenticated properly
> with their own id!
Exactly the problem. Do you really want
to "just work"? If you don't think I can trick you into going to
that URL, I bet you're wrong.
> I wish companies would focus on providing services as secure as possible at
> their end. You only control *your* systems, so focus on securing *them*.
Sure, let's all ignore our customers' security. In fairness,
hotmail.com, intacct.com, and many other sites seem to agree.