


Vulnerability Development: Re: Remembering Passwords in IE

Re: Remembering Passwords in IE

From: Dom De Vitto <dom_at_DEVITTO.COM>
Date: Mon, 10 Apr 2000 21:01:25 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ooops, further checking with colleagues showed:

IE *doesn't* display the pages on https://www-test.whaver.com
but Netscape (4.6) does pop up a box as I said.

Interestingly, IE doesn't complain, it just shows a blank page.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Secure Technologies Ltd
mailto:dom_at_devitto.com Mob. 07971 589 201
http://www.devitto.com Tel. 01202 738 767
PGP: http://www.devitto.com/pgpkey.asc Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- -----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV_at_SECURITYFOCUS.COM]On Behalf Of Bob
Sent: Saturday, April 08, 2000 3:33 PM
To: VULN-DEV_at_SECURITYFOCUS.COM
Subject: Re: Remembering Passwords in IE

Thawte issues wildcard certs for $500US.

Bob Madore

Hal Lockhart wrote:
>
> I suspect that anybody who charges by the cert is not going to want to issue
> you a wildcard cert instead of multiples.
>
> Hal
>
> ===========================================================
> Harold W. Lockhart Jr. StorageNetworks, Inc.
> Voice: 781-434-6741 100 Fifth Avenue
> Fax: 781-434-6799 Waltham, MA 02451
> hal.lockhart_at_storagenetworks.com www.storagenetworks.com
> ===========================================================
>
> > The hostname->subject common name check isn't optional (or shouldn't
> > be and doesn't appear to be on NS and IE5), but both browsers
> > support the use of a '*' wildcard to allow matching multiple
> > machines in a single domain.
> >
> > So a certificate issued to *.example.com would pass the name
> > check for www.example.com, test.example.com, and rogue.example.com.
> > The version 4 browsers (I haven't tried this lately) would
> > allow the * to be used to mask out larger namespaces (e.g.,
> > *.com). I don't remember, but it seems that one or more
> > browsers allowed a common name of '*' to match any domain name.
> >
> > In practice, the rogue use of this feature (e.g., getting a
> > cert issued to '*' rather than '*.example.com') is supposed to
> > be prevented by diligent Certification Authorities. Are all
> > the issuing CAs under these 107 trusted root CAs that ship
> > with IE5 applying this diligence? Your guess is as good as mine.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
Comment: Public key available from certserver.pgp.com

iQA/AwUBOPIzFH8ZJe4Z69ciEQJ4nwCgzED/Cx/3grUqPV3QJLcJZ/I4MUMAn27S
6vJc1PJsCi/37MCp5nioglRt
=9/co
-----END PGP SIGNATURE-----

text/x-vcard attachment: Domenico_De_Vitto.vcf
Received on Apr 10 2000
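
The wildcard name check discussed in this thread, as an added example that is not part of the original messages and is not any browser's actual code: a permissive matcher of the kind described for the version 4 browsers next to a conservative one. The function names and the `min_labels` parameter are hypothetical, and `min_labels` is only an assumed stand-in for a real public-suffix lookup.

```python
import re

def lax_match(pattern: str, hostname: str) -> bool:
    """Permissive check: '*' may stand for any run of characters, dots included,
    so '*.com' and a bare '*' match almost anything (the behaviour the thread
    attributes to older browsers)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, hostname.lower()) is not None

def strict_match(pattern: str, hostname: str, min_labels: int = 3) -> bool:
    """Conservative check: '*' must be the whole leftmost label, covers exactly
    one label, and the pattern needs at least min_labels labels.
    min_labels is an assumed stand-in for a public-suffix lookup; on its own
    it would still accept a pattern such as '*.co.uk'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside the leftmost label
    if p[0] == "*":
        return len(p) >= min_labels and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial-label wildcards refused here
    return p == h

def overbroad(patterns, hostnames):
    """Return (pattern, hostname) pairs the lax check accepts but the strict
    check refuses: matches that rely on the CA declining to issue the cert."""
    return [(p, h) for p in patterns for h in hostnames
            if lax_match(p, h) and not strict_match(p, h)]

# Constructed sample data, using the names from the thread.
PATTERNS = ["*.example.com", "*.com", "*"]
HOSTS = ["www.example.com", "rogue.example.com", "a.b.example.com", "www.example.org"]

if __name__ == "__main__":
    for pattern, host in overbroad(PATTERNS, HOSTS):
        print(f"{pattern!r} would be accepted for {host!r} under lax matching only")
```
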
