On Tuesday, January 06, 2004 3:53 PM EDT, Elliotte Rusty Harold
wrote:
> they actually are. HTTP authentication and cookie based
> authentication are equally vulnerable to this style of social
> engineering.
Hello Elliotte:
I realize that the manipulated use of the "@" sign in a URL is social
engineering; the problem lies in programs that block the use of such URLs,
even for legitimate purposes. At the time I wrote the initial message I
knew of a firm that was blocking HTTP traffic with URLs that contained
the "@" sign in their Checkpoint firewall. Seems now that Microsoft will
also deem the "@" sign to be sinister. Another article from eWeek, this
time on what Microsoft intends to do with "@" signs in Internet Explorer:
http://www.eweek.com/article2/0,4149,1473485,00.asp?kc=EWNWS012904DTX1K0000599
The Microsoft bulletin is located at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q834489
An excerpt from the above article:
"If you include HTTP or HTTPS URLs that contain user information in your
scripting code, to manage state information, change your scripting code to
use cookies instead of user information. For additional information about
how to use cookies to manage state information, visit the following Internet
Engineering Task Force (IETF) Web site:
http://www.ietf.org/rfc/rfc2965.txt"
It may become more difficult for clients to participate in HTTP
authentication without using cookies.
Regards,
Ralph
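The following is an added example, not part of Ralph's message or of the articles he cites. It shows, with Python's standard URL parser, why the "@" trick works (everything before the "@" in the authority is userinfo, and the request actually goes to the host after it), and it contrasts the blunt "block any URL containing @" rule the message describes with a filter that only flags userinfo in an http(s) authority and so leaves an "@" in a query string or a mailto: link alone. All hostnames and URLs are constructed placeholders.

```python
"""Added example: how userinfo in an HTTP URL resolves, and two ways of
filtering such URLs.  Sample URLs below are constructed, not real sites."""
from urllib.parse import urlsplit


def resolve(url: str) -> dict:
    """Split a URL into the parts a reader is likely to misjudge.

    For http://www.microsoft.com@evil.example/ the leading
    "www.microsoft.com" is the userinfo; the host that receives the
    request is evil.example.  'suspicious' is a heuristic (an assumption
    of this example): userinfo that itself looks like a hostname.
    """
    parts = urlsplit(url)
    userinfo = parts.username          # None when the authority has no '@'
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "password": parts.password,    # e.g. a fake ":8080" port is really a password
        "host": parts.hostname,
        "path": parts.path,
        "suspicious": userinfo is not None and "." in userinfo,
    }


def blunt_filter(url: str) -> bool:
    """The firewall rule described in the message: block any URL that
    contains an '@' anywhere.  Catches the spoof, but also legitimate URLs
    such as a search query carrying an e-mail address, or a mailto: link."""
    return "@" in url


def precise_filter(url: str) -> bool:
    """Flag only http(s) URLs whose authority component carries userinfo.
    urlsplit stops the authority at the first '/', '?' or '#', so an '@'
    in the path, query or fragment is never mistaken for userinfo."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.username is not None


# Constructed sample URLs.
SAMPLES = [
    "http://www.microsoft.com@evil.example/update.exe",   # spoof via userinfo
    "http://www.microsoft.com:8080@evil.example/",        # ":8080" is a password, not a port
    "http://evil.example/search?q=user@example.org",      # legitimate '@' in the query
    "mailto:someone@example.org",                         # legitimate, not HTTP at all
    "http://www.microsoft.com/",                          # no '@'
]


def compare_filters(urls=SAMPLES):
    """Return (url, blunt_blocks, precise_blocks, real_host) for each URL."""
    return [(u, blunt_filter(u), precise_filter(u), resolve(u)["host"]) for u in urls]


if __name__ == "__main__":
    for url, blunt, precise, host in compare_filters():
        print(f"{url}\n  host={host!r}  blunt={blunt}  precise={precise}")
```

Running the block shows the two filters disagreeing on the third and fourth samples: the blunt rule blocks the search query and the mailto: link, which is the collateral damage the message complains about, while the precise rule blocks only the two URLs whose authority really contains userinfo.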