From: "Karl A. Siil" <karl@cosmos.cosmos.att.com>
To: cypherpunks@toad.com
Message Hash: 25c1b832acc8e21bfd6958dedf2d672e3fb71edf7fd74c1a08f3be3c01321c48
Message ID: <2.2b9.32.19951220115525.0069303c@cosmos.cosmos.att.com>
Reply To: N/A
UTC Datetime: 1995-12-20 11:57:41 UTC
Raw Date: Wed, 20 Dec 95 03:57:41 PST
From: "Karl A. Siil" <karl@cosmos.cosmos.att.com>
Date: Wed, 20 Dec 95 03:57:41 PST
To: cypherpunks@toad.com
Subject: Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
Message-ID: <2.2b9.32.19951220115525.0069303c@cosmos.cosmos.att.com>
MIME-Version: 1.0
Content-Type: text/plain
At 05:46 PM 12/18/95 -0800, Rich Graves wrote:
>Except for the bit about the file not being deleted after quitting
>Netscape (which is Bad), this is old news. This is why security-conscious
>sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted
>form rather than via simple browser authentication.
On a related note, how does Netscape (or HTTP in general) authenticate using
the password? My best guess, without a sniffer, is (making up error codes as
I go along, but you get the point):
Browser Sends: GET ...
Server Replies: 4xx (3xx? 2xx?) Sorry. I need authentication.
Browser (after querying user): GET along with user-name/password
Server: ...whatever the page is...
Given that, what allows me to go on and see other (protected) pages on the
same server without being re-prompted? Is it a similar conversation to the
one above or does the browser broadcast the password on every subsequent
request? I cannot ascertain the behavior by going to another site protected
by a different password. Either one is possible. What I'm hoping happens
with multiple sites is:
Browser Sends: GET ...
Server Replies: 4xx (3xx? 2xx?) Sorry. I need authentication.
Browser (after querying user): GET along with user-name/password
Server: ...whatever the page is...
(1)Browser (to a different server): GET ...
Server2: 4xx (3xx? 2xx?) Sorry. I need authentication.
Browser: user-name/password cached from before
Server2: 4xx (3xx? 2xx?) Sorry. That's not it. I need authentication.
(2)Browser (after re-querying user): GET user-name2/password2
Server: ...whatever the page is...
The broadcast option would change (1) to (2) above to:
(1)Browser (to a different server): GET along with user-name/password
Server2: 4xx (3xx? 2xx?) Sorry. (That's not it?) I need authentication.
(2)Browser (after re-querying user): GET user-name2/password2
Admittedly, the second one is more optimal, but does this mean it would
broadcast the user/passwd to every site? Even the first option winds up
sending wrong passwords to other servers. Does the browser re-prompt if it
detects a new IP address or a different sub-tree of the same server?
Anyway, lots of conjecture (sp?) here. Does anyone know how it really works
or can point me at a reference? Thanks.
Karl
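The challenge/response sketched in the message, written out as an added example that is not from the original post or any browser's code: a small model of HTTP Basic authentication in which the server answers an unauthenticated request with 401 and a WWW-Authenticate header, the browser re-sends with an Authorization header, and credentials are cached per protection space (host, realm) rather than broadcast to every server. The hosts, realm names, user names and passwords are constructed; the status code and header names are the ones the HTTP/1.0 specification uses, which the message leaves open.

```python
import base64

# Constructed credential stores: host -> (realm, {user: password})
SERVERS = {
    "www1.example": ("Private", {"karl": "s3cret"}),
    "www2.example": ("Private", {"karl": "other"}),
}

def basic_token(user, password):
    """Authorization value for Basic auth: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def server_handle(host, path, headers):
    """Server side: every path is protected; return (status, response headers)."""
    realm, users = SERVERS[host]
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge                      # no credentials: challenge
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return 401, challenge                      # malformed token: challenge
    if users.get(user) != pwd:
        return 401, challenge                      # wrong credentials: challenge
    return 200, {"Content-Type": "text/html"}

class Browser:
    """Browser side: credentials cached per protection space (host, realm)."""
    def __init__(self, user_answers):
        self.answers = user_answers   # constructed: what the user types per host
        self.cache = {}               # (host, realm) -> (user, password)
        self.prompts = 0              # number of times the user was asked
        self.log = []                 # (host, path, credentials sent?, status)

    def get(self, host, path):
        headers = {}                  # first request never carries credentials
        for _ in range(3):            # request / 401 / retry
            status, resp = server_handle(host, path, headers)
            self.log.append((host, path, "Authorization" in headers, status))
            if status != 401:
                return status
            realm = resp["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            key = (host, realm)
            if key not in self.cache or "Authorization" in headers:
                self.prompts += 1     # nothing cached, or cached entry rejected
                self.cache[key] = self.answers[host]
            headers = {"Authorization": basic_token(*self.cache[key])}
        return status
```

A second page on the same host is re-challenged but not re-prompted, while a first request to another host carries no credentials at all, so the first server's password is never offered to the second.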