Hi again,

On Fri, Feb 06, 2004 at 05:01:21PM +1300, Nick FitzGerald wrote:
> Hmmmmm, a security researcher employed by a web development company
> advocating the use of non-standards compliant features that have
> obvious security concerns...
Ohh yeah. As if a part-time job has anything to do with my opinion. And I haven't advocated non-standards-compliant features. I just said that the people using it, the people implementing it into their browser, make it a standard, no matter what your opinion is or what the RFC says. Again, NTSC was explicitly not the standard for color television, but the inventor did not give up after his first try failed and simply worked against the standard, and so NTSC became the standard, no matter whether the other system was better or not. (Ohh yeah, we should really get rid of NTSC; luckily I live in PAL land.)

You may like it or not, HTTP URLs with username:password became a standard with IE 3.0. You should have raised your voice years ago against it, but you have not. Now it is a widely used feature, and it is more than arrogant to say that people who use it are dumb because they use something that is supported everywhere but is forbidden by some RFC.

Security concerns:

a) people write passwords into their URLs (valid point) (but if they cannot write them into URLs they will store them in the IE password-remembering function or attach some notes to their monitor, so removing this feature has NOT improved security)

b) people are too dumb to recognise that this is not part of the real URL. (This is NOT a valid point, because then we would have to remove the possibility to send files attached to emails, because people are dumb enough to open virus executables.)

Well, according to your logic, people should learn about IE first, and if they are too dumb to know that this is not part of the real URL they deserve to lose money. Which is exactly your argumentation against people who violated the law which you see defined in RFCs.

> How odd!

Yes, how odd.
Stefan

--
--------------------------------------------------------------------------
Stefan Esser                                        [EMAIL PROTECTED]
e-matters Security                         http://security.e-matters.de/
GPG-Key                 gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint       B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift:           http://wishlist.suspekt.org/
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
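The thread argues about whether users can tell that the `user:pass@` part of an `http://` URL is not the host. The following is an added example, not code from the original post or from either participant, showing how the RFC-style parse (here Python's `urllib.parse.urlsplit`) splits such URLs and how a simple check can flag the confusing case where the userinfo itself looks like a hostname. The sample URLs and the `looks_deceptive` / `audit` helper names are constructed for this illustration and are not from the original message.

```python
from urllib.parse import urlsplit


def parse_userinfo_url(url):
    """Return (username, password, host) exactly as the URL grammar
    resolves them: everything before the last '@' in the authority
    is userinfo, everything after it is the host (plus optional port)."""
    parts = urlsplit(url)
    return parts.username, parts.password, parts.hostname


def looks_deceptive(url):
    """Heuristic: a userinfo component that contains a dot reads like a
    hostname to a human, so the text a user 'sees' as the site is not
    the host the request actually goes to. Real credentials rarely
    contain dots; brand-shaped usernames almost always do."""
    username, _, host = parse_userinfo_url(url)
    if username is None or host is None:
        return False
    return "." in username


# Constructed sample inputs: a spoofing-style URL, a legitimate
# intranet URL with embedded credentials, and a plain URL.
SAMPLE_URLS = [
    "http://www.paypal.com@evil.example/login",
    "http://alice:s3cret@intranet.example:8080/admin",
    "http://example.com/",
]


def audit(urls):
    """Return (url, real_host, deceptive_flag) for each URL so a
    reviewer can see at a glance where each request would really go."""
    result = []
    for url in urls:
        _, _, host = parse_userinfo_url(url)
        result.append((url, host, looks_deceptive(url)))
    return result


if __name__ == "__main__":
    for url, host, flagged in audit(SAMPLE_URLS):
        marker = "SUSPICIOUS" if flagged else "ok"
        print(f"{marker:10} host={host!s:20} {url}")
```

Running the block shows that `http://www.paypal.com@evil.example/login` connects to `evil.example`, with `www.paypal.com` sent only as the username; this is the confusion point (b) in the message refers to, and the dot-in-userinfo heuristic is one cheap way to surface it in a proxy log or link scanner.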