ENH> As you've seen in this discussion thread, a lot of sysadmins *here*
ENH> didn't realize that passwords were being sent over HTTPS, and
ENH> imagined that accessing those server-side would require complex
ENH> memory scanners, not just a simple edit to the PHP file that the
ENH> POST request targets. Raising awareness is a good thing.

I've been busy and haven't been following all the details of this thread
carefully, but if you'd asked

1. When you go to an HTTPS web site, and enter a username and password, is
   your password sent to the server?

2. If your password were sent to the server, would it be possible to
   intercept that password by inserting malicious code on the server?

I would have been amazed if any sysadmin on this list wouldn't have gotten
the right answers (which seem to me to be pretty obviously "of course"
and "of course").

Don't get me wrong, I still think better authentication management
technology would be a good idea. But I also still think that saying that
to a bunch of sysadmins is pretty well preaching to the choir.

If you want to change things, figure this out: Why hasn't this *already*
been done? I sure don't know (largely for lack of trying), but if you can
figure it out, and identify the obstacles, and work to overcome them,
that'll be a huge and awesome contribution to security.

"Raising awareness" that if you send someone your password, then they have
your password? Any IT professional who doesn't already know that is pretty
new at this.

                                      -Josh ([email protected])
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
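An added example, not from the thread or from any list member: a Python stand-in for the PHP login handler the quoted reply describes, showing what the server-side code actually holds once TLS has terminated and how one added line turns the handler into a credential harvester. The account (alice / hunter2), the PBKDF2 user store and the in-memory list standing in for the attacker's log file are all constructed for this example.

```python
"""Server-side view of an HTTPS login POST (added example, not from the thread).

TLS protects the password in transit. Once the request reaches the
application, the password is plaintext in the POST body, so any code in
the request path can read it. The two handlers below differ by one line.
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs


# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
# A real application would use a dedicated password hash (argon2, scrypt,
# bcrypt); PBKDF2 from the standard library keeps this self-contained.
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_store(credentials: dict) -> dict:
    """Hash each plaintext password with a fresh random salt."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _derive(password, salt))
    return store


# Constructed test account (hypothetical, not from the thread).
STORE = make_user_store({"alice": "hunter2"})


def _parse_form(post_body: str) -> tuple:
    """What the PHP file targeted by the form's POST sees: $_POST is already
    plaintext, because TLS terminated before the request reached the app."""
    form = parse_qs(post_body)
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    return username, password


def _check(username: str, password: str, store: dict) -> bool:
    record = store.get(username)
    if record is None:
        # Burn a derivation anyway so an unknown user is not timing-distinguishable.
        _derive(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


def login_handler(post_body: str, store: dict = STORE) -> bool:
    """The legitimate handler."""
    username, password = _parse_form(post_body)
    return _check(username, password, store)


def login_handler_backdoored(post_body: str, sink: list, store: dict = STORE) -> bool:
    """The same handler after the 'simple edit' the quoted reply describes:
    one added line copies the credential pair somewhere the attacker can read
    it (a list here; a file or outbound request in practice). The login result
    is unchanged, so users see nothing, and the password is captured whether
    or not the login succeeds."""
    username, password = _parse_form(post_body)
    sink.append(f"{username}:{password}")          # <-- the added line
    return _check(username, password, store)


if __name__ == "__main__":
    harvested = []
    body = "username=alice&password=hunter2"
    print("legit    :", login_handler(body))
    print("backdoor :", login_handler_backdoored(body, harvested))
    print("harvested:", harvested)
```

Nothing in the TLS layer can detect this; the only controls that do are on the server side of the trust boundary: integrity monitoring of the handler files, immutable or signed deployments, and review of what code runs in the request path. Authentication schemes in which the server never receives the password at all are the "better authentication management technology" the message refers to, and they remove this class of harvest entirely.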
